According to our investigation, I found that the issue is caused by the
"mount" system call can not be allowed to execute.
And after checking the upstream commit, the issue is introduced by the
following patch,
commit ee8f26180d01e3ddd4e5f20b03b81e5e737657ae
Author: Lennart Poettering <lenn...@poettering.net>
Date: Thu Apr 19 11:04:17 2018 +0200
units: switch from system call blacklist to whitelist
This is generally the safer approach, and is what container managers
(including nspawn) do, hence let's move to this too for our own
services. This is particularly useful as this this means the new
@system-service system call filter group will get serious real-life
testing quickly.
This also switches from firing SIGSYS on unexpected syscalls to
returning EPERM. This would have probably been a better default anyway,
but it's hard to change that these days. When whitelisting system calls
SIGSYS is highly problematic as system calls that are newly introduced
to Linux become minefields for services otherwise.
Note that this enables a system call filter for udev for the first time,
and will block @clock, @mount and @swap from it. Some downstream
distributions might want to revert this locally if they want to permit
unsafe operations on udev rules, but in general this shiuld be mostly
safe, as we already set MountFlags=shared for udevd, hence at least
@mount won't change anything.
Before the patch,systemd-udevd.service has not set
“SystemCallFilter=”,but after the patch,the “SystemCallFilter=@system-
service @module @raw-io” was added
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 2b9fa69d9b..6a3814e5d9 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -29,6 +29,8 @@ PrivateMounts=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+SystemCallFilter=@system-service @module @raw-io
+SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
LockPersonality=yes
IPAddressDeny=any
Because there is no "SystemCallFilter=@system-service @module @raw-io" in the
/usr/lib/systemd/system/systemd-udevd.service on UBuntu20.04, we can not
experience the same issue, but can reproduce the issue on UBuntu22.04.
If we add "@mount" to "SystemCallFilter=" on UBuntu22.04, the issue can be
fixed.
Thanks,
Regards,
Jiwei
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1966203
Title:
Syslog shows "systemd-udevd[2837]: nvme0n1: Process ... failed with
exit code 1." in Ubuntu 22.04
Status in systemd package in Ubuntu:
New
Bug description:
Configuration:
OS:jammy-live-server20220320-amd64.iso
CPU:AMD EPYC 7702 64-Core Processor
UEFI Version:D8E119A
BMC Version:D8BT19I
SSD:Intel 1.60TB NVMe SSD
Boot mode:legacy
Reproduce Steps:
1.Boot into BIOS and set boot mode to legacy
2.install ubuntu 22.04 on NVMe SSD
3.Check syslog log
Current behaviors:
syslog shows systemd-udevd errors in Ubuntu 22.04
Feb 9 10:16:19 len systemd-udevd[2837]: nvme0n1: Process '/usr/bin/unshare
-m /usr/bin/snap auto-import --mount=/dev/nvme0n1' failed with exit code 1.
Feb 9 10:16:19 len systemd-udevd[2877]: nvme0n1p3: Process '/usr/bin/unshare
-m /usr/bin/snap auto-import --mount=/dev/nvme0n1p3' failed with exit code 1.
Feb 9 10:16:19 len systemd-udevd[2876]: nvme0n1p2: Process '/usr/bin/unshare
-m /usr/bin/snap auto-import --mount=/dev/nvme0n1p2' failed with exit code 1.
Feb 9 10:16:19 len systemd-udevd[2837]: nvme0n1p1: Process '/usr/bin/unshare
-m /usr/bin/snap auto-import --mount=/dev/nvme0n1p1' failed with exit code 1.
Feb 9 10:16:19 len systemd-udevd[2828]: sr0: Process '/usr/bin/unshare -m
/usr/bin/snap auto-import --mount=/dev/sr0' failed with exit code 1.
Feb 9 10:16:19 len systemd-udevd[2850]: dm-0: Process '/usr/bin/unshare -m
/usr/bin/snap auto-import --mount=/dev/dm-0' failed with exit code 1.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1966203/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
