From: Lennart Poettering
Date: Fri, 4 Jul 2025 08:16:56 +0000 (+0200)
Subject: seccomp-util: allowlist open_tree() as part of @file-system
X-Git-Tag: v258-rc1~171
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aac21825cd45ee998695504b7b8b881bac2a44c2;p=thirdparty%2Fsystemd.git

seccomp-util: allowlist open_tree() as part of @file-system

Now that we make use of open_tree() in places we previously used openat() with O_PATH, it makes sense to move it from @mount to @file-system. Without the OPEN_TREE_CLONE flag open_tree() is after all unprivileged.

Note that open_tree_attr() I left in @mount, since its purpose is really to set mount options when cloning, and that's clearly a mount related thing, not so much something you could use unpriv.

Follow-up for: c5de7b14ae2e08d267d8d75bc88934ac6aa7dcd6

This addresses an issue tracked down by Antonio Feijoo: since the commit that started to use open_tree() various apps started to crash because they used seccomp filters and sd-device started to use open_tree() internally.
---
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index db3bf678521..3c61f823718 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -526,6 +526,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "oldlstat\0" "oldstat\0" "open\0" + "open_tree\0" "openat\0" "openat2\0" "readlink\0" @@ -648,7 +649,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "mount\0" "mount_setattr\0" "move_mount\0" - "open_tree\0" "open_tree_attr\0" "pivot_root\0" "umount\0"
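
Review bot: the new "open_tree\0" entry in the @file-system list (first hunk, between "open\0" and "openat\0") matches on the syscall name alone, so it admits open_tree() with OPEN_TREE_CLONE just as it admits the O_PATH-style use the commit message has in mind. The commit message rests on only the non-clone form being unprivileged, so a short comment next to the entry stating that the clone case is not filtered here would record why a mount-API call sits in @file-system and keep a later cleanup from moving it back.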
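
Review bot: dropping "open_tree\0" from the @mount list (second hunk) changes what existing filters do, and the patch touches only src/shared/seccomp-util.c, so nothing documents the move. A filter that denies @mount while allowing @file-system no longer blocks open_tree(), and one that allowed @mount without @file-system loses it. Suggest a NEWS entry and an update to wherever the set contents are documented, stating that open_tree() moved and that open_tree_attr() deliberately stays in @mount.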