Date: Sat, 1 Feb 2020 01:47:48 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: LKRG vs namespaces escape (docker?)

Hi,

I wanted to inform you that I've added new logic to the Exploit-Detection 
feature for detecting namespace escapes. LKRG now validates various namespace 
configurations per thread (task_struct). By doing so, LKRG might have a chance 
to detect e.g. docker escapes via kernel bugs.
It is important to note that before you run LKRG, you should load the "overlay" 
module used by docker. If you don't do it (e.g. load the "overlay" module after 
LKRG), not all hooks will be installed and you will see False Positives. The 
easiest way to solve it is to configure the system to load "overlay" during 
boot. You can do it by running, for example, the following command:

    root@...-ubuntu:~# echo "overlay" > /etc/modules-load.d/overlay.conf
    root@...-ubuntu:~#

This code is new but I haven't seen any issues with it so far. However, I would 
appreciate it if more people could test it as well.

Thanks,
Adam

-- 
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl
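
A pre-flight check for the load-order requirement described in the message above, as an added example that is not part of the original post or LKRG's own code. The module name `p_lkrg` and the function names are assumptions; the order test relies on `/proc/modules` listing the most recently loaded module first.

```shell
#!/bin/sh
# Added example. LKRG_MODULE is an assumption: the message does not name the
# LKRG kernel module, so set it to whatever name your build installs.
LKRG_MODULE="${LKRG_MODULE:-p_lkrg}"

# overlay_boot_configured [DIR]
# Succeeds if any *.conf file in DIR has "overlay" alone on a line
# (modules-load.d format: one module name per line; commented lines
# such as "# overlay" do not match).
overlay_boot_configured() {
    dir="${1:-/etc/modules-load.d}"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*overlay[[:space:]]*$' "$f"; then
            return 0
        fi
    done
    return 1
}

# overlay_load_order [FILE]
# FILE is in /proc/modules format (newest module on the first line).
# Prints one of:
#   ok                  overlay is loaded and LKRG is absent or was loaded later
#   overlay-missing     overlay is not loaded as a module
#   overlay-after-lkrg  overlay was loaded after LKRG: the false-positive case
overlay_load_order() {
    awk -v lkrg="$LKRG_MODULE" '
        $1 == "overlay" { ov = NR }
        $1 == lkrg      { lk = NR }
        END {
            if (!ov)                print "overlay-missing"
            else if (lk && ov < lk) print "overlay-after-lkrg"
            else                    print "ok"
        }' "${1:-/proc/modules}"
}
```

Run `overlay_load_order` with no argument on a live host before and after loading LKRG; a kernel with overlay built in rather than modular will report `overlay-missing`, which this check does not distinguish.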
