Bug#1079567: systemd: Should not raise errors when not (all) BPF features are available
Diederik de Haas
didi.debian at cknow.org
Sat Aug 24 17:23:00 BST 2024
Package: systemd
Version: 256.5-1
Severity: normal
X-Debbugs-Cc: debian-kernel at lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I build a custom (arm64) kernel based on Debian's config and in that I
disabled debug info, which in turn disabled ``CONFIG_DEBUG_INFO_BTF``.
The build was successful and I tried it out on my Rock64. What I always
do when testing kernels is check dmesg for errors/warnings etc.:
```sh
root@rock64-test:~# dmesg --level 0,1,2
root@rock64-test:~# dmesg --level 0,1,2,3
[ 9.807992] rockchip-pm-domain ff100000.syscon:power-controller: failed to get ack on domain 'hevc', val=0x88220
[ 16.014046] systemd[1]: bpf-restrict-fs: Failed to load BPF object: No such process
```
The former is known (and is in the process of being fixed), the latter is new.
Looking for that error message led me to upstream issue 32968 [1] which
led me to the upstream README with the following:
```
Required for RestrictFileSystems= in service units:
CONFIG_BPF
CONFIG_BPF_SYSCALL
CONFIG_BPF_LSM
CONFIG_DEBUG_INFO_BTF
CONFIG_LSM="...,bpf" or kernel booted with lsm="...,bpf".
```
I (actually) do have most of those, but not CONFIG_DEBUG_INFO_BTF and
that appears to be why systemd throws an error.
Looking further I found another issue [2] which says that using
``lockdown=confidentiality`` will also be problematic.
I think/assume it's great that systemd would use kernel features like
BPF *if* they're available. But if not, it should not throw an ERROR.
An informational message is fine and possibly a warning* if it's really
important. But it should detect this at *runtime* and not assume what
happens to be enabled in the (Debian) kernel at a certain point in time.
I did grep my system for ``bpf-restrict-fs`` to see if I could disable
that feature, but it only found ``libsystemd-core-256.so``.
Cheers,
Diederik
*) Preferably not as I'm also trying to fix those as much as possible
[1] https://github.com/systemd/systemd/issues/32968
[2] https://github.com/anthraxx/linux-hardened/issues/93#issuecomment-1974260571
-- Package-specific info:
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.10.6-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages systemd depends on:
ii libacl1 2.3.2-2
ii libapparmor1 3.1.7-1+b1
ii libaudit1 1:4.0.1-1
ii libblkid1 2.40.2-7
ii libc6 2.39-7
ii libcap2 1:2.66-5
ii libmount1 2.40.2-7
ii libpam0g 1.5.3-7
ii libseccomp2 2.5.5-1+b1
ii libselinux1 3.7-1+b1
ii libssl3t64 3.3.1-7
ii libsystemd-shared 256.5-1
ii libsystemd0 256.5-1
ii mount 2.40.2-7
Versions of packages systemd recommends:
ii dbus [default-dbus-system-bus] 1.14.10-4+b1
ii libzstd1 1.5.6+dfsg-1
pn linux-sysctl-defaults <none>
ii ntpsec [time-daemon] 1.2.3+dfsg1-3
pn systemd-cryptsetup <none>
Versions of packages systemd suggests:
ii libcryptsetup12 2:2.7.4-1
ii libgcrypt20 1.11.0-6
ii libidn2-0 2.3.7-2
ii liblz4-1 1.9.4-3
ii liblzma5 5.6.2-2
pn libtss2-rc0t64 <none>
ii libtss2-tcti-device0t64 [libtss2-tcti-device0] 4.1.3-1
ii polkitd 125-2
pn systemd-boot <none>
ii systemd-container 256.5-1
pn systemd-homed <none>
pn systemd-repart <none>
pn systemd-resolved <none>
pn systemd-userdbd <none>
Versions of packages systemd is related to:
ii dbus-user-session 1.14.10-4+b1
pn dracut <none>
ii initramfs-tools 0.145
pn libnss-systemd <none>
ii libpam-systemd 256.5-1
ii udev 256.5-1
-- no debconf information
-----BEGIN PGP SIGNATURE-----
iHUEARYIAB0WIQT1sUPBYsyGmi4usy/XblvOeH7bbgUCZsoI3QAKCRDXblvOeH7b
bpA2AQDrLI0m5V/IkTepJVF4NyIlRbnFEjdvRIqjAyWliyCBJAEAorba1BU9D3p4
u9nOA3NGJyY1qPzQbS2Guc1niBbImAg=
=m50o
-----END PGP SIGNATURE-----
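The runtime check the report asks systemd to do can be reproduced by hand. The following script is an added example, not part of the bug report and not systemd's own code: it reads the running kernel's config (from /proc/config.gz or /boot/config-$(uname -r)) and the active LSM list from /sys/kernel/security/lsm, and reports which of the options listed in the README excerpt above are missing. The function and variable names are the author's own; the option list is taken verbatim from the README excerpt quoted in the report.

```shell
#!/bin/sh
# Added example: check whether the running kernel satisfies the requirements
# systemd's README lists for RestrictFileSystems= (bpf-restrict-fs).
# Not from the bug report or from systemd; names here are the example's own.

# The four config options quoted from the systemd README in the report.
REQUIRED_OPTS="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_LSM CONFIG_DEBUG_INFO_BTF"

# find_kernel_config: print the path of a readable kernel config, or nothing.
find_kernel_config() {
    if [ -r /proc/config.gz ]; then
        printf '%s\n' /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        printf '%s\n' "/boot/config-$(uname -r)"
    fi
}

# read_config FILE: print a kernel config, transparently decompressing .gz.
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *) cat "$1" ;;
    esac
}

# missing_opts CONFIG_FILE: print (space separated) the required options that
# are not set to =y in CONFIG_FILE. "# CONFIG_X is not set" and =m both count
# as missing, since RestrictFileSystems= needs the feature built in.
missing_opts() {
    _cfg_text=$(read_config "$1")
    _out=""
    for opt in $REQUIRED_OPTS; do
        printf '%s\n' "$_cfg_text" | grep -qx "$opt=y" || _out="$_out $opt"
    done
    printf '%s\n' "${_out# }"
}

# bpf_lsm_active LSM_LIST: succeed if "bpf" is one entry of a comma-separated
# LSM list, which is the format of /sys/kernel/security/lsm.
bpf_lsm_active() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx bpf
}

# check_restrict_fs CONFIG_FILE LSM_LIST: print "ok" and return 0 when every
# requirement holds; otherwise print "missing: ..." and return 1. A missing
# bpf LSM is reported as "lsm=bpf" (fix: CONFIG_LSM="...,bpf" or lsm=...,bpf).
check_restrict_fs() {
    _missing=$(missing_opts "$1")
    bpf_lsm_active "$2" || _missing="${_missing:+$_missing }lsm=bpf"
    if [ -z "$_missing" ]; then
        echo ok
        return 0
    fi
    echo "missing: $_missing"
    return 1
}

# Live check of the running kernel, only when both sources are readable
# (/proc/config.gz needs CONFIG_IKCONFIG_PROC; securityfs needs root on many systems).
if [ -r /sys/kernel/security/lsm ] && cfg=$(find_kernel_config) && [ -n "$cfg" ]; then
    check_restrict_fs "$cfg" "$(cat /sys/kernel/security/lsm)" || :
fi
```

On the reporter's kernel (BTF disabled, everything else present) this prints "missing: CONFIG_DEBUG_INFO_BTF", which is exactly the condition behind the "bpf-restrict-fs: Failed to load BPF object" line in dmesg. The check only covers what the README lists; a lockdown=confidentiality boot, mentioned in the second linked issue, would need a separate look at /sys/kernel/security/lockdown.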