Drop seccomp system call filter for udev
author Michael Biebl <biebl@debian.org>
Wed, 18 Jul 2018 21:49:16 +0000 (23:49 +0200)
committer Michael Biebl <biebl@debian.org>
Sat, 15 Feb 2020 14:44:45 +0000 (14:44 +0000)
The seccomp-based system call whitelist requires at least systemd 239 to
be the active init, and during a dist-upgrade we can't guarantee that
systemd has been fully configured before udev is restarted.

This partially reverts upstream commit
ee8f26180d01e3ddd4e5f20b03b81e5e737657ae.

Once buster is released, this patch can be dropped.

Closes: #903224
Gbp-Pq: Topic debian
Gbp-Pq: Name Drop-seccomp-system-call-filter-for-udev.patch

units/systemd-udevd.service.in

index 8b1dd0efc73fa91877f167dd910fd29f67dd8c8e..934f9fb28f637ee54d36d73c50b62dad5c4f9be9 100644 (file)
@@ -32,8 +32,6 @@ MemoryDenyWriteExecute=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
-SystemCallFilter=@system-service @module @raw-io
-SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
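Review bot: The justification for removing `SystemCallFilter=@system-service @module @raw-io` (the running init may be older than systemd 239) is not reflected anywhere in the unit itself, so nothing in `units/systemd-udevd.service.in` marks the two dropped lines as a temporary Debian divergence that should be restored after the buster release; add a short comment at the point where the filter used to be, or at least at the top of the hardening block, naming the bug (#903224) and the condition for re-adding it. Removing `SystemCallErrorNumber=EPERM` together with the filter is consistent, since that directive only governs what a blocked syscall returns and has no effect without a `SystemCallFilter=`. The kept line `SystemCallArchitectures=native` is also seccomp-based, so the commit message should say why it is safe to keep under the same pre-239 init while the whitelist is not; if that directive is accepted by older inits, state it, and if it is not, it would need the same treatment. Finally, dropping the syscall whitelist removes udev's only explicit syscall restriction beyond the remaining directives (`MemoryDenyWriteExecute`, `RestrictAddressFamilies`, `RestrictSUIDSGID`, `LockPersonality`, `IPAddressDeny`), so the hardening regression this introduces for the whole buster lifetime is worth stating in the message rather than only the upgrade motivation.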