From 0ddd608a6ddcd095d378510c7096ee979741046d Mon Sep 17 00:00:00 2001 From: Maciek Borzecki Date: Tue, 30 Nov 2021 11:07:30 +0100 Subject: [PATCH] units/systemd-udevd: allow bpf() syscall Programs run by udev triggers may need to execute the bpf() syscall. Even more so, since on a cgroup v2 system, the only way to set up device access filtering is to install a BPF program on the cgroup in question and one way of passing data to such program is through BPF maps, which can only be access using the bpf() syscall. One such use case was identified in RHBZ#2025264 related to snap-device-helper, and led to RHBZ#2027627 being filed. Unfortunately there is no finer grained control over what gets passed in the syscall, so just enable bpf() and leave fine grained mediation to other security layers (eg. SELinux). Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2027627 Signed-off-by: Maciek Borzecki --- units/systemd-udevd.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in index c146b0f7f85..d042bfb0d3b 100644 --- a/units/systemd-udevd.service.in +++ b/units/systemd-udevd.service.in @@ -35,7 +35,7 @@ MemoryDenyWriteExecute=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 RestrictRealtime=yes RestrictSUIDSGID=yes -SystemCallFilter=@system-service @module @raw-io +SystemCallFilter=@system-service @module @raw-io bpf SystemCallErrorNumber=EPERM SystemCallArchitectures=native LockPersonality=yes -- 2.47.3