According to our investigation, I found that the issue is caused by the
"mount" system call can not be allowed to execute.
And after checking the upstream commit, the issue is introduced by the
following patch,
commit ee8f26180d01e3ddd4e5f20b03b81e5e737657ae
Author: Lennart Poettering
Date: Thu Apr 19 11:04:17 2018 +0200
units: switch from system call blacklist to whitelist
This is generally the safer approach, and is what container managers
(including nspawn) do, hence let's move to this too for our own
services. This is particularly useful as this this means the new
@system-service system call filter group will get serious real-life
testing quickly.
This also switches from firing SIGSYS on unexpected syscalls to
returning EPERM. This would have probably been a better default anyway,
but it's hard to change that these days. When whitelisting system calls
SIGSYS is highly problematic as system calls that are newly introduced
to Linux become minefields for services otherwise.
Note that this enables a system call filter for udev for the first time,
and will block @clock, @mount and @swap from it. Some downstream
distributions might want to revert this locally if they want to permit
unsafe operations on udev rules, but in general this shiuld be mostly
safe, as we already set MountFlags=shared for udevd, hence at least
@mount won't change anything.
Before the patch,systemd-udevd.service has not set
“SystemCallFilter=”,but after the patch,the “SystemCallFilter=@system-
service @module @raw-io” was added
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 2b9fa69d9b..6a3814e5d9 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -29,6 +29,8 @@ PrivateMounts=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+SystemCallFilter=@system-service @module @raw-io
+SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
LockPersonality=yes
IPAddressDeny=any
Because there is no "SystemCallFilter=@system-service @module @raw-io" in the
/usr/lib/systemd/system/systemd-udevd.service on UBuntu20.04, we can not
experience the same issue, but can reproduce the issue on UBuntu22.04.
If we add "@mount" to "SystemCallFilter=" on UBuntu22.04, the issue can be
fixed.
Thanks,
Regards,
Jiwei
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1966203
Title:
Syslog shows "systemd-udevd[2837]: nvme0n1: Process ... failed with
exit code 1." in Ubuntu 22.04
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1966203/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
