Date: Tue, 31 Jul 2018 22:52:25 +0200
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: Fw: firejail and grsecurity compatibility

Hello,

It is possible that you have been exploited, but at the same time you might have hit 
some FP in LKRG which we are not aware of. From the description which you gave, 
it sounds more like some bug in firejail / Chrome / pulseaudio which might have 
confused LKRG and resulted in FPs - but it's difficult to make any strong 
conclusion.

Can you please provide more information?

 - Which kernel did you use?
 - Is it a customized compilation?
 - Is it an SMP machine?
 - What version of LKRG did you use?
 - Can you repro this scenario?
 - If you see a similar situation, can you change the log_level to at least 4? 
LKRG will print more detailed information about what's going on

> Also, is lkrg compatible with grsecurity?

As long as KRETPROBE is supported by the kernel, LKRG should be compatible with 
grsec (nevertheless, I didn't make extensive tests on that)

> have you tried running it on android?

LKRG consists of 2 main features - runtime Code Integrity (CI) and Exploit 
Detection (ED). ED will work anywhere KRETPROBE is supported, independent 
of CPU architecture. As far as I'm aware, Android kernels support KRETPROBEs 
on ARM, so there shouldn't be any problem with that. Unfortunately, runtime CI 
depends on CPU architecture and currently only x86 and amd64 are supported. 
Android devices run on ARM, so currently CI won't be able to run there. 
Nevertheless, we are planning to bring ARM support for runtime CI in the future.

Thanks,
Adam


On Tue, Jul 31, 2018 at 03:37:16AM +0000, vapnik spaknik wrote:
> OK, here is a further update on my previous message: I tried killing all programs running in firejails, but one of the firejails persisted. Running "firejail --list" indicated it containing chromium-browser which was running pulseaudio even though I had killed all chromium-browser processes and there were no instances of chromium-browser listed by "sudo pgrep chromium" or "sudo ps -e | grep chromium".
> The lkrg "Exploit Detection" messages continued while this firejail was still running. After rebooting the machine, and reloading lkrg I have not seen any more "Exploit" messages. So.. could it be that I bumped into some exploit code while browsing the web? I can't remember all of the websites I visited, but I've tried revisiting those that I can remember, and have not seen any more "Exploit" messages from lkrg.
> 
>      On Monday, July 30, 2018 10:27 PM, vapnik spaknik <vapniks@...oo.com> wrote:
>  
> 
>  I am getting a lot of warning messages for firejail (https://firejail.wordpress.com/):
> 
> Jul 30 22:19:09 computer kernel: [p_lkrg] <Exploit Detection> Detected pointer swapping attack!process[19677 | firejail] has different 'cred' point
> Jul 30 22:19:09 computer kernel: [p_lkrg] <Exploit Detection> Detected pointer swapping attack!process[19677 | firejail] has different 'real_cred' 
> Jul 30 22:19:09 computer kernel: [p_lkrg] <Exploit Detection> process[19677 | firejail] has different EGID! 1000 vs 0
> Jul 30 22:19:09 computer kernel: [p_lkrg] <Exploit Detection> process[19677 | firejail] has different FSGID! 1000 vs 0
> Jul 30 22:19:09 computer kernel: [p_lkrg] <Exploit Detection> Trying to kill process[firejail | 19677]!
> should I be worried?
> Also, is lkrg compatible with grsecurity? and finally, have you tried running it on android?
> Thank you for your time.
> 
>    

-- 
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl
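To help triage reports like the dmesg excerpt quoted in the thread, here is an added example (not LKRG's own code and not from either mail) that parses LKRG Exploit Detection lines, groups them per pid, and flags the id-to-root mismatches (the "1000 vs 0" EGID/FSGID lines) separately from the pointer-swap lines, which the reply notes may be FPs. The sample log is constructed; the line format is assumed from the quoted mail, and the sshd line is invented.

```python
import re
# Constructed dmesg excerpt modelled on the lines quoted in the thread; the
# pointer-swap lines are written out in full and the sshd line is invented.
SAMPLE_LOG = """\
Jul 30 22:19:09 computer kernel: [p_lkrg] <Exploit Detection> Detected pointer swapping attack!process[19677 | firejail] has different 'cred' pointer!
Jul 30 22:19:09 computer kernel: [p_lkrg] <Exploit Detection> Detected pointer swapping attack!process[19677 | firejail] has different 'real_cred' pointer!
Jul 30 22:19:09 computer kernel: [p_lkrg] <Exploit Detection> process[19677 | firejail] has different EGID! 1000 vs 0
Jul 30 22:19:09 computer kernel: [p_lkrg] <Exploit Detection> process[19677 | firejail] has different FSGID! 1000 vs 0
Jul 30 22:19:09 computer kernel: [p_lkrg] <Exploit Detection> Trying to kill process[firejail | 19677]!
Jul 30 22:19:10 computer kernel: [p_lkrg] <Exploit Detection> process[4242 | sshd] has different 'cred' pointer!
"""

ED_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
                   r"\[p_lkrg\] <Exploit Detection> (?P<msg>.*)$")
# LKRG prints the pair in both orders: process[pid | name] in the mismatch
# messages and process[name | pid] in the kill message (see the quoted log).
PROC_RE = re.compile(r"process\[([^\]|]+?) \| ([^\]]+?)\]")
DIFF_RE = re.compile(r"has different (?P<field>'[^']+'|[A-Z]+)!?"
                     r"(?: (?P<x>\d+) vs (?P<y>\d+))?")

def _pid_name(a, b):
    a, b = a.strip(), b.strip()
    return (int(a), b) if a.isdigit() else (int(b), a)

def parse_ed_log(text):
    """Group ED lines by pid -> {name, first_seen, mismatches, killed}; x/y are None for pointer-swap lines."""
    procs = {}
    for line in text.splitlines():
        m = ED_RE.match(line)
        p = PROC_RE.search(m["msg"]) if m else None
        if not p:
            continue  # not an LKRG ED line about a process
        pid, name = _pid_name(*p.groups())
        rec = procs.setdefault(pid, {"name": name, "first_seen": m["ts"],
                                     "mismatches": [], "killed": False})
        d = DIFF_RE.search(m["msg"])
        if d:
            x, y = (int(d["x"]), int(d["y"])) if d["x"] else (None, None)
            rec["mismatches"].append((d["field"].strip("'"), x, y))
        if "Trying to kill process" in m["msg"]:
            rec["killed"] = True
    return procs

def root_transitions(procs):
    """Pids where a numeric credential field differs and one side is root (0):
    the EGID/FSGID '1000 vs 0' pattern, which deserves a closer look than a lone pointer-swap line."""
    return sorted(pid for pid, r in procs.items()
                  if any(x is not None and x != y and 0 in (x, y)
                         for _, x, y in r["mismatches"]))
```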
