Message-ID: <20250902190813.GA28702@openwall.com>
Date: Tue, 2 Sep 2025 21:08:13 +0200
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, lkrg-users@...ts.openwall.com
Subject: [openwall-announce] LKRG 1.0.0

Hi,

For those new to Linux Kernel Runtime Guard (LKRG), it is a kernel module that performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel.

At over 7 years since its initial public release in 2018, we're finally ready to call this project mature. We've just released LKRG 1.0.0, available on the LKRG project website:

https://lkrg.org

The following major changes have been made between LKRG 0.9.9 and 1.0.0:

*) Support latest mainline Linux kernels, currently tested up to 6.17-rc4

*) Support Linux 6.13+ by not hooking {override,revert}_creds() anymore, and limiting detection of cred pointer overwrite attacks on those kernels

*) To compensate for the above and as an enhancement on older kernels, check for cred pointer overwrites in certain other places where we did not before

*) Do not track those credentials that we currently do not validate anyway, and do not hook kernel functions that would only update such credentials (shrunk the codebase by approximately 1500 lines)

*) Support OverlayFS ovl_tmpfile introduced in Linux 6.10 (such support was needed to avoid false positives with containers on 6.10 to 6.12.y), but don't hook anything OverlayFS on 6.13+ (is unneeded there)

*) Support (or rather be compatible with the kernel's use of) Intel CET IBT (CONFIG_X86_KERNEL_IBT) and/or KCFI (CONFIG_CFI_CLANG) for now on x86_64

*) Support clang in more cases (fix some of the portability issues), but for now continue to only support GCC officially

*) Switch many hooks from kretprobes to simple kprobes for greater reliability and improved performance, and also reduce source code duplication in how hooks are installed (approximately +650 -1550 lines, so -900 lines overall)

*) Overhaul locking of per-task shadow data, using finer-grain locks

*) Improve performance of per-task shadow data lookups by making them lockless

*) Wrap integrity violation checks in unlikely(), so that the cold attack response code doesn't clutter caches in the hot paths

*) Fix several lethal race conditions involving SECCOMP_FILTER_FLAG_TSYNC

*) Fix false positive "seccomp mode corruption" involving SECCOMP_MODE_DEAD (was possible on 5.17+ and stable/longterm kernels that backported this)

*) Fix integrity violation misattribution to a wrong task when pint_enforce=0

*) Fix several integrity violation race conditions when pint_enforce=0

*) Fix race condition (possible NULL dereference) with namespace validation

*) Fix race condition on msr_validate sysctl changes as well as on transitions between profile_validate=4 and others

*) Fix various other bugs that typically had no externally visible effect

*) Make kprobes testing via LKRG's own dummy function hooking optional (works around issue seen on recent Gentoo) and improve reporting of failures

*) Build and link the userspace logger tools with hardening flags, and pass distributions' RPM packaging hardening flags to the compiler and linker

*) lkrg-logctl: Support and report continuation lines (an extra one-character field indicating whether the line is a new message or a continuation)

*) lkrg-logger: Make logs group-readable

*) Continuous Integration: switch from Ubuntu to Fedora for latest mainline kernel boot test, add Ubuntu 24.04, 24.10, 25.04, 25.10 boot tests, repair CentOS 7 build test to survive this distro's EOL and GitHub's deprecation

We made a lot of changes, and the codebase became significantly smaller:

$ git diff --shortstat v0.9.9..v1.0.0
 144 files changed, 2279 insertions(+), 4700 deletions(-)

The changes this time are by the following people:

$ git shortlog -sn v0.9.9..v1.0.0
    99  Solar Designer
    30  Sultan Alsawaf
     6  Vitaly Chikunov

You may notice that this time there are no commits from the original author of LKRG, Adam 'pi3' Zabrocki, yet he remains active with the project, throughout this release cycle and going forward. In fact, to pass Adam's reviews, Sultan and I had to justify to Adam many of the changes we were making.

Also, despite the extent of the changes, we tried to make this release conservative in a way - mostly not adding new defenses, but focusing on making LKRG more robust and portable, and the codebase cleaner. I hope Adam will return to direct contributions for a future release, perhaps once we lift the informal freeze on new defenses. Adam is good at adding defenses and code. I am good at dropping code while keeping the defenses. ;-)

I'd like to credit CIQ for supporting my and Sultan's work towards this release. At least the per-task shadow data locking overhaul and many of the bug findings/fixes wouldn't have happened without CIQ and Sultan.

We've already updated the Rocky Linux SIG/Security package of LKRG to this new release, and our tested builds for 9.6 and 8.10 are about to be pushed out to the public, along with a corresponding wiki edit:

https://sig-security.rocky.page

(pending approval by someone else at RESF now)

The Rocky Linux SIG/Security yum/dnf repository and LKRG packages are also usable on other Enterprise Linux distributions (AlmaLinux 8 and 9, RHEL 8 and 9, etc.)

Alexander