Thanks Vincent. I think I got some hints: I downloaded the package from
Jammy, I unpacked it and then ran a diff on the systemd unit file for
the udev service (since in the documentation of udev[1] it's written
that programs are executed in a sandbox) from the version in Focal:

==========
--- /lib/systemd/system/systemd-udevd.service   2022-04-21 15:54:39.000000000 
+0300
+++ lib/systemd/system/systemd-udevd.service    2022-04-07 22:28:15.000000000 
+0300
@@ -1,4 +1,4 @@
-#  SPDX-License-Identifier: LGPL-2.1+
+#  SPDX-License-Identifier: LGPL-2.1-or-later
 #
 #  This file is part of systemd.
 #
@@ -8,7 +8,7 @@
 #  (at your option) any later version.
 
 [Unit]
-Description=udev Kernel Device Manager
+Description=Rule-based Manager for Device Events and Files
 Documentation=man:systemd-udevd.service(8) man:udev(7)
 DefaultDependencies=no
 After=systemd-sysusers.service systemd-hwdb-update.service
@@ -16,8 +16,10 @@
 ConditionPathIsReadWrite=/sys
 
 [Service]
+DeviceAllow=block-* rwm
+DeviceAllow=char-* rwm
 Type=notify
-# Note that udev also adjusts the OOM score internally and will reset the 
value internally for its workers
+# Note that udev will reset the value internally for its workers
 OOMScoreAdjust=-1000
 Sockets=systemd-udevd-control.socket systemd-udevd-kernel.socket
 Restart=always
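Review bot: the two added DeviceAllow= lines (`block-* rwm`, `char-* rwm`) enable the unit's device cgroup policy but grant read, write and mknod on every block and character device, so they do not narrow what udev can reach; they only make any later DeviceAllow= tightening start from an explicit list. Nothing here touches process namespacing, so this hunk is not a candidate for the unshare failure in the bug title.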
@@ -27,11 +29,14 @@
 KillMode=mixed
 TasksMax=infinity
 PrivateMounts=yes
+ProtectClock=yes
 ProtectHostname=yes
 MemoryDenyWriteExecute=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
+SystemCallFilter=@system-service @module @raw-io bpf
+SystemCallErrorNumber=EPERM
 LockPersonality=yes
 IPAddressDeny=any
 WatchdogSec=3min
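Review bot: `SystemCallFilter=@system-service @module @raw-io bpf` is an allow list, so every syscall outside those four entries is refused, and `SystemCallErrorNumber=EPERM` makes such a call return EPERM to the worker instead of killing it with SIGSYS, which is why the symptom shows up as a logged error rather than a crash. Before removing or extending the line, `systemd-analyze syscall-filter` (with no argument, or with `@process`) prints the expansion of each group on the installed systemd version, which tells you directly whether `unshare` is already covered; adding a `SystemCallLog=` directive in a drop-in records which calls are being filtered in the journal, which is quicker than the reboot-and-retry loop proposed below.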
==========

I need to double-check, but I suspect that the SystemCallFilter addition
might be causing problems.

Vince, can you please make a backup copy of
/lib/systemd/system/systemd-udevd.service, then remove the two
SystemCallFilter and SystemCallErrorNumber lines, reboot and see if the
errors are gone?

If they are, then please restore the original file, and try adding
"@process" to the SystemCallFilter list; then reboot and see if it
helped. Or you can have a look at the possible values here [2] and try
understanding which ones are necessary. Though if you don't have time,
don't worry too much about this: it's something that we should be able to
determine ourselves.

[1]: https://www.freedesktop.org/software/systemd/man/udev.html
[2]: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1971955

Title:
  systemd-udevd  call unshare process  when attaching nvme volume

To manage notifications about this bug go to:
https://bugs.launchpad.net/dellserver/+bug/1971955/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
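The message above proposes reboot-and-see experiments to learn whether the new SystemCallFilter= allow list is what blocks udev's worker. The script below is an added example written for this thread; it is not code from the bug report, from Ubuntu's packaging or from systemd. It parses the [Service] section of a unit file, merges repeated SystemCallFilter= assignments the way systemd.exec(5) describes (first assignment fixes allow or deny mode, a leading `~` on the whole value means deny, an empty value resets, a `name:errno` suffix is ignored), and reports whether one syscall passes the filter and what happens on a violation. Group membership must come from the real `systemd-analyze syscall-filter` output on the host under test; the table embedded here is a constructed, truncated stand-in so the script runs offline, and in particular it does not claim anything about what the real @system-service group contains. The unit fragment is likewise constructed from the directives in the diff.

```python
"""Resolve a unit's effective SystemCallFilter= and test one syscall against it.
Added example for this thread, not code from the bug, Ubuntu or systemd. Real group
membership comes from `systemd-analyze syscall-filter`; the table below is a
constructed, truncated stand-in so the script runs offline."""
import subprocess
import sys

# Constructed, abbreviated sample in the `systemd-analyze syscall-filter` output format.
SAMPLE_ANALYZE_OUTPUT = """\
@module
    # Loading and unloading of kernel modules
    finit_module
    init_module

@process
    # Process control, execution, namespacing operations
    clone
    unshare

@raw-io
    # Raw I/O port access
    ioperm
    iopl

@system-service
    # General system service operations (truncated here)
    openat
    read
    write
"""

# Constructed unit fragment carrying the two directives under discussion.
SAMPLE_UNIT = """\
[Service]
SystemCallFilter=@system-service @module @raw-io bpf
SystemCallErrorNumber=EPERM
"""

def parse_syscall_groups(text):
    """Map '@group' -> set of syscall names from systemd-analyze output."""
    groups, current = {}, None
    for line in text.splitlines():
        if line.startswith("@"):
            current = line.strip()
            groups[current] = set()
        elif current and line.startswith(" ") and not line.lstrip().startswith("#"):
            groups[current].add(line.strip())
    return groups

def service_values(unit_text, key):
    """All values of `key` in [Service], in file order (repeated lines merge)."""
    values, section = [], None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line
        elif section == "[Service]" and "=" in line:
            k, v = line.split("=", 1)
            if k.strip() == key:
                values.append(v.strip())
    return values

def effective_filter(values, groups):
    """Merge per systemd.exec(5): the first assignment fixes the mode (allow list, or
    deny list when the whole value starts with '~'); later ones extend or carve out
    the set by their own prefix; an empty value resets. Returns (mode, syscalls)."""
    mode, syscalls = None, set()
    for value in values:
        if value == "":
            mode, syscalls = None, set()
            continue
        deny = value.startswith("~")
        if mode is None:
            mode = "deny" if deny else "allow"
        for item in value.lstrip("~").split():
            name = item.split(":", 1)[0]  # drop a per-syscall errno suffix
            members = groups[name] if name.startswith("@") else {name}
            if deny == (mode == "deny"):
                syscalls |= members  # same polarity as the list: extend it
            else:
                syscalls -= members  # opposite polarity: carve out of it
    return mode, syscalls

def check_unit(unit_text, syscall, analyze_output=SAMPLE_ANALYZE_OUTPUT):
    """Whether `syscall` passes the unit's filter, and what a violation does."""
    mode, syscalls = effective_filter(service_values(unit_text, "SystemCallFilter"),
                                      parse_syscall_groups(analyze_output))
    allowed = True if mode is None else (syscall in syscalls) == (mode == "allow")
    errno = service_values(unit_text, "SystemCallErrorNumber")
    return {"syscall": syscall, "mode": mode, "allowed": allowed,
            "on_violation": errno[-1] if errno else "SIGSYS (process killed)"}

if __name__ == "__main__":  # usage: check_filter.py <unit file> <syscall>, live table
    table = subprocess.run(["systemd-analyze", "syscall-filter"],
                           capture_output=True, text=True, check=True).stdout
    print(check_unit(open(sys.argv[1]).read(), sys.argv[2], table))
```

Run as a script on the affected machine it reads the host's own group table, so `check_filter.py /lib/systemd/system/systemd-udevd.service unshare` answers the question the thread is circling without a reboot; appending a second `SystemCallFilter=@process` assignment to the unit text (as the message suggests trying) can be evaluated the same way, since the merge logic treats it as an extension of the allow list.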