From 55b013833b1bc75c09dcb8b1c546ec214b2a12ac Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Fri, 15 May 2026 20:14:26 +0200
Subject: [PATCH] deploy/hardening: allow x86 syscalls on web drop-in (steamcmd is 32-bit)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The web service handles install jobs by fork-exec'ing steamcmd_linux, a 32-bit binary. With SystemCallArchitectures=native (x86_64 only) the kernel SIGSYS-kills it on its first i386 syscall — surfaced as bash exit 159 (= 128 + SIGSYS) in job logs. Mirror the server drop-in's `native x86` so the install path works again; the server unit already needed the same allowance for srcds_linux.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../systemd/system/left4me-web.service.d/10-hardening.conf | 7 ++++++-
 deploy/tests/test_example_units.py | 4 +++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/deploy/files/etc/systemd/system/left4me-web.service.d/10-hardening.conf b/deploy/files/etc/systemd/system/left4me-web.service.d/10-hardening.conf
index 92d00ab..11fec7a 100644
--- a/deploy/files/etc/systemd/system/left4me-web.service.d/10-hardening.conf
+++ b/deploy/files/etc/systemd/system/left4me-web.service.d/10-hardening.conf
@@ -28,7 +28,12 @@ ProtectClock=true
 ProtectControlGroups=true
 ProtectHostname=true
 LockPersonality=true
-SystemCallArchitectures=native
+# `native x86` (not just `native`) — the install job fork-execs
+# steamcmd_linux, a 32-bit binary, which makes i386-numbered syscalls.
+# Under `native` alone the kernel SIGSYS-kills it (bash exit 159 =
+# 128+SIGSYS). Mirrors the server unit, which needs the same allowance
+# for srcds_linux. See deploy/files/etc/systemd/system/left4me-server@.service.d/10-hardening.conf.
+SystemCallArchitectures=native x86
 SystemCallFilter=@system-service
 SystemCallFilter=~@debug @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
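Review bot: The widened `SystemCallArchitectures=native x86` applies to the entire left4me-web process tree, not only to the forked steamcmd_linux child, so the i386 compat syscall entry points become reachable from the request-serving part of the web service as well — the compat ABI is the surface `native` exists to close off, since it carries its own kernel entry paths and history of bugs. If request handling and the install job really share this unit (the description says the web service fork-execs steamcmd itself), the allowance would be better scoped to the install job: run steamcmd under its own unit, or a transient `systemd-run --property=SystemCallArchitectures="native x86"` service, and keep the web unit at `native`. If that is not practical for now, the comment in this hunk should record the trade-off instead of presenting the change as a pure fix, e.g. `# NOTE: widens the compat-syscall surface for the whole web process, not just the steamcmd child; move the install job to its own unit if possible.`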
diff --git a/deploy/tests/test_example_units.py b/deploy/tests/test_example_units.py
index 7850856..dac8b31 100644
--- a/deploy/tests/test_example_units.py
+++ b/deploy/tests/test_example_units.py
@@ -261,7 +261,9 @@ def test_web_hardening_dropin_present_with_directives():
     ):
         assert d in text, f"missing {d!r} in web hardening drop-in"
     # WEB-specific
-    assert "SystemCallArchitectures=native" in text
+    # `native x86` (not `native`) because the install job fork-execs
+    # steamcmd_linux (32-bit). Plain `native` produces SIGSYS (bash exit 159).
+    assert "SystemCallArchitectures=native x86" in text
     assert "SystemCallFilter=@system-service" in text
     assert "SystemCallFilter=~@debug @mount @raw-io @reboot @swap @cpu-emulation @obsolete" in text
     # WEB must NOT include the sudo-incompatible directives.
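Review bot: The replaced assertion is a bare substring test, so `"SystemCallArchitectures=native x86" in text` still passes when the directive is commented out (`#SystemCallArchitectures=native x86`), has extra architectures appended on the same line, or is followed by a second `SystemCallArchitectures=` assignment later in the drop-in that resets or extends the list — which is the kind of hardening regression this test exists to catch. Matching the whole line pins it down without a regex: `assert text.splitlines().count("SystemCallArchitectures=native x86") == 1`. The two `SystemCallFilter` assertions right after it in the hunk have the same weakness, though they are untouched by this commit. test_web_hardening_dropin_present_with_directives begins before this hunk and continues after it.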