units: machined needs mount-related syscalls for its namespacing operations

Specifically "machinectl shell" (or its OpenShell() bus call) is implemented by entering the file system namespace of the container and opening a TTY there. In order to enter the file system namespace, chroot() is required, which is filtered by SystemCallFilter='s @mount group. Hence, let's make this work again and drop @mount from the filter list.
2025-02-01 05:47:04 +03:00 · 2016-06-21 21:32:17 +02:00 · 2016-06-21 21:32:17 +02:00 · 5b566d2475
commit 5b566d2475
parent 768c1decf9
1 changed files with 1 additions and 1 deletions
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@ -18,7 +18,7 @@ BusName=org.freedesktop.machine1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io

 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the