Date: Sun, 10 Nov 2019 16:43:00 +0000
From: Patrick Schleizer <adrelanos@...eup.net>
To: lkrg-users@...ts.openwall.com
Subject: LKRG Debian 10 buster / Debian packaging

Hello!

Thank you for maintaining LKRG!

I have an issue similar to this, I guess.

https://www.openwall.com/lists/lkrg-users/2018/02/05/2

I am using the LKRG stable branch, I think. I used these files:

https://www.openwall.com/lkrg/lkrg-0.7.tar.gz
https://www.openwall.com/lkrg/lkrg-0.7.tar.gz.sign

Debian 10, buster

Inside Qubes OS. Using Qubes VM kernel, i.e. kernel by Debian.

uname -a
Linux host 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux

cat /proc/version
Linux version 4.19.0-6-amd64 (debian-kernel@...ts.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20)

cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

gcc --version
gcc (Debian 8.3.0-6) 8.3.0

sudo insmod output/p_lkrg.ko p_init_log_level=3
insmod: ERROR: could not insert module output/p_lkrg.ko: Unknown symbol in module

sudo dmesg:
[ 1279.380872] p_lkrg: Unknown symbol usb_unregister_notify (err -2)
[ 1279.380943] p_lkrg: Unknown symbol usb_register_notify (err -2)

The "make" log is pasted below, which however looks fine. [1]

The "make install" log is pasted below too. It contains one line which might be interesting [2]:

> Warning: modules_install: missing 'System.map' file. Skipping depmod.


I was, however, able to start LKRG using systemd, which was surprising.

sudo systemctl start lkrg.service

sudo systemctl status lkrg.service

which shows success.

sudo dmesg:

[ 2919.927190] ACPI: bus type USB registered
[ 2919.927253] usbcore: registered new interface driver usbfs
[ 2919.927281] usbcore: registered new interface driver hub
[ 2919.927356] usbcore: registered new device driver usb
[ 2919.936781] [p_lkrg] Loading LKRG...
[ 2919.938713] Freezing user space processes ... (elapsed 0.032 seconds) done.
[ 2919.970821] OOM killer disabled.
[ 2919.970836] [p_lkrg] Verifying 20 potential UMH paths for whitelisting...
[ 2919.976046] [p_lkrg] 3 UMH paths were whitelisted...
[ 2920.508282] [p_lkrg] [kretprobe] register_kretprobe() for <ovl_create_or_link> failed! [err=-22]
[ 2920.508315] [p_lkrg] ERROR: Can't hook ovl_create_or_link function :(
[ 2920.658858] [p_lkrg] LKRG initialized successfully!
[ 2920.658885] OOM killer enabled.
[ 2920.658894] Restarting tasks ... done.
[ 2920.678539] [p_lkrg] Disabling "clean" message.

Does that look good?

That should be OK as per
https://www.openwall.com/lists/lkrg-users/2019/04/09/1, right?

I am also posting the systemd log after reboot. [3] (That is after some systemd
unit file changes which I will discuss in a separate e-mail.)

I am also asking since I am considering packaging LKRG for Debian
buster / Whonix / Kicksecure / Qubes (Debian template). However, I am
not a Debian Developer (DD). The package would be available from a third-party
repository, deb.whonix.org, but any DD would be welcome to help and
upload to packages.debian.org. I can't promise anything at this point,
except that I am looking into it and will see how far I get.

Kind regards,
Patrick

[1]
lkrg-0.7 $ make
make -C /lib/modules/4.19.0-6-amd64/build M=/home/user/sourcesother/lkrg-0.7 modules
make[1]: Entering directory '/usr/src/linux-headers-4.19.0-6-amd64'
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/ksyms/p_resolve_ksym.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/hashing/p_lkrg_fast_hash.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/comm_channel/p_comm_channel.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/integrity_timer/p_integrity_timer.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/kmod/p_kmod.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/database/CPU.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/database/arch/x86/p_x86_metadata.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/database/arch/x86/p_switch_idt/p_switch_idt.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/database/arch/arm64/p_arm64_metadata.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/database/arch/p_arch_metadata.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/database/JUMP_LABEL/p_arch_jump_label_transform/p_arch_jump_label_transform.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/database/p_database.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/notifiers/p_notifiers.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/self-defense/hiding/p_hiding.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_sys_execve/p_sys_execve.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_sys_execveat/p_sys_execveat.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_call_usermodehelper/p_call_usermodehelper.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_call_usermodehelper_exec/p_call_usermodehelper_exec.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_do_exit/p_do_exit.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_wake_up_new_task/p_wake_up_new_task.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_sys_setuid/p_sys_setuid.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_sys_setreuid/p_sys_setreuid.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_sys_setresuid/p_sys_setresuid.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_sys_setfsuid/p_sys_setfsuid.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_sys_setgid/p_sys_setgid.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_sys_setregid/p_sys_setregid.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_sys_setresgid/p_sys_setresgid.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_sys_setfsgid/p_sys_setfsgid.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_set_current_groups/p_set_current_groups.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_do_init_module/p_do_init_module.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_sys_finit_module/p_sys_finit_module.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_sys_delete_module/p_sys_delete_module.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_generic_permission/p_generic_permission.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_sel_write_enforce/p_sel_write_enforce.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_seccomp/p_seccomp.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_sys_unshare/p_sys_unshare.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_userns_install/p_userns_install.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/caps/p_sys_capset/p_sys_capset.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/caps/p_cap_task_prctl/p_cap_task_prctl.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/keyring/p_key_change_session_keyring/p_key_change_session_keyring.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/keyring/p_sys_add_key/p_sys_add_key.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/keyring/p_sys_request_key/p_sys_request_key.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/keyring/p_sys_keyctl/p_sys_keyctl.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/p_sys_ptrace/p_sys_ptrace.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/compat/p_compat_sys_execve/p_compat_sys_execve.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/compat/p_compat_sys_execveat/p_compat_sys_execveat.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/compat/p_compat_sys_keyctl/p_compat_sys_keyctl.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/compat/p_compat_sys_ptrace/p_compat_sys_ptrace.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/compat/p_compat_sys_delete_module/p_compat_sys_delete_module.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/compat/p_compat_sys_capset/p_compat_sys_capset.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/compat/p_compat_sys_add_key/p_compat_sys_add_key.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/compat/p_compat_sys_request_key/p_compat_sys_request_key.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_execve/p_x32_sys_execve.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_execveat/p_x32_sys_execveat.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_keyctl/p_x32_sys_keyctl.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_ptrace/p_x32_sys_ptrace.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/override/p_override_creds/p_override_creds.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/override/p_revert_creds/p_revert_creds.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/override/overlayfs/p_ovl_create_or_link/p_ovl_create_or_link.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/pCFI/p_mark_inode_dirty/p_mark_inode_dirty.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/pCFI/p_schedule/p_schedule.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/pCFI/p___queue_work/p___queue_work.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/syscalls/pCFI/p_lookup_fast/p_lookup_fast.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/modules/exploit_detection/p_exploit_detection.o
  CC [M]  /home/user/sourcesother/lkrg-0.7/src/p_lkrg_main.o
  LD [M]  /home/user/sourcesother/lkrg-0.7/p_lkrg.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /home/user/sourcesother/lkrg-0.7/p_lkrg.mod.o
  LD [M]  /home/user/sourcesother/lkrg-0.7/p_lkrg.ko
make[1]: Leaving directory '/usr/src/linux-headers-4.19.0-6-amd64'
mkdir -p output
cp /home/user/sourcesother/lkrg-0.7/p_lkrg.ko output

[2]
lkrg-0.7 $ sudo make install
make -C /lib/modules/4.19.0-6-amd64/build M=/home/user/sourcesother/lkrg-0.7 modules_install
make[1]: Entering directory '/usr/src/linux-headers-4.19.0-6-amd64'
  INSTALL /home/user/sourcesother/lkrg-0.7/p_lkrg.ko
  DEPMOD  4.19.0-6-amd64
Warning: modules_install: missing 'System.map' file. Skipping depmod.
make[1]: Leaving directory '/usr/src/linux-headers-4.19.0-6-amd64'
depmod -a
/home/user/sourcesother/lkrg-0.7/scripts/bootup/lkrg-bootup.sh install
 [*] Executing LKRG's bootup installation script
  [+] Systemd detected
       Installing lkrg.service file under /run/systemd/system folder
       Enabling lkrg.service on bootup
Created symlink /etc/systemd/system/multi-user.target.wants/lkrg.service → /run/systemd/system/lkrg.service.
       To start lkrg.service please use: systemctl start lkrg
  [+]

[3]

Nov 10 10:06:26 debian-buster-standalone kernel: [p_lkrg] Loading LKRG...
Nov 10 10:06:26 debian-buster-standalone kernel: [p_lkrg] Verifying 20 potential UMH paths for whitelisting...
Nov 10 10:06:26 debian-buster-standalone kernel: [p_lkrg] 3 UMH paths were whitelisted...
Nov 10 10:06:26 debian-buster-standalone kernel: [p_lkrg] [kretprobe] register_kretprobe() for <ovl_create_or_link> failed! [err=-22]
Nov 10 10:06:26 debian-buster-standalone kernel: [p_lkrg] ERROR: Can't hook ovl_create_or_link function :(
Nov 10 10:06:26 debian-buster-standalone kernel: [p_lkrg] LKRG initialized successfully!
Nov 10 10:06:26 debian-buster-standalone kernel: [p_lkrg] Disabling "clean" message.
Nov 10 10:06:26 debian-buster-standalone sysctl[706]: lkrg.clean_message = 0
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] New modification: type[JUMP_LABEL_JMP] code[0xffffffffae28f74c] target[0xffffffffae28f753] key[0xffffffffaf266000]!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] Updating kernel core .text section hash!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] New modification: type[JUMP_LABEL_JMP] code[0xffffffffae239ece] target[0xffffffffae239f29] key[0xffffffffaf266000]!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] Updating kernel core .text section hash!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] New modification: type[JUMP_LABEL_JMP] code[0xffffffffae2b3349] target[0xffffffffae2b3350] key[0xffffffffaf266370]!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] Updating kernel core .text section hash!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] New modification: type[JUMP_LABEL_JMP] code[0xffffffffae2b0cbf] target[0xffffffffae2b0d64] key[0xffffffffaf266380]!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] Updating kernel core .text section hash!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] New modification: type[JUMP_LABEL_JMP] code[0xffffffffae2f82c6] target[0xffffffffae2f82d2] key[0xffffffffaf266390]!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] Updating kernel core .text section hash!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] New modification: type[JUMP_LABEL_JMP] code[0xffffffffae2d7326] target[0xffffffffae2d75d3] key[0xffffffffaf266390]!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] Updating kernel core .text section hash!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] New modification: type[JUMP_LABEL_JMP] code[0xffffffffae2af64f] target[0xffffffffae2af75c] key[0xffffffffaf266390]!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] Updating kernel core .text section hash!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] New modification: type[JUMP_LABEL_NOP] code[0xffffffffc080e6a1] target[0xffffffffc080e78f] key[0xffffffffc08297c0]!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] Updating module's core .text section hash - module[nf_conntrack : 0x0000000048dfb46d]!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] New modification: type[JUMP_LABEL_NOP] code[0xffffffffc0847a51] target[0xffffffffc0847b26] key[0xffffffffc084c080]!
Nov 10 10:06:27 debian-buster-standalone kernel: [p_lkrg] [JUMP_LABEL] Updating module's core .text section hash - module[nf_nat : 0x00000000449d9079]!
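Editor's note on the "Unknown symbol" failure above (added here; not part of the original post and not LKRG project code): insmod loads exactly the one file it is given and never pulls in the modules that export the symbols it needs, whereas modprobe consults the depmod-generated indexes (modules.dep, and modules.symbols for symbol-to-module lookup). The second attempt's dmesg shows usbcore being registered immediately before "[p_lkrg] Loading LKRG...", which is consistent with that: once usbcore is present, usb_register_notify and usb_unregister_notify resolve. The "missing 'System.map'" warning only means the in-tree modules_install step skipped its own depmod, and the log shows the LKRG Makefile running `depmod -a` right afterwards, so the indexes exist. The script below turns the dmesg lines into the modprobe calls that would satisfy the dependency before an insmod. It runs offline on constructed sample data; on a real system point it at `dmesg` output and `/lib/modules/$(uname -r)/modules.symbols`.

```shell
#!/bin/sh
# Added example (not from the original post or the LKRG project): map each
# "Unknown symbol X" dmesg line to the module that exports X, using the
# modules.symbols index that depmod writes. Its lines have the form
#   alias symbol:<symbol> <module>
# The sample dmesg text and modules.symbols below are constructed for the
# demo; the real index lives at /lib/modules/$(uname -r)/modules.symbols.

# missing_symbols DMESG_FILE -> unique symbol names, one per line
missing_symbols() {
    sed -n 's/.*Unknown symbol \([A-Za-z0-9_]*\).*/\1/p' "$1" | sort -u
}

# provider SYMBOL SYMBOLS_FILE -> module exporting SYMBOL, or nothing if it is
# built into the kernel or unknown to depmod
provider() {
    awk -v want="symbol:$1" '$1 == "alias" && $2 == want { print $3; exit }' "$2"
}

# needed_modules DMESG_FILE SYMBOLS_FILE -> unique providing modules, one per line
needed_modules() {
    for sym in $(missing_symbols "$1"); do
        provider "$sym" "$2"
    done | sort -u
}

# --- constructed sample input, shaped like the post's dmesg and a depmod index ---
DEMO_DIR=$(mktemp -d)
DEMO_DMESG="$DEMO_DIR/dmesg.txt"
DEMO_SYMS="$DEMO_DIR/modules.symbols"
cat > "$DEMO_DMESG" <<'EOF'
[ 1279.380872] p_lkrg: Unknown symbol usb_unregister_notify (err -2)
[ 1279.380943] p_lkrg: Unknown symbol usb_register_notify (err -2)
EOF
cat > "$DEMO_SYMS" <<'EOF'
# Aliases for symbols, used by symbol_request().
alias symbol:usb_register_notify usbcore
alias symbol:usb_unregister_notify usbcore
alias symbol:nf_ct_get_tuple nf_conntrack
EOF

# Demo: print the dependency loads that insmod itself will not perform.
for mod in $(needed_modules "$DEMO_DMESG" "$DEMO_SYMS"); do
    echo "sudo modprobe $mod"
done
```

A symbol that maps to no module in modules.symbols is either built into the running kernel (check `/proc/kallsyms`) or simply not exported by anything installed for that kernel version, which usually means the module was built against different headers; in both cases modprobe will not help. Loading the providing module first and then insmod'ing p_lkrg.ko is the fix for the err -2 case shown in the post.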
