>these messages actually come from the kernel, I believe they are expected (maybe only in secure boot >mode, I haven't looked into the new 'lockdown' stuff yet). The lack of 'kernel_lockdown' manpage >appears to be already reported in bug 1767971.
This PC is indeed using secure boot. Here are the relevant lockdown messages when using the updated systemd package from your repository: [ 0.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7 [ 0.595817] Lockdown: swapper/0: Hibernation is restricted; see man kernel_lockdown.7 [ 1.904409] Lockdown: systemd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7 [ 1.907029] Lockdown: systemd: BPF is restricted; see man kernel_lockdown.7 [ 3.768797] Lockdown: Xorg: ioperm is restricted; see man kernel_lockdown.7 I did a bunch of searches on this and while I'm far from an expert, they seemed to confirm your mention that they are most likely to be expected (my interpretation of the search results: this lockdown system is meant to be automatically enabled in modern kernel versions at least when booting with secure boot). These exact same lockdown messages regarding systemd are also there on a fully updated Fedora 31, which I dual boot on this same PC. > Hmm, that probably needs a further look... Not sure if this is of any use, but there is also a "local system does not support BPF/cgroup firewalling." systemd message on the just released Fedora 31, although it refers to a different .slice. Both distributions note that BPF is restricted by the secure boot induced lockdown. Here are the logs: #Ubuntu 19.10 with updated systemd from PPA [ 0.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7 #Some other stuff in between [ 1.907029] Lockdown: systemd: BPF is restricted; see man kernel_lockdown.7 #Some other stuff in between [ 1.982629] systemd[1]: system-systemd\x2dfsck.slice: unit configures an IP firewall, but the local system does not support BPF/cgroup firewalling. #Fedora 31 with testing updates enabled [ 0.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7 #Some other stuff in between [ 1.289561] Lockdown: systemd: BPF is restricted; see man kernel_lockdown.7 #some other stuff in between [ 1.317449] systemd[1]: system-systemd\x2dhibernate\x2dresume.slice: unit configures an IP firewall, but the local system does not support BPF/cgroup firewalling. > great; thnx! No problem, reporting it was the least I could do. Thanks a lot for finding a fix for it and the swift replies in general! While the firewall actually worked fine it was a fairly scary looking warning. As for the new bug report, let me know if/when you want me to file it. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1851056 Title: "Proceeding WITHOUT firewalling in effect!" warning Status in systemd: Fix Released Status in systemd package in Ubuntu: Fix Released Status in systemd source package in Eoan: In Progress Bug description: Hello everyone, I noticed a strange systemd warning in my kernel log about "Proceeding WITHOUT firewalling in effect!" There is an older Debian bug mention about this same issue and it is said there that it was fixed last year: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872560 Release: Ubuntu 19.10, fresh install, latest updates with updates-testing repository enabled Systemd-package version: 242-7ubuntu3 Kernel: Linux 5.3.0-21-generic Here is the relevant warning information via running sudo dmesg after boot: [ 2.096064] Lockdown: systemd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7 [ 2.101034] Lockdown: systemd: BPF is restricted; see man kernel_lockdown.7 [ 2.136885] systemd[1]: File /lib/systemd/system/systemd-journald.service:12 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling. [ 2.142209] systemd[1]: Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.) [ 2.158190] systemd[1]: /lib/systemd/system/dbus.socket:4: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly. [ 2.197029] systemd[1]: Listening on Journal Socket. [ 2.203708] systemd[1]: Starting Create list of required static device nodes for the current kernel... [ 2.243900] bpfilter: Loaded bpfilter_umh pid 420 #Continues normally from here without anything that seems odd The included attachment .txt has more information. From what I've read online from various bug trackers from other distributions this should be related to a missing kernel option (CONFIG_BPF_SYSCALL=y), but this option seems to be enabled: # Output after running in commandline: grep BPF /boot/config-`uname -r` # Kernel settings seem to be correct? CONFIG_CGROUP_BPF=y CONFIG_BPF=y CONFIG_BPF_SYSCALL=y CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_IPV6_SEG6_BPF=y CONFIG_NETFILTER_XT_MATCH_BPF=m CONFIG_BPFILTER=y CONFIG_BPFILTER_UMH=m CONFIG_NET_CLS_BPF=m CONFIG_NET_ACT_BPF=m CONFIG_BPF_JIT=y CONFIG_BPF_STREAM_PARSER=y CONFIG_LWTUNNEL_BPF=y CONFIG_HAVE_EBPF_JIT=y CONFIG_BPF_EVENTS=y CONFIG_BPF_KPROBE_OVERRIDE=y CONFIG_TEST_BPF=m Also my friend just installed 19.10 on his machine and is seeing the same warning, but I haven't found anyone else mentioning this issue at least on the latest Ubuntu 19.10. The same warning message is appearing if I run Ubuntu 19.10 in live mode from the USB stick. What I expected to happen: no such error (it doesn't appear on Fedora or openSUSE Tumbleweed that I've recently had installed on my other SSD) What happened instead: error appears during every boot sequence It's also worth stressing that the firewall is functioning just fine (using standard ufw) despite the error, so I'm guessing this is a harmless warning. To manage notifications about this bug go to: https://bugs.launchpad.net/systemd/+bug/1851056/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
