From 6cbd126b0b9b69757c44dec021be8d95edddb0bf Mon Sep 17 00:00:00 2001
From: Anthony Messina
Date: Mon, 10 Feb 2025 18:38:11 -0600
Subject: [PATCH] nspawn: add @keyring to default syscall allow_list

Keyring namespacing introduced in kernel version v5.3-rc1 https://github.com/torvalds/linux/commit/c84ca912b07901be528e5184fd254fca1dddf2ac

Fixes #17606
---
 README | 2 +-
 src/nspawn/nspawn-seccomp.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README b/README
index 1f3d1df275..e677c2a800 100644
--- a/README
+++ b/README
@@ -42,7 +42,7 @@ REQUIREMENTS:
 ≥ 4.17 for cgroup-bpf socket address hooks and /sys/power/resume_offset
 ≥ 4.20 for PSI (used by systemd-oomd)
 ≥ 5.2 for cgroup freezer
- ≥ 5.3 for bounded loops in BPF program
+ ≥ 5.3 for bounded loops in BPF program and keyring namespacing
 ≥ 5.4 for pidfd, new mount API, and signed Verity images

 ⛔ Kernel versions below 5.4 ("minimum baseline") are not supported at all,

diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index e85c3c72cc..e7d18a317e 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -34,6 +34,7 @@ static int add_syscall_filters(
 { 0, "@file-system" },
 { 0, "@io-event" },
 { 0, "@ipc" },
+ { 0, "@keyring" },
 { 0, "@mount" },
 { 0, "@network-io" },
 { 0, "@process" },
@@ -116,7 +117,6 @@ static int add_syscall_filters(
 * The following syscalls and groups are knowingly excluded:
 *
 * @cpu-emulation
- * @keyring (NB: keyring is not namespaced!)
 * @obsolete
 * @pkey
 * @swap
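Review bot: The new `{ 0, "@keyring" }` entry unconditionally exposes the keyring syscalls to every container, but the 5.3 namespacing the commit relies on is, as far as I recall from the linked kernel series, keyed on the user (and network) namespace, so a container started without a private user namespace still shares uid-matched keyrings with the host rather than getting its own. The comment removed from the exclusion list is not replaced by anything recording that assumption, so the next reader sees @keyring in the allow list with no hint that isolation depends on user namespacing; a short note on the entry would help, e.g. `{ 0, "@keyring" }, /* namespaced since Linux 5.3 (per user namespace); shared with the host when user namespacing is off */`. If request_key() upcalls are still serviced by the host's /sbin/request-key helper — I have not verified this against the kernel version cited — that is a second consequence worth a sentence in the same comment. add_syscall_filters() starts and ends outside the hunk.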