Bug#855798: udev: MemoryDenyWriteExecute=yes should not be applied to udev plugins
Mike Manning
mmanning at brocade.com
Tue Feb 21 16:26:30 GMT 2017
Package: udev
Version: 232-15
Severity: important
Some executables outside of systemd are no longer run as plugins after an upgrade from Debian 8 to Debian 9 RC2, even though they should be called according to the RUN+= action in rules. So this distro-upgrade is breaking backwards compatibility.
This is complicated by the fact that the error shown in the journal is obscure (even with systemd debugging enabled), e.g.:
systemd-udevd[1510]: Process 'ifmgrctl' failed with exit code 127.
This is even though this same example executable 'ifmgrctl' runs just fine in Debian 8 (udev 215).
It turns out that the problem is due to MemoryDenyWriteExecute=yes being set in systemd-udevd.service. The underlying, as yet unresolved, issue is due to the way this 'ifmgrctl' executable was created by Go, most likely causing a segment mapping issue; see https://github.com/systemd/systemd/issues/5400 for more details.
The relevant upstream fixes are f3e43635932c ("core: Restrict mmap and mprotect with PAGE_WRITE|PAGE_EXEC (#3319) (#3379)") and 40652ca4791f ("units: enable MemoryDenyWriteExecute (#3459)"), but the fix that actually has an impact here was only committed at a later stage: 0c28d51ac849 ("units: further lock down our long-running services").
While it would be useful to have a warning message to detect infraction of the W^X check, and while it is easy enough to override MemoryDenyWriteExecute once the problem has been root-caused, for reasons of backwards compatibility, systemd-udevd.service should not inhibit executable plugins outside of systemd.
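Because the journal only reports the plugin's exit code, the quickest way to tell whether a RUN+= program is hitting the W^X restriction is to run a small probe under the same sandbox setting. The program below is an added example (it is not part of this bug report, of Debian's packaging, or of systemd) that performs the two operations MemoryDenyWriteExecute= denies, an mmap() of a page that is both writable and executable and an mprotect() that adds PROT_EXEC to an existing mapping, and reports whether each was allowed, denied with EPERM (the errno systemd's seccomp filter returns), or failed for another reason. The `systemd-run` invocation in the header comment is the assumed way to reproduce the sandboxed case; the names `probe_mmap_rwx` and `probe_mprotect_to_exec` are this example's own.

```c
/* wx_probe.c: check whether this process may create writable+executable
 * memory, i.e. whether MemoryDenyWriteExecute= (or a similar policy) is in
 * effect for it. Added example; not code from the bug report or systemd.
 *
 * Build:  cc -O2 -Wall -o wx_probe wx_probe.c
 * Plain:  ./wx_probe
 * Sandboxed (assumed invocation, same setting as the udev unit):
 *         systemd-run --wait -P -p MemoryDenyWriteExecute=yes ./wx_probe
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of one probe. */
enum wx_result { WX_ALLOWED = 0, WX_DENIED = 1, WX_ERROR = -1 };

/* Classify a failed mmap()/mprotect(): EPERM is what systemd's seccomp
 * filter returns under MemoryDenyWriteExecute=yes; anything else (for
 * example EACCES from an LSM policy) is reported separately. */
static enum wx_result classify(int err)
{
    return err == EPERM ? WX_DENIED : WX_ERROR;
}

/* Probe 1: map one anonymous page with PROT_READ|PROT_WRITE|PROT_EXEC.
 * This is the mmap() pattern the filter rejects outright. */
enum wx_result probe_mmap_rwx(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return classify(errno);
    munmap(p, page);
    return WX_ALLOWED;
}

/* Probe 2: map a page read/write, then ask mprotect() to make it
 * read/execute. The filter denies mprotect() calls that set PROT_EXEC, so a
 * "write code first, then make it executable" sequence fails here as well. */
enum wx_result probe_mprotect_to_exec(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return WX_ERROR;          /* could not even set up the RW page */
    enum wx_result r = WX_ALLOWED;
    if (mprotect(p, page, PROT_READ | PROT_EXEC) != 0)
        r = classify(errno);
    munmap(p, page);
    return r;
}

/* Human-readable label for a probe result. */
const char *wx_describe(enum wx_result r)
{
    switch (r) {
    case WX_ALLOWED: return "allowed";
    case WX_DENIED:  return "denied (EPERM, W^X policy active)";
    default:         return "failed for another reason";
    }
}

int main(void)
{
    printf("mmap(PROT_READ|PROT_WRITE|PROT_EXEC): %s\n",
           wx_describe(probe_mmap_rwx()));
    printf("mprotect(RW page -> PROT_READ|PROT_EXEC): %s\n",
           wx_describe(probe_mprotect_to_exec()));
    return 0;
}
```

Run once unsandboxed and once under `systemd-run -p MemoryDenyWriteExecute=yes`: a plugin that fails only in the second case, with the probes reporting "denied", has been root-caused to this setting rather than to a missing interpreter or library, which is what exit code 127 would usually suggest. Since the seccomp filter is inherited by every process the daemon spawns, the result also applies to anything udev starts via RUN+=.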
The requested fix is to set MemoryDenyWriteExecute=no (or to simply remove or comment out MemoryDenyWriteExecute=yes, as by default it is disabled) in the default unit file systemd-udevd.service used:
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 46d6378..108730e 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -25,6 +25,6 @@ KillMode=mixed
WatchdogSec=3min
TasksMax=infinity
MountFlags=slave
-MemoryDenyWriteExecute=yes
+MemoryDenyWriteExecute=no
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
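Review bot: the hunk switches MemoryDenyWriteExecute off for the whole systemd-udevd process, not only for RUN+= plugins; since the seccomp filter is installed on the daemon and inherited by every child it spawns, the unit has no per-child way to relax it, so this is an all-or-nothing choice. The report itself notes that overriding the setting is easy once the problem is root-caused, which argues for keeping the packaged default hardened and letting affected sites add a drop-in (a file under /etc/systemd/system/systemd-udevd.service.d/ with a [Service] section containing MemoryDenyWriteExecute=no, followed by systemctl daemon-reload and a restart of the service). If the change is kept as proposed, add a comment line above `MemoryDenyWriteExecute=no` stating why it is disabled (Go-built plugins outside systemd, upstream issue #5400), otherwise the next sync with the upstream unit file will silently re-enable it.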