[OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

Benjamin Kaduk kaduk@mit.edu
Sun, 7 Mar 2021 13:34:45 -0800

On Fri, Mar 05, 2021 at 09:07:43AM -0500, Jonathan Billings wrote:
> Hello,
> Our university uses the Crowdstrike endpoint security tool, and we use
> OpenAFS for both our user's home directory as well as serving software to
> our students, faculty and researchers.  Is anyone else using Crowdstrike
> and OpenAFS on Linux (specifically, RHEL7)?
> I've discovered that the Crowdstrike service (falcon-sensor) installs a
> linux security module which seems to interact with the OpenAFS kernel
> module in a bad way, causing the kernel to panic and reboot.  After
> installing the kdump service, I'm able to capture a kernel dump and
> backtrace, and it is definitely something to do with how OpenAFS and the
> falcon lsm interact.  I wasn't able to trigger it with just command-line
> ssh but a graphical login seems to be a reliable trigger.  Specifically, it
> seems to be in the cache handling when it panics.
> Has anyone else experienced this?

I don't use Crowdstrike so haven't seen it, but can you post the backtrace?