[systemd-devel] udev script can't resolve host name
Jonathan Kamens
jik at kamens.us
Wed Aug 15 14:36:59 UTC 2018
Thanks for the pointer. It turns out that Ubuntu puts IPAddressDeny=all
in systemd-udevd.service. I suppose I could remove that (reducing
protection, as you note) or add an IPAddressAllow setting to allow
access to the DNS server and remote URL I want to hit, but then I have
to worry about keeping that in sync with the IP address associated with
the host name in the URL. I think it's probably just easier to do this
with a timer that runs a polling script every five seconds, rather than
using udev.
jik
On 8/15/18 7:13 AM, Sietse van Zanen wrote:
> Jonathan,
>
>
> Yes that is exactly the case. Look inside the unit file, systemd-udevd.service. It contains lines like:
>
> PrivateMounts=yes
> MemoryDenyWriteExecute=yes
> RestrictRealtime=yes
> RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
> SystemCallFilter=@system-service @module @raw-io
> SystemCallErrorNumber=EPERM
> SystemCallArchitectures=native
> LockPersonality=yes
>
> I think the SystemCallFilter is your culprit here. Removing it will probably make your script work, but it may also remove important protection.
>
>
> -Sietse
>
>
> ________________________________
> From: systemd-devel <systemd-devel-bounces at lists.freedesktop.org> on behalf of Jonathan Kamens <jik at kamens.us>
> Sent: Wednesday, August 15, 2018 10:31
> To: systemd-devel at lists.freedesktop.org
> Subject: [systemd-devel] udev script can't resolve host name
>
>
> Hi,
>
> If I understand correctly, this mailing list can be used for questions about udev as well as about systemd. If that's not correct, somebody please let me know and I will go elsewhere (and if you know where that "elsewhere" should be, please let me know, that would be helpful!); I don't mean to use the list incorrectly.
>
> I want to call a webhook inside a script run via a RUN directive in a udev rule.
>
> When I try to do this, curl says it's unable to resolve the host name of the URL I am asking it to fetch.
>
> To collect more data about the cause of this issue, I also tried doing a "ping -c 1 8.8.8.8" inside the script, and it gets, "sendmsg: Operation not permitted."
>
> I assume this means udev scripts are running inside some sort of restricted environment or something, but I can't figure out what controls the restrictions on that environment, whether I can loosen them, or how.
>
> I'm on Ubuntu 18.04.
>
> Any advice?
>
> Thank you,
>
> Jonathan Kamens
>