Date: Fri, 24 Jan 2020 20:01:44 +0100 From: Adam Zabrocki <pi3@....com.pl> To: lkrg-users@...ts.openwall.com Subject: Re: UMH blocked when though lkrg.block_modules = 0 Hi, Yes, I believe it's because of that specific configuration of kernel.core_pattern. I don't think there is anything special which needs to be done from LKRG perspective since it's correctly blocked what is should. Thanks, Adam On Fri, Jan 24, 2020 at 10:21:43AM +0000, Patrick Schleizer wrote: > sudo dmesg | grep lkrg > > [ 89.832261] p_lkrg: loading out-of-tree module taints kernel. > [ 89.850921] p_lkrg: module verification failed: signature and/or > required key missing - tainting kernel > [ 89.852290] [p_lkrg] Loading LKRG... > [ 91.952994] [p_lkrg] LKRG initialized successfully! > [ 92.017905] [p_lkrg] Disabling MSRs verification during CI. > [ 92.047093] [p_lkrg] [ED] New pCFI configuration => 1 (No stackwalk > (weak)) > [ 510.949628] [p_lkrg] <Exploit Detection> !!! BLOCKING UMH !!! > [ 510.949632] [p_lkrg] <Exploit Detection> Someone is trying to execute > file: [/bin/false] > [ 510.949633] [p_lkrg] <Exploit Detection> --- . --- > > sudo sysctl -a | grep lkrg > > lkrg.block_modules = 0 > lkrg.ci_panic = 0 > lkrg.clean_message = 0 > lkrg.enforce_msr = 0 > lkrg.enforce_pcfi = 1 > lkrg.force_run = 0 > lkrg.hide = 0 > lkrg.log_level = 1 > lkrg.random_events = 1 > lkrg.smep_panic = 1 > lkrg.timestamp = 15 > lkrg.umh_lock = 0 > > It was probably caused by sysctl "kernel.core_pattern=|/bin/false". > > Kind regards, > Patrick -- pi3 (pi3ki31ny) - pi3 (at) itsec pl http://pi3.com.pl
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.