sys-apps/systemd: allow @mount syscalls for systemd-udevd.service

In Flatcar we are using modprobe helpers that run depmod in temporary overlay. systemd-udevd.service may try to load drivers for some block devices (e.g. ZFS), which ends up calling our helpers, which invoke mount command. The mount syscalls are forbidden by the default systemd-udevd syscall filter. Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>
2025-11-07 03:32:12 +01:00 · 2025-10-09 16:09:29 +02:00 · 2025-10-09 16:09:29 +02:00 · 8e94ac029b
commit 8e94ac029b
parent 125a96c6e2
3 changed files with 13 additions and 0 deletions
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
@ -11,3 +11,16 @@ After=ensure-sysext.service
 EOF
  popd
 }
+
+cros_post_src_install_udev() {
+  insinto "$(systemd_get_systemunitdir)/systemd-udevd.service.d"
+  newins - flatcar.conf <<EOF
+# In Flatcar we are using modprobe helpers that run depmod in temporary
+# overlay. systemd-udevd.service may try to load drivers for some block devices
+# (e.g. ZFS), which ends up calling our helpers, which invoke mount command.
+# The mount syscalls are forbidden by the default systemd-udevd syscall filter.
+
+[Service]
+SystemCallFilter=@mount
+EOF
+}
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r2.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild