Closed Antiz96 closed 1 month ago
I've noticed this too, seems to be happening only since the last upgrade (of something :angel:)
I've noticed this too, seems to be happening only since the last upgrade (of something 👼)
Oh, well... I upgraded both archlinux-contrib and firewalld recently so... :angel: If you're positive it only started since the last upgrade of something, downgrading them might worth a shot!
I'll try that in a few.
Actually, checkservices was last modified 2 years ago so it's most probably not the cause. I'll try downgrading firewalld in a minute to see if it helps.
@lahwaacz Nice catch! Downgrading to firewalld 2.1.2-3 fixes the issue. The upgrade from 2.1.2 to 2.2.0 on the package side was a trivial one. So it's most probably due to an upstream change.
Not sure how to report that properly though (as I don't really understand what/where the problem might be) :/
It seems to be related to this systemd service hardening: https://github.com/firewalld/firewalld/commit/1632f93544be8a26c278ac0012993c27f865bfa3
Thanks, I'm including that in my upstream report.
I'm thinking we should actually skip the /memfd:
lines from the maps in the checkservices handling... But asking should not hurt
After investigation, it turns out that it's the MemoryDenyWriteExecute=yes
line added to the service file in https://github.com/firewalld/firewalld/commit/1632f93544be8a26c278ac0012993c27f865bfa3 that creates this behavior.
As @lahwaacz said, it seems like there's not much reason for checkservices
to look at /memfd:
maps (as checkservices is looking in the proc maps to find processes using files that were changed on the disk, but /memfd: is never on disk).
I'll open a MR to ignore /memfd:
lines in checkservices
.
firewalld.service
will always be reported as having broken maps files and needed to be restarted bycheckservices
, regardless if it was already restarted earlier or not (or even upgraded at all). By looking at the script, it seems likecheckervices
does some grepping/parsing to/proc/"pid of the service"/maps
to determine the list of services with deleted maps files. For some reason,firewalld.service
will always report one as deleted, causing a false positive:Unfortunately, I don't have enough knowledge on this to understand if the issue is on the firewalld side, the libffi one or if it's the grepping/parsing part of
checkservices
that should be made more "robust" somehow. Maybe someone we'll be able to understand what's wrong here?