From: Anthony Messina Date: Tue, 11 Feb 2025 00:38:11 +0000 (-0600) Subject: nspawn: add @keyring to default syscall allow_list X-Git-Tag: v258-rc1~1359 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6cbd126b0b9b69757c44dec021be8d95edddb0bf;p=thirdparty%2Fsystemd.git nspawn: add @keyring to default syscall allow_list Keyring namespacing introduced in kernel version v5.3-rc1 https://github.com/torvalds/linux/commit/c84ca912b07901be528e5184fd254fca1dddf2ac Fixes #17606 --- diff --git a/README b/README index 1f3d1df2754..e677c2a8007 100644 --- a/README +++ b/README @@ -42,7 +42,7 @@ REQUIREMENTS: ≥ 4.17 for cgroup-bpf socket address hooks and /sys/power/resume_offset ≥ 4.20 for PSI (used by systemd-oomd) ≥ 5.2 for cgroup freezer - ≥ 5.3 for bounded loops in BPF program + ≥ 5.3 for bounded loops in BPF program and keyring namespacing ≥ 5.4 for pidfd, new mount API, and signed Verity images ⛔ Kernel versions below 5.4 ("minimum baseline") are not supported at all, diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c index e85c3c72cc1..e7d18a317ee 100644 --- a/src/nspawn/nspawn-seccomp.c +++ b/src/nspawn/nspawn-seccomp.c @@ -34,6 +34,7 @@ static int add_syscall_filters( { 0, "@file-system" }, { 0, "@io-event" }, { 0, "@ipc" }, + { 0, "@keyring" }, { 0, "@mount" }, { 0, "@network-io" }, { 0, "@process" }, @@ -116,7 +117,6 @@ static int add_syscall_filters( * The following syscalls and groups are knowingly excluded: * * @cpu-emulation - * @keyring (NB: keyring is not namespaced!) * @obsolete * @pkey * @swap
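Review bot: README hunk: the new wording "≥ 5.3 for bounded loops in BPF program and keyring namespacing" is consistent with the commit message's v5.3-rc1 reference, and since the same block declares 5.4 as the "minimum baseline", the keyring namespacing prerequisite is already guaranteed on every supported kernel; consider saying so in the commit message so the unconditional allow-list change below is visibly justified by the baseline rather than by a runtime check.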
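Review bot: nspawn-seccomp.c first hunk: `{ 0, "@keyring" }` is added unconditionally with no kernel-version or namespace gating, so the safety argument rests entirely on the baseline kernel providing keyring namespacing; a one-line comment next to the entry (e.g. "namespaced since 5.3, which is below our 5.4 baseline") would preserve the rationale that the old "(NB: keyring is not namespaced!)" remark carried, and it is worth checking whether the namespacing the linked kernel commit provides also covers containers started without a private user namespace, since that is the case where container and host processes would otherwise share keyrings.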
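Review bot: nspawn-seccomp.c second hunk: dropping "@keyring (NB: keyring is not namespaced!)" from the "knowingly excluded" list is the right companion to the first hunk, but any other place that enumerates the default allow list or the excluded groups (man page or documentation for the syscall filter option) should be updated in the same commit so the documented default does not diverge from the code.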