mirror of https://github.com/systemd/systemd.git synced 2025-03-28 02:50:16 +03:00

nspawn: add @keyring to default syscall allow_list

Keyring namespacing introduced in kernel version v5.3-rc1 c84ca912b0

Fixes #17606
This commit is contained in:
Anthony Messina 2025-02-10 18:38:11 -06:00 committed by Yu Watanabe
parent c0cc24ba42
commit 6cbd126b0b
2 changed files with 2 additions and 2 deletions

README

@ -42,7 +42,7 @@ REQUIREMENTS:
≥ 4.17 for cgroup-bpf socket address hooks and /sys/power/resume_offset
≥ 4.20 for PSI (used by systemd-oomd)
≥ 5.2 for cgroup freezer
≥ 5.3 for bounded loops in BPF program
≥ 5.3 for bounded loops in BPF program and keyring namespacing
≥ 5.4 for pidfd, new mount API, and signed Verity images
⛔ Kernel versions below 5.4 ("minimum baseline") are not supported at all,
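Review bot: the new README wording "≥ 5.3 for bounded loops in BPF program and keyring namespacing" lists a kernel version that the very next line declares unsupported ("Kernel versions below 5.4 ... are not supported at all"), so the entry can only serve as documentation of why the @keyring allow added in the same commit needs no runtime version check; it would help a later reader if the entry, or the commit message, said so explicitly and pointed at the kernel commit (c84ca912b0) that the commit message cites.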


@ -34,6 +34,7 @@ static int add_syscall_filters(
{ 0, "@file-system" },
{ 0, "@io-event" },
{ 0, "@ipc" },
{ 0, "@keyring" },
{ 0, "@mount" },
{ 0, "@network-io" },
{ 0, "@process" },
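Review bot: `{ 0, "@keyring" }` is added unconditionally to the default allow list between `@ipc` and `@mount`, which keeps the list's alphabetical order, but nothing in the hunk or the commit message records the assumption it rests on (the ≥ 5.3 keyring namespacing noted in the README change and the 5.4 minimum baseline); a one-line comment next to the entry, e.g. `{ 0, "@keyring" }, /* namespaced since kernel 5.3 */`, would stop the group from being re-excluded by someone reading only this file, and the commit message should state what the namespacing is keyed on so reviewers can judge whether containers that share the host's user namespace (no `--private-users`) are covered.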
@ -116,7 +117,6 @@ static int add_syscall_filters(
* The following syscalls and groups are knowingly excluded:
*
* @cpu-emulation
* @keyring (NB: keyring is not namespaced!)
* @obsolete
* @pkey
* @swap
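Review bot: removing the line `* @keyring (NB: keyring is not namespaced!)` from the "knowingly excluded" comment is the right companion to the allow-list change, but the comment block now silently loses the only place that explained the earlier exclusion; consider replacing the removed line with a short note in the same block (or beside the allow entry) stating that @keyring moved to the allow list because the kernel namespaces keyrings since 5.3, so the history of the decision stays visible in the source rather than only in git log.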