Description of problem:
Snapd uses a helper program /usr/libexec/snapd/snap-device-helper to update device access rules for a running snap application. This is done by updating entries in a bpf map under /sys/fs/bpf/snap/<snap-cookie>. Snapd sets up udev rules to invoke the helper whenever a matching device is added/changed. However, since systemd-udevd syscall filtering is limited to @system-service @module @raw-io, bpf() gets blocked with EPERM like so:

    3309 bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/snap/snap_ghostscript-printer-app_ghostscript-printer-app-server", bpf_fd=0, file_flags=0}, 128 <unfinished ...>
    ...
    3309 <... bpf resumed>) = -1 EPERM (Operation not permitted)

The program was also seen on Fedora 35 where fixes for #2025264 were pushed to testing but the problem was still not resolved.

Version-Release number of selected component (if applicable):
systemd-249.7-2.fc35.x86_64
systemd-libs-249.7-2.fc35.x86_64
systemd-networkd-249.7-2.fc35.x86_64
systemd-oomd-defaults-249.7-2.fc35.noarch
systemd-pam-249.7-2.fc35.x86_64
systemd-resolved-249.7-2.fc35.x86_64
systemd-udev-249.7-2.fc35.x86_64

How reproducible: always

Actual results: bpf() getting blocke
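For triaging this kind of denial, the following added example (not part of the original report, and not snapd or systemd code) pairs the `<unfinished ...>` and `<... resumed>` halves of `strace -f` output per PID and lists the calls that failed with EPERM. The function name, the sample trace and its pathnames are constructed for illustration.

```python
import re

# Constructed `strace -f` sample: the bpf() lines follow the shape shown in the
# report (with a made-up pathname); the openat() and ENOENT lines are for contrast.
SAMPLE = """\
3309 bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/snap/snap_example_example-app", bpf_fd=0, file_flags=0}, 128 <unfinished ...>
3310 openat(AT_FDCWD, "/etc/hostname", O_RDONLY) = 3
3309 <... bpf resumed>) = -1 EPERM (Operation not permitted)
3311 bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/snap/missing", bpf_fd=0, file_flags=0}, 128) = -1 ENOENT (No such file or directory)
"""

CALL = re.compile(r"^(\d+)\s+(\w+)\((.*)$")
RESUMED = re.compile(r"^(\d+)\s+<\.\.\. (\w+) resumed>(.*)$")
RESULT = re.compile(r"=\s+(-?\w+)(?:\s+(E[A-Z0-9]+)\s+\(.*\))?\s*$")
PATHNAME = re.compile(r'pathname="([^"]*)"')

def denied_syscalls(trace, errno="EPERM"):
    """Return (pid, syscall, pathname) for every call that failed with errno.

    EPERM is only a candidate for a seccomp denial: missing capabilities or
    an LSM can return it too, so confirm against the unit's SystemCallFilter.
    """
    pending = {}  # (pid, syscall) -> arguments seen before the call was interrupted
    hits = []
    for line in trace.splitlines():
        resumed = RESUMED.match(line)
        if resumed:
            pid, name, tail = resumed.groups()
            args = pending.pop((pid, name), "")
        else:
            call = CALL.match(line)
            if not call:
                continue  # "..." elisions, signals, exit lines
            pid, name, tail = call.groups()
            if tail.rstrip().endswith("<unfinished ...>"):
                pending[(pid, name)] = tail  # result arrives on the resumed line
                continue
            args = tail
        result = RESULT.search(tail)
        if result and result.group(2) == errno:
            path = PATHNAME.search(args)
            hits.append((int(pid), name, path.group(1) if path else None))
    return hits

if __name__ == "__main__":
    for pid, name, path in denied_syscalls(SAMPLE):
        print(f"pid {pid}: {name}() failed with EPERM, pathname={path}")
```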
Proposed an upstream fix: https://github.com/systemd/systemd/pull/21576
FEDORA-2022-f38f479b8f has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-f38f479b8f
FEDORA-2022-f38f479b8f has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-f38f479b8f` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-f38f479b8f See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-f38f479b8f has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.