[PATCH v4l-utils] 50-rc_keymap.conf prevents debian testing from booting

[PATCH v4l-utils] 50-rc_keymap.conf prevents debian testing from booting

[Sean Young]

If SystemCallFilter is not set for systemd-udevd, then 50-rc_keymap.conf
restricts the service to _only_ the bpf syscall, preventing the system
from booting.

Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sean Young <sean@mess.org>
---
 configure.ac               | 6 ++++++
 utils/keytable/Makefile.am | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/configure.ac b/configure.ac
index 01a24a28..8585a79d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -521,6 +521,12 @@ AM_CONDITIONAL([WITH_BPF],          [test x$enable_bpf != xno -a x$libelf_pkgcon
 AS_IF([test x$enable_libdvbv5 = xno], [AC_SUBST([ENFORCE_LIBDVBV5_STATIC], ["-static"])])
 AS_IF([test x$enable_libv4l = xno],   [AC_SUBST([ENFORCE_LIBV4L_STATIC],   ["-static"])])
 
+# Since systemd v239, udevd is not allowed to execute BPF systems calls;
+# add an override to allow bpf(2) in that case. On earlier versions, the
+# override will restrict udevd to bpf syscall only and will stop the system
+# from booting. This is also true on current debian versions.
+AM_CONDITIONAL([HAVE_UDEVDSYSCALLFILTER], [grep -s SystemCallFilter $with_systemdsystemunitdir/systemd-udevd.service])
+
 # misc
 
 if test "x$linux_os" = "xyes"; then
diff --git a/utils/keytable/Makefile.am b/utils/keytable/Makefile.am
index dfcd7609..4724897e 100644
--- a/utils/keytable/Makefile.am
+++ b/utils/keytable/Makefile.am
@@ -3,7 +3,9 @@ man_MANS = ir-keytable.1 rc_keymap.5
 sysconf_DATA = rc_maps.cfg
 keytablesystem_DATA = $(srcdir)/rc_keymaps/*
 udevrules_DATA = 70-infrared.rules
+if HAVE_UDEVDSYSCALLFILTER
 systemdsystemunit_DATA = 50-rc_keymap.conf
+endif
 
 ir_keytable_SOURCES = keytable.c parse.h ir-encode.c ir-encode.h toml.c toml.h keymap.c keymap.h
 
-- 
2.23.0

Re: [PATCH v4l-utils] 50-rc_keymap.conf prevents debian testing from booting

[Hans Verkuil]

On 10/28/19 3:56 PM, Sean Young wrote:
> If SystemCallFilter is not set for systemd-udevd, then 50-rc_keymap.conf
> restricts the service to _only_ the bpf syscall, preventing the system
> from booting.
> 
> Reported-by: Hans Verkuil <hverkuil@xs4all.nl>

Tested-by: Hans Verkuil <hverkuil@xs4all.nl>

Thanks! I think this should be merged quickly since it is not nice when
v4l-utils suddenly prevents your system from booting the next time.

Especially when you discover this two hours before you have to leave
for the airport to travel to the ELCE conference where you are
speaker the next day...

Just saying :-)

Regards,

	Hans

> Signed-off-by: Sean Young <sean@mess.org>
> ---
>   configure.ac               | 6 ++++++
>   utils/keytable/Makefile.am | 2 ++
>   2 files changed, 8 insertions(+)
> 
> diff --git a/configure.ac b/configure.ac
> index 01a24a28..8585a79d 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -521,6 +521,12 @@ AM_CONDITIONAL([WITH_BPF],          [test x$enable_bpf != xno -a x$libelf_pkgcon
>   AS_IF([test x$enable_libdvbv5 = xno], [AC_SUBST([ENFORCE_LIBDVBV5_STATIC], ["-static"])])
>   AS_IF([test x$enable_libv4l = xno],   [AC_SUBST([ENFORCE_LIBV4L_STATIC],   ["-static"])])
>   
> +# Since systemd v239, udevd is not allowed to execute BPF systems calls;
> +# add an override to allow bpf(2) in that case. On earlier versions, the
> +# override will restrict udevd to bpf syscall only and will stop the system
> +# from booting. This is also true on current debian versions.
> +AM_CONDITIONAL([HAVE_UDEVDSYSCALLFILTER], [grep -s SystemCallFilter $with_systemdsystemunitdir/systemd-udevd.service])
> +
>   # misc
>   
>   if test "x$linux_os" = "xyes"; then
> diff --git a/utils/keytable/Makefile.am b/utils/keytable/Makefile.am
> index dfcd7609..4724897e 100644
> --- a/utils/keytable/Makefile.am
> +++ b/utils/keytable/Makefile.am
> @@ -3,7 +3,9 @@ man_MANS = ir-keytable.1 rc_keymap.5
>   sysconf_DATA = rc_maps.cfg
>   keytablesystem_DATA = $(srcdir)/rc_keymaps/*
>   udevrules_DATA = 70-infrared.rules
> +if HAVE_UDEVDSYSCALLFILTER
>   systemdsystemunit_DATA = 50-rc_keymap.conf
> +endif
>   
>   ir_keytable_SOURCES = keytable.c parse.h ir-encode.c ir-encode.h toml.c toml.h keymap.c keymap.h
>   
> 

Re: [PATCH v4l-utils] 50-rc_keymap.conf prevents debian testing from booting

[Sean Young]

On Mon, Oct 28, 2019 at 05:21:02PM +0100, Hans Verkuil wrote:
> On 10/28/19 3:56 PM, Sean Young wrote:
> > If SystemCallFilter is not set for systemd-udevd, then 50-rc_keymap.conf
> > restricts the service to _only_ the bpf syscall, preventing the system
> > from booting.
> > 
> > Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
> 
> Tested-by: Hans Verkuil <hverkuil@xs4all.nl>
> 
> Thanks! I think this should be merged quickly since it is not nice when
> v4l-utils suddenly prevents your system from booting the next time.
> 
> Especially when you discover this two hours before you have to leave
> for the airport to travel to the ELCE conference where you are
> speaker the next day...

Yes, it's been pushed. Sorry about this. I am a little concerned that
loading bpf rc keymaps from udevd is not the best idea. Possibly this should
be done via polkit. These changes seem a little fragile and as this shows,
if it goes wrong then you end up with a system that doesn't boot...

Thanks for your report/test, making a quick turnaround for a fix possible.


Sean