Skip to content

sys-apps/systemd: allow @mount syscalls for systemd-udevd.service #3367

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

sys-apps/systemd: allow @mount syscalls for systemd-udevd.service #3367

wants to merge 1 commit into from

Conversation

@danzatt
Copy link
Contributor

@danzatt danzatt commented Oct 13, 2025

In Flatcar we are using modprobe helpers that run depmod in temporary overlay. systemd-udevd.service may try to load drivers for some block devices (e.g. ZFS), which ends up calling our helpers, which invoke mount command. The mount syscalls are forbidden by the default systemd-udevd syscall filter.

@danzatt danzatt requested a review from a team as a code owner October 13, 2025 07:18
@danzatt danzatt mentioned this pull request Oct 13, 2025
Open
@pothos
Copy link
Member

pothos commented Oct 13, 2025

Instead of patching the source, can we ship a unit drop in?

@github-actions
Copy link

github-actions bot commented Oct 13, 2025
edited
Loading

Build action triggered: https://github.com/flatcar/scripts/actions/runs/18651858463

@chewi
Copy link
Contributor

chewi commented Oct 13, 2025

Instead of patching the source, can we ship a unit drop in?

Indeed, that is what I was expecting. The SystemCallFilter setting is cumulative.

@pothos
Copy link
Member

pothos commented Oct 13, 2025

One can argue where this would go, e.g., we have some drop-ins in https://github.com/flatcar/init/tree/flatcar-master/systemd/system

@danzatt
Copy link
Contributor Author

danzatt commented Oct 16, 2025

I was discussing with @t-lo, and he suggested it would be better to ship it directly in a systemd package instead of baselayout. But yeah, it might be easier to ship it in init/baselayout so that we don't have to maintain yet another patch.

@pothos
Copy link
Member

pothos commented Oct 20, 2025

The package is also a good place: the drop-in file can be brought in through the ebuild installing it instead of a source patch

@chewi
Copy link
Contributor

chewi commented Oct 20, 2025

Our systemd package is currently forked from Gentoo, but ideally we would unfork it at some point. You could add the drop-in using a post_src_install function. We already do exactly this for timesyncd in sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd.

@danzatt danzatt force-pushed the danzatt/fix-modprobe-via-udevd branch from fa21dea to 6b04d15 Compare October 20, 2025 15:05
@danzatt
sys-apps/systemd: allow @mount syscalls for systemd-udevd.service
a96a073 
In Flatcar we are using modprobe helpers that run depmod in temporary
overlay. systemd-udevd.service may try to load drivers for some block
devices (e.g. ZFS), which ends up calling our helpers, which invoke
mount command. The mount syscalls are forbidden by the default
systemd-udevd syscall filter.
@danzatt danzatt force-pushed the danzatt/fix-modprobe-via-udevd branch from 6b04d15 to a96a073 Compare October 21, 2025 14:29
@github-actions github-actions bot mentioned this pull request Oct 22, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@danzatt @pothos @chewi