Date: Sun, 21 Jun 2020 11:07:10 +0200
From: Mikhail Morfikov <mmorfikov@...il.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: The lkrg.service for systemd

On 20/06/2020 23:39, Solar Designer wrote:
> On Fri, Jun 05, 2020 at 05:36:49PM +0200, Mikhail Morfikov wrote:
>> You provide the lkrg.service file for systemd. It basically loads/unloads the 
>> LKRG module and currently has the following boot dependencies:
>>
>>     After=basic.target
>>     Before=network.target
> 
> As I recall, part of the rationale here was to load LKRG before a
> potential attacker could connect over network.  

In such a case, you should use network-pre.target instead of just network.target.
See here[1] for a detailed explanation.

[1]: https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

>> Wouldn't it be better to use the same deps as in systemd-modules-load.service?
> 
> Maybe yes.  However, then LKRG's load order vs. other modules would vary
> between bootups, which would lower the confidence that the system will
> always boot up correctly after the sysadmin having tested that it does
> so once.

If loading of LKRG module was a separate service, then just add a dependency 
After=systemd-modules-load.service, which would make sure that any module 
loaded by systemd-modules-load.service would be loaded before LKRG.

But if you wanted to rely on the systemd-modules-load.service to take care of
loading all the modules (including LKRG), you can stick with it, and the 
module order in which the modules will be loaded is known and persistent from 
boot to boot. According to the man modules-load.d(5): "It is recommended to 
prefix all filenames with a two-digit number and a dash, to simplify the 
ordering of the files". So, the order in which modules are loaded during boot 
can be the same, and in my system, LKRG is loaded always as the last one. So 
adding a prefix to the file name (i.e. /etc/modules-load.d/99-lkrg.conf) would 
be sufficient to make sure that LKRG will be loaded after all the other
modules.

> 
> So maybe we should use something in between, like this:
> 
> After=sysinit.target
> Before=basic.target
> 

I would suggest something like:

  # to make sure all other modules are loaded
  After=systemd-modules-load.service
  # to load LKRG as fast as possible
  Before=sysinit.target


>> What about other inits? Not all of the available init systems use this
>> .service file. Maybe it is better to provide a file with the module name and
>> place it under /etc/modules-load.d/, so all the inits are supported? What do
>> you think?
> 
> Do other init systems support /etc/modules-load.d?  Which ones?  On
> RHEL7+, this directory comes from the systemd package.  On RHEL6, it is
> not available.  So it looks systemd-specific to me.

I think the /etc/modules-load.d/ dir is a systemd-specific one. But the systemd
service that wants to load the LKRG module is also systemd-specific. So instead of
introducing a new service, in my opinion it's better to stay with
systemd-modules-load.service and load the LKRG module as the last one using the 99-
prefix.

> 
> There's also the question of how to pass module parameters and/or
> override some sysctl's right after loading LKRG into the kernel.  For
> module parameters, there's /etc/modprobe.d, which should work regardless
> of the init system in use as long as it uses modprobe (and we provide a
> unit or init file or such that triggers loading of LKRG).  However, for
> sysctl's we need to execute a script, which is more init system
> specific.  Unfortunately, Adam hasn't implemented support for profile_*
> as module parameters yet.  When he does, we won't need to be able to set
> LKRG sysctl's on bootup.

Sysctl also has its /etc/sysctl.d/ dir, in which you can place a file like
99-lkrg.conf, and add all the sysctl options (commented out and maybe with
some description for easier config). This is also a systemd-specific option,
and it has the following deps:

  After=systemd-modules-load.service
  Before=sysinit.target

So to sum up, I think the following set of files would be needed:

/etc/modules-load.d/99-lkrg.conf  # to load the LKRG module
/etc/modprobe.d/lkrg.conf         # to set module options
/etc/sysctl.d/99-lkrg.conf        # to change LKRG config via sysctl -p

As you can see, if you want to support systemd init, you don't have to make
another service file, just use the three files above, and systemd will take 
care of dependencies and other stuff needed to load kernel modules.
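
An added example, not part of the original message and not LKRG project code: a shell check of the modules-load.d file ordering the message relies on, which also shows that a file name sorting after the 99- prefix would be read later. The module name `lkrg`, the function names and all sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. The module name "lkrg" and every sample file are constructed.

# Print module names in the order the modules-load.d files request them.
# Args: config dirs, highest priority first. A file name found in an earlier
# dir replaces the same name in a later dir; the surviving files are then
# read in lexicographic order of file name, whatever dir they live in.
modules_load_order() {
    tab=$(printf '\t')
    for d in "$@"; do
        for f in "$d"/*.conf; do
            [ -e "$f" ] || continue
            printf '%s\t%s\n' "${f##*/}" "$f"
        done
    done | awk -F '\t' '!seen[$1]++' | LC_ALL=C sort -t "$tab" -k1,1 |
    while IFS=$tab read -r name path; do
        # One module per line; blank lines and "#" or ";" comments are skipped.
        awk '{ gsub(/^[ \t]+|[ \t]+$/, "") } $0 != "" && $0 !~ /^[#;]/' "$path"
    done
}

# Succeed only if MODULE is the last entry of the effective order.
module_loads_last() {
    module=$1; shift
    [ "$(modules_load_order "$@" | tail -n 1)" = "$module" ]
}

# Build a constructed sample tree in a temp dir and print its path.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/modules-load.d" "$root/usr/lib/modules-load.d"
    printf '# networking\nnf_conntrack\n' > "$root/etc/modules-load.d/10-net.conf"
    printf 'dummy\n' > "$root/usr/lib/modules-load.d/10-net.conf"  # masked by /etc
    printf 'loop\n'  > "$root/usr/lib/modules-load.d/50-vendor.conf"
    printf 'lkrg\n'  > "$root/etc/modules-load.d/99-lkrg.conf"
    echo "$root"
}

# Usage: sh check.sh MODULE DIR...  (dirs in priority order, /etc first)
if [ "$#" -ge 2 ]; then
    m=$1; shift
    modules_load_order "$@"
    module_loads_last "$m" "$@" || { echo "$m is not loaded last" >&2; exit 1; }
fi
```

Run against a real system, pass the module name followed by /etc/modules-load.d, /run/modules-load.d and /usr/lib/modules-load.d in that order.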


