Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 21 Jun 2020 11:07:10 +0200
From: Mikhail Morfikov <>
Subject: Re: The lkrg.service for systemd

On 20/06/2020 23:39, Solar Designer wrote:
> On Fri, Jun 05, 2020 at 05:36:49PM +0200, Mikhail Morfikov wrote:
>> You provide the lkrg.service file for systemd. It basically loads/unloads the 
>> LKRG module and currently has the following boot dependencies:
> As I recall, part of the rationale here was to load LKRG before a
> potential attacker could connect over network.  

In such case, you should use instead of just
See here[1] for detailed explanation. 


>> Wouldn't be better to use the same deps as in systemd-modules-load.service ?
> Maybe yes.  However, then LKRG's load order vs. other modules would vary
> between bootups, which would lower the confidence that the system will
> always boot up correctly after the sysadmin having tested that it does
> so once.

If loading of LKRG module was a separate service, then just add a dependency 
After=systemd-modules-load.service, which would make sure that any module 
loaded by systemd-modules-load.service would be loaded before LKRG.

But if you wanted to rely on the systemd-modules-load.service to take care of
loading all the modules (including LKRG), you can stick with it, and the 
module order in which the modules will be loaded is known and persistent from 
boot to boot. According to the man modules-load.d(5): "It is recommended to 
prefix all filenames with a two-digit number and a dash, to simplify the 
ordering of the files". So, the order in which modules are loaded during boot 
can be the same, and in my system, LKRG is loaded always as the last one. So 
adding a prefix to the file name (i.e. /etc/modules-load.d/99-lkrg.conf) would 
be sufficient to make sure that LKRG will be loaded after all the other

> So maybe we should use something inbetween, like this:

I would suggest something like:

  After=systemd-modules-load.service  # to make sure all other modules are loaded               # to load LKRG as fast a possible

>> What about other inits? Not all of the available init systems use this 
>> .service file. Maybe is it better to provide a file with the module name and 
>> place it under /etc/modules-load.d/ , so all the inits be supported? What do 
>> you think?
> Do other init systems support /etc/modules-load.d?  Which ones?  On
> RHEL7+, this directory comes from the systemd package.  On RHEL6, it is
> not available.  So it looks systemd-specific to me.

I think the /etc/modules-load.d/ dir is systemd specific one. But the systemd 
service that wants to load the LKRG module also is systemd specific. So instead of 
introducing a new service, in my opinion it's better to stay with 
systemd-modules-load.service and load the LKRG module as the last one using the 99- 

> There's also the question of how to pass module parameters and/or
> override some sysctl's right after loading LKRG into the kernel.  For
> module parameters, there's /etc/modprobe.d, which should work regardless
> of the init system in use as long as it uses modprobe (and we provide a
> unit or init file or such that triggers loading of LKRG).  However, for
> sysctl's we need to execute a script, which is more init system
> specific.  Unfortunately, Adam hasn't implemented support for profile_*
> as module parameters yet.  When he does, we won't need to be able to set
> LKRG sysctl's on bootup.

Sysctl also has its /etc/sysctl.d/ dir, in which you can place a file like 
99-lkrg.conf, and add all the sysctl options (commented out and maybe with 
some description for easier config). This is also systemd specific option 
and it has the following deps:


So to sum up, I think the following set of file would be needed:

/etc/modules-load.d/99-lkrg.conf  # to load the LKRG module
/etc/modprobe.d/lkrg.conf         # to set module options
/etc/sysctl.d/99-lkrg.conf        # to change LKRG config via sysctl -p

As you can see, if you want to support systemd init, you don't have to make
another service file, just use the three files above, and systemd will take 
care of dependencies and other stuff needed to load kernel modules.

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.