From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 5 Nov 2025 15:03:16 +0000 (+0900)
Subject: test-network: disable several more sandbox features when running with sanitizers
X-Git-Tag: v259-rc1~158^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F39572%2Fhead;p=thirdparty%2Fsystemd.git

test-network: disable several more sandbox features when running with sanitizers

These settings also imply seccomp.
Hopefully fixes #39567.
---

diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
index 6802646728c..93ad5635002 100755
--- a/test/test-network/systemd-networkd-tests.py
+++ b/test/test-network/systemd-networkd-tests.py
@@ -487,7 +487,19 @@ def create_service_dropin(service, command, additional_settings=None):
     if ubsan_options:
         drop_in += [f'Environment=UBSAN_OPTIONS="{ubsan_options}"']
     if asan_options or lsan_options or ubsan_options:
-        drop_in += ['SystemCallFilter=']
+        # Disable system call filter when running with sanitizers, as they seem to call filtered syscall at
+        # the very end of the execution and stuck the process. See issue #39567.
+        drop_in += [
+            'LockPersonality=no',
+            'ProtectClock=no',
+            'ProtectKernelLogs=no',
+            'RestrictAddressFamilies=',
+            'RestrictNamespaces=no',
+            'RestrictRealtime=no',
+            'RestrictSUIDSGID=no',
+            'SystemCallArchitectures=',
+            'SystemCallFilter=',
+        ]
     if use_valgrind or asan_options or lsan_options or ubsan_options:
         drop_in += ['MemoryDenyWriteExecute=no']
     if use_valgrind: