From 17d292252ab2ee2146e9eabdf04c7da029da2b1f Mon Sep 17 00:00:00 2001
From: Daniel Zatovic <daniel.zatovic@gmail.com>
Date: Thu, 9 Oct 2025 16:09:29 +0200
Subject: [PATCH] sys-apps/systemd: allow @mount syscalls for
 systemd-udevd.service

In Flatcar we are using modprobe helpers that run depmod in temporary
overlay. systemd-udevd.service may try to load drivers for some block
devices (e.g. ZFS), which ends up calling our helpers, which invoke
mount command. The mount syscalls are forbidden by the default
systemd-udevd syscall filter.

Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
---
 .../bugfixes/2025-11-05-fix-modprobe-via-udevd.md   |  1 +
 .../coreos/config/env/sys-apps/systemd              | 13 +++++++++++++
 ...temd-256.9-r1.ebuild => systemd-256.9-r2.ebuild} |  0
 ...systemd-257.7.ebuild => systemd-257.7-r1.ebuild} |  0
 4 files changed, 14 insertions(+)
 create mode 100644 changelog/bugfixes/2025-11-05-fix-modprobe-via-udevd.md
 rename sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/{systemd-256.9-r1.ebuild => systemd-256.9-r2.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/{systemd-257.7.ebuild => systemd-257.7-r1.ebuild} (100%)

diff --git a/changelog/bugfixes/2025-11-05-fix-modprobe-via-udevd.md b/changelog/bugfixes/2025-11-05-fix-modprobe-via-udevd.md
new file mode 100644
index 0000000000..da0e38ffc6
--- /dev/null
+++ b/changelog/bugfixes/2025-11-05-fix-modprobe-via-udevd.md
@@ -0,0 +1 @@
+- Fixed the loading of kernel modules from system extensions via udev (e.g. at boot time).
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
index 3806da9f57..f5f1ad0bbb 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
@@ -11,3 +11,16 @@ After=ensure-sysext.service
 EOF
   popd
 }
+
+cros_post_src_install_udev() {
+  insinto "$(systemd_get_systemunitdir)/systemd-udevd.service.d"
+  newins - flatcar.conf <<EOF
+# In Flatcar we are using modprobe helpers that run depmod in temporary
+# overlay. systemd-udevd.service may try to load drivers for some block devices
+# (e.g. ZFS), which ends up calling our helpers, which invoke mount command.
+# The mount syscalls are forbidden by the default systemd-udevd syscall filter.
+
+[Service]
+SystemCallFilter=@mount
+EOF
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r2.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r2.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild