Syscall filter on systemd prevents repo creation

[b4nst]

Describe the bug
Repo create hangs indefinitely

To Reproduce
Steps to reproduce the behavior:

1. ssh -p 23231 -i ~/.ssh/id_ed25519 mydomain.com repo create foo

Expected behavior
Repo created.

Environment (please complete the following information):

• OS: Linux
• Terminal any
• Version soft version v0.8.2 (22d00e9)

Additional context
An entry (foo.git) is created under data/repos. However this entry is empty.

[b4nst]

I feel like this is coming from the systemd configuration. I'm able to create a repo, using the same config but with root user on another path, started manually. Since soft-serve is not yielding any useful logs (I checked with journalctl) it's hard to say what's going wrong.

Here is the config, untouched from yum package install:

[Unit]
Description=Soft Serve git server 🍦
Documentation=https://github.com/charmbracelet/soft-serve
Requires=network-online.target
After=network-online.target

[Service]
Type=simple
User=soft-serve
Group=soft-serve
Restart=always
RestartSec=1
ExecStart=/usr/bin/soft serve
Environment=SOFT_SERVE_DATA_PATH=/var/lib/soft-serve
EnvironmentFile=-/etc/soft-serve.conf
WorkingDirectory=/var/lib/soft-serve

# Hardening
ReadWritePaths=/var/lib/soft-serve
UMask=0027
NoNewPrivileges=true
LimitNOFILE=1048576
ProtectSystem=strict
ProtectHome=true
PrivateUsers=yes
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
CapabilityBoundingSet=
AmbientCapabilities=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target

[b4nst]

Ok I do confirm by commenting out the Hardening part, I'm able to create a repo. I'll try to dichotomy my way in finding which settings causes the issue.

[b4nst]

Ok found it, it's coming from the combination of an allow list and deny list on syscall filters:

SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

From what I understand from the doc, it seems when we set both, the first match is the one deciding

Allow-listing
By default the list contains the entries of allowed system call names. Unspecified syscalls will be denied and result in its process execution being stopped immediately.

Deny-listing
Another approach is to reverse this action by using a ~ as its first character. The principle of deny-listing will then be used. A match then will stop the execution of the process.

Combination
When both (allow-listing and deny-listing) are used, the first match will take precedence and define the default action to take.

To me this just translates to "your second line is useless".

I also confirmed that by swapping the two lines.

Shall we just leave the deny list or do we want to extract a exhaustive list of required syscall?