From 454ce423050890bdc8c3c90add3713592a3cab38 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 6 Nov 2025 00:03:16 +0900
Subject: [PATCH] test-network: disable several more sandbox features when
 running with sanitizers

These settings also imply seccomp.
Hopefully fixes #39567.
---
 test/test-network/systemd-networkd-tests.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
index 6802646728c..93ad5635002 100755
--- a/test/test-network/systemd-networkd-tests.py
+++ b/test/test-network/systemd-networkd-tests.py
@@ -487,7 +487,19 @@ def create_service_dropin(service, command, additional_settings=None):
     if ubsan_options:
         drop_in += [f'Environment=UBSAN_OPTIONS="{ubsan_options}"']
     if asan_options or lsan_options or ubsan_options:
-        drop_in += ['SystemCallFilter=']
+        # Disable system call filter when running with sanitizers, as they seem to call filtered syscall at
+        # the very end of the execution and stuck the process. See issue #39567.
+        drop_in += [
+            'LockPersonality=no',
+            'ProtectClock=no',
+            'ProtectKernelLogs=no',
+            'RestrictAddressFamilies=',
+            'RestrictNamespaces=no',
+            'RestrictRealtime=no',
+            'RestrictSUIDSGID=no',
+            'SystemCallArchitectures=',
+            'SystemCallFilter=',
+        ]
     if use_valgrind or asan_options or lsan_options or ubsan_options:
         drop_in += ['MemoryDenyWriteExecute=no']
     if use_valgrind:
-- 
2.47.3