Message-ID: <20260423054340.GA21178@openwall.com>
Date: Thu, 23 Apr 2026 07:43:40 +0200
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, lkrg-users@...ts.openwall.com
Subject: [openwall-announce] LKRG 1.0.1

Hi,

For those new to Linux Kernel Runtime Guard (LKRG), it is a kernel
module that performs runtime integrity checking of the Linux kernel and
detection of security vulnerability exploits against the kernel.

We've just released LKRG 1.0.1, available on the LKRG project website:

https://lkrg.org

The following major changes have been made between LKRG 1.0.0 and 1.0.1:

*) Support Linux 6.19+ (tested up to and including 7.0)
*) Verify newly loaded modules do appear in the module list (catches e.g.
   the Singularity rootkit hiding itself on load, stops it by kernel panic)
*) Try harder at killing compromised tasks (beyond SIGKILL sent by usual
   means, so e.g. Singularity's attempt to suppress SIGKILL doesn't help it)
*) Replace inconsistent uses of notrace in the source files with removal of
   trace-related CFLAGS in Makefile (so a rootkit can't place ftrace hooks on
   LKRG functions, which an older revision of Singularity did)
*) Fix possible livelock when freezing inter-dependent tasks on LKRG load
   (was observed with systemd-userd vs. proc-sys-fs-binfmt_misc.mount)
*) Fix possible use-after-free when accessing another task's shadow data on
   kernels since 3.17 but below 4.20
*) Fix possible sleeping-in-atomic on lkrg.msr_validate sysctl updates
*) pCFI: Fix potential kernel stack out of bounds read (which didn't matter)
*) Fix possible seccomp deadlock when a thread's off flag is corrupted (which
   can't happen without another issue or kernel compromise)

While 3 items above mention the recently publicized Singularity rootkit,
which "bypassed" LKRG, addressing this wasn't directly relevant for LKRG
yet. That's because LKRG is not currently meant to protect against
kernel modules loaded by legitimate-looking root user, who could simply
unload or reconfigure LKRG first (although doing so logs a message,
including to a remote server if configured). Rather, we took this
opportunity and used Singularity as our reminder and test suite to
identify areas for general hardening of LKRG, and to test such hardening
changes. This may also become directly relevant later, such as if we
add unload and reconfiguration protection.

I'd like to thank Matheu for creating and maintaining our new test
suite, Singularity. I see it has already been further updated two days
ago, which may give us more ideas for hardening. We keep track of these
in a GitHub issue:

https://github.com/lkrg-org/lkrg/issues/455

There's not much change in codebase size this time:

$ git diff --shortstat v1.0.0..v1.0.1
39 files changed, 441 insertions(+), 155 deletions(-)

The changes this time are by the following people:

$ git shortlog -sn v1.0.0..v1.0.1
16 Solar Designer
8 Adam 'pi3' Zabrocki
8 Sultan Alsawaf
1 Vitaly Chikunov

So just our current development team.

I'd like to credit CIQ for supporting my and Sultan's work towards this
release.

We've already updated the Rocky Linux SIG/Security package of LKRG to
this new release, and our tested builds for 9.7 and 8.10 are about to be
pushed out to the public, along with a pending edit of the wiki:

https://sig-security.rocky.page

This may take a day or two to become fully available.

Rocky Linux SIG/Security yum/dnf repository and LKRG packages are also
usable on other Enterprise Linux distributions (AlmaLinux 8 and 9, RHEL
8 and 9, etc.)

Alexander