[systemd-devel] syscall-filters killing CGI after update to Fedora 33

Lennart Poettering lennart at poettering.net
Thu Apr 22 07:50:15 UTC 2021


On Mo, 19.04.21 18:24, Reindl Harald (h.reindl at thelounge.net) wrote:

> after a long time using this SystemCallFilter, perl-cgi with Fedora 33 gets
> killed - does anyone have an idea what changed that's obviously covered by the
> second line
>
> SystemCallFilter=@system-service @network-io @privileged
> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount
> @obsolete @raw-io @reboot @resources @swap

@resources is included in @system-service for a reason: its syscalls
are typically used by programs. Regular system services use it, and
that's totally OK and expected.

i.e. you basically explicitly created a configuration that can't
work. My recommendation: just drop the second line altogether. Your
first line implements an allowlist already, hence besides the
@resources thing the second line is entirely redundant, and the
@resources stuff you really don't want.

> either the blacklist of the new systemd version covers more than before or
> something changed in the perl stack

Yeah, programs change the APIs they use. System call filters need to
be put together with an understanding of what the programs do, and hence
are best put together upstream or by the distro. If you do it
downstream you might run into issues like this.

The idea of @system-service is that it mostly tries to isolate you
from this, but in your case you overrode what it does, so it fell apart.

Lennart

--
Lennart Poettering, Berlin
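The filter pair from the original post next to the corrected form, as an added example that is not part of the thread or of systemd's own documentation. The drop-in file name, the unit name and the ExecStart path are assumptions made for illustration; the two SystemCallFilter= lines are the ones quoted above.

```ini
# Added example (not from the thread). Assumed drop-in location:
# /etc/systemd/system/perl-cgi.service.d/override.conf
#
# As configured in the thread. systemd takes the FIRST SystemCallFilter=
# assignment as the mode (here: an allowlist) and applies every later
# assignment on top of it, so the "~" line removes its groups from that
# allowlist. All of them except @resources were never in the allowlist,
# so removing them changes nothing; @resources however is part of
# @system-service, so calls such as setrlimit()/prlimit64() that a Perl
# process makes during normal operation are now denied and the process
# dies with SIGSYS (journalctl shows "code=killed, status=31/SYS").
[Service]
ExecStart=
ExecStart=/usr/libexec/perl-cgi
SystemCallFilter=@system-service @network-io @privileged
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @resources @swap

# Corrected: keep only the allowlist. Everything the second line denied
# is outside the allowlist anyway, and @resources stays available.
# Check what the installed systemd puts into the group with:
#   systemd-analyze syscall-filter @system-service
# While tuning a filter, SystemCallErrorNumber=EPERM turns the kill into
# a failing syscall so the offending call can be found with strace.
[Service]
ExecStart=
ExecStart=/usr/libexec/perl-cgi
SystemCallFilter=@system-service @network-io @privileged
```

The two [Service] sections are shown side by side for comparison only; a real drop-in carries one of them. Apply with `systemctl daemon-reload` followed by a restart of the unit.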
