sys-apps/systemd: allow @mount syscalls for systemd-udevd.service

In Flatcar we are using modprobe helpers that run depmod in temporary
overlay. systemd-udevd.service may try to load drivers for some block
devices (e.g. ZFS), which ends up calling our helpers, which invoke
mount command. The mount syscalls are forbidden by the default
systemd-udevd syscall filter.

Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

changelog/bugfixes/2025-11-05-fix-modprobe-via-udevd.md

@@ -0,0 +1 @@
+- Fixed the loading of kernel modules from system extensions via udev (e.g. at boot time).

sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd

@@ -11,3 +11,16 @@ After=ensure-sysext.service
 EOF
   popd
 }
+
+cros_post_src_install_udev() {
+  insinto "$(systemd_get_systemunitdir)/systemd-udevd.service.d"
+  newins - flatcar.conf <<EOF
+# In Flatcar we are using modprobe helpers that run depmod in temporary
+# overlay. systemd-udevd.service may try to load drivers for some block devices
+# (e.g. ZFS), which ends up calling our helpers, which invoke mount command.
+# The mount syscalls are forbidden by the default systemd-udevd syscall filter.
+
+[Service]
+SystemCallFilter=@mount
+EOF
+}