Bug#1071603: systemd-udevd.service: kdump : failed to call kexec_load system call : Operation not permitted
Luca Boccassi
bluca at debian.org
Wed May 22 16:33:07 BST 2024
Control: reassign -1 kdump-tools 1:1.8.1
On Wed, 22 May 2024 00:46:42 -0700 Yong Wang <yongwang at nvidia.com>
wrote:
> Package: udev
> Version: 252.22-1~deb12u1
> Severity: important
> X-Debbugs-Cc: yongwang at nvidia.com
>
> Dear Maintainer,
>
> The error shows up every time when cpu "online" event triggers
"kdump-config try-reload",
> with error message : "kdump-config: failed to unload kdump kernel"
(in syslog), due to
> kexec_load system call (belongs to "@reboot" set) is missing in
whitelist i.e. "SystemCallFilter"
> setting in systemd-udevd.service.
> In SMP system, performing the following command can trigger cpu
"online" event:
> echo 0 > /sys/devices/system/cpu/cpu1/online
> echo 1 > /sys/devices/system/cpu/cpu1/online
> kdump kernel is expected to be unloaded and reloaded successfully
in this scenario rather than
> getting such error message.
There is no such rule in the udev package, it comes from kdump-tools:
https://sources.debian.org/data/main/k/kdump-tools/1%3A1.10.3/debian/kdump-tools.udev
If a package adds rules that require additional permissions, then it's
that package that needs to ship a drop-in to allow them, otherwise the
attack surface is increased even for those that don't use it.
kdump-tools maintainers, please ship a drop-in like this together with
your udev rule:
/usr/lib/systemd/system/systemd-udevd.service.d/debian-kdump-tools-
kexec.conf
[Service]
SystemCallFilter=@reboot
(note that I haven't tested this)
--
Kind regards,
Luca Boccassi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20240522/81cf8280/attachment.sig>
More information about the Pkg-systemd-maintainers
mailing list