From: Michael Biebl Date: Wed, 18 Jul 2018 21:49:16 +0000 (+0200) Subject: Drop seccomp system call filter for udev X-Git-Tag: archive/raspbian/246.1-1+rpi1~1^2^2~4 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=415ca1eb422b9c207b5ed2bc42087a0a8b64ca04;p=systemd.git Drop seccomp system call filter for udev The seccomp based system call whitelist requires at least systemd 239 to be the active init and during a dist-upgrade we can't guarantee that systemd has been fully configured before udev is restarted. This partially reverts upstream commit ee8f26180d01e3ddd4e5f20b03b81e5e737657ae. Once buster is released, this patch can be dropped. Closes: #903224 Gbp-Pq: Topic debian Gbp-Pq: Name Drop-seccomp-system-call-filter-for-udev.patch --- diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in index 5eee6993..33b1d892 100644 --- a/units/systemd-udevd.service.in +++ b/units/systemd-udevd.service.in @@ -32,8 +32,6 @@ MemoryDenyWriteExecute=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 RestrictRealtime=yes RestrictSUIDSGID=yes -SystemCallFilter=@system-service @module @raw-io -SystemCallErrorNumber=EPERM SystemCallArchitectures=native LockPersonality=yes IPAddressDeny=any
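Review bot: In the only hunk (units/systemd-udevd.service.in, @@ -32,8 +32,6), the removal of `SystemCallFilter=@system-service @module @raw-io` and `SystemCallErrorNumber=EPERM` leaves no trace in the unit file that the drop is temporary. The only record is the commit message's "Once buster is released, this patch can be dropped". The commit message ties the problem to the dist-upgrade window, when systemd 239 may not yet be the active init, but the hunk removes the system call allow-list for every installation that ships this unit, including ones where that condition never arises. I would ask for the patch description to state which hardening stays in force after the change (the context lines show `MemoryDenyWriteExecute=yes`, `RestrictAddressFamilies=`, `SystemCallArchitectures=native`, `LockPersonality=yes` and `IPAddressDeny=any` are untouched), and for the removal to be tracked against the bug it closes (#903224) so that the filter is restored once the upgrade path no longer needs the workaround.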