nspawn: add @keyring to default syscall allow_list
authorAnthony Messina <amessina@messinet.com>
Tue, 11 Feb 2025 00:38:11 +0000 (18:38 -0600)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Tue, 11 Feb 2025 23:05:11 +0000 (08:05 +0900)
Keyring namespacing was introduced in kernel v5.3-rc1: https://github.com/torvalds/linux/commit/c84ca912b07901be528e5184fd254fca1dddf2ac

Fixes #17606

README
src/nspawn/nspawn-seccomp.c

diff --git a/README b/README
index 1f3d1df2754870e051fd3c9aa74e57b71a916927..e677c2a800718d6ffd35f2872ebed8c829bdaae7 100644 (file)
--- a/README
+++ b/README
@@ -42,7 +42,7 @@ REQUIREMENTS:
                      ≥ 4.17 for cgroup-bpf socket address hooks and /sys/power/resume_offset
                      ≥ 4.20 for PSI (used by systemd-oomd)
                      ≥ 5.2 for cgroup freezer
-                     ≥ 5.3 for bounded loops in BPF program
+                     ≥ 5.3 for bounded loops in BPF program and keyring namespacing
                      ≥ 5.4 for pidfd, new mount API, and signed Verity images
 
         ⛔ Kernel versions below 5.4 ("minimum baseline") are not supported at all,
index e85c3c72cc19a0c15fb48c2dce8e08dc5deabc50..e7d18a317eec547c0fdda7f439fe7b8ba1c7e26b 100644 (file)
@@ -34,6 +34,7 @@ static int add_syscall_filters(
                 { 0,                  "@file-system"                 },
                 { 0,                  "@io-event"                    },
                 { 0,                  "@ipc"                         },
+                { 0,                  "@keyring"                     },
                 { 0,                  "@mount"                       },
                 { 0,                  "@network-io"                  },
                 { 0,                  "@process"                     },
@@ -116,7 +117,6 @@ static int add_syscall_filters(
                  * The following syscalls and groups are knowingly excluded:
                  *
                  * @cpu-emulation
-                 * @keyring           (NB: keyring is not namespaced!)
                  * @obsolete
                  * @pkey
                  * @swap
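Review bot: The new `{ 0, "@keyring" }` entry in the first hunk is allowed unconditionally and carries no comment, although its safety rests on the kernel keyring namespacing the description cites; if that namespacing is keyed on the user namespace, as the referenced kernel commit suggests, the keyrings are only separated from the host for a container that runs in its own user namespace, and a container sharing the host user namespace would still see the host's keyrings through these syscalls. The removed line in the second hunk was the only place that recorded the earlier reasoning, so that caveat is now lost from the source entirely. I would keep it next to the entry, e.g. `{ 0, "@keyring" }, /* keyrings are namespaced since kernel 5.3 (see c84ca912b079); isolation from the host presumably requires the container's own user namespace */`. add_syscall_filters starts outside both hunks, so whether user namespacing is checked elsewhere in the function cannot be confirmed from here.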