Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 21 Jun 2020 22:04:49 +0200
From: Adam Zabrocki <>
Subject: Re: The lkrg.service for systemd


I've tested proposed Unit file and got:

[   15.469294] systemd[1]: lkrg.service: Service has Restart= setting other than no, which isn't allowed for Type=oneshot services. Refusing.
[   15.501035] systemd[1]: lkrg.service: Cannot add dependency job, ignoring: Unit lkrg.service has a bad unit file setting.

Originally we had:


and in the new file we have:


We can use Type=simple or edit:

> Restart=on-failure

and set it to "no".

I believe that better approach is to set Restart=No since if LKRG failes to 
load first time, there is little value of retrying it again.


On Sun, Jun 21, 2020 at 05:31:45PM +0200, Mikhail Morfikov wrote:
> On 21/06/2020 14:58, Solar Designer wrote:
> > There's yet another issue, though: LKRG may take a little while to
> > initialize before it's fully monitoring for attacks and enforcing its
> > configured policies, yet the boot process may concurrently proceed
> > further and e.g. start crond and an exploit from there.
> > 
> > Do you have suggestions on how to make system boot process wait before
> > advancing to a phase where user code may run until LKRG is ready?
> The would take care of holding the system boot till 
> the LKRG module finish loading. The regular services, like cron, are started 
> after the is reached (which is after So 
> basically this dependency would do the job with ease.
> > 
> > What would you suggest we put into the documentation for those wanting
> > to use other init systems?  
> I don't really know other init systems -- I use Debian on all of my machines,
> and this distro (like many others) defaults to systemd, and this move has
> been made some years ago. If there are any people who use some other inits, I 
> would suggest that they speak about the proper support here, like I do with 
> systemd. 
> > 
> > With the 0.8 release being (hopefully) just around the corner, I think
> > switching to /etc/modules-load.d/99-lkrg.conf is too invasive a change
> > right now, but perhaps we can change the Before/After lines for now and
> > plan on making further changes for 0.9.
> > 
> >> I would suggest something like:
> >>
> >>   After=systemd-modules-load.service  # to make sure all other modules are loaded
> >>               # to load LKRG as fast a possible
> > 
> > Can you please test this suggestion of yours and confirm that it works?
> > 
> I tested, and I had to completely rewrite the systemd.service . Here's how it
> looks now:
> --------------
> [Unit]
> Description=Linux Kernel Runtime Guard
> Documentation=
> DefaultDependencies=no
> After=systemd-modules-load.service
> Before=systemd-sysctl.service
> [Service]
> Type=oneshot
> ExecStart=/sbin/modprobe -v p_lkrg
> #ExecStop=/sbin/modprobe -v -r p_lkrg
> RemainAfterExit=yes
> Restart=on-failure
> [Install]
> --------------
> The *DefaultDependencies* has to be used, since this is early boot service. When
> you use it, you have to take care of stopping the service, i.e. to add 
> ** and ** dependencies. I'm not 
> sure what would happen in this case when the two are omitted because there's no 
> real service that has to be stopped when system reboots/shutdowns. Anyway, after 
> adding them, when system reboots/shutdowns the *ExecStop* command will be 
> executed. So I commented it out because removing the module before system reboot
> is pointless. Using *After=systemd-modules-load.service* will make sure that 
> LKRG will load after any other module does, *Before=systemd-sysctl.service* is 
> for sysctl config to work, so if you block module loading via 
> *lkrg.block_modules*, it will work. The ** is redundant, 
> but I keep it just to explicitly show where the LKRG service is assigned to. I 
> also use *modprobe* for *ExecStart* and *ExecStop* commands (the -v flag can be 
> removed). I changed the *Type* from *Simple* to *Oneshot as it better fits in 
> this case, especially with *RemainAfterExit=yes*. Also *WantedBy* changed from 
> ** to **.
> Here's you can see how it works[1]. This is very beginning of the boot phase, 
> and you have first the systemd-modules-load.service , when it finishes, 
> lkrg-dkms starts and the module loads for ~1,5s. When it finishes, then 
> systemd-sysctl.service is launched and the rest of boot continues as ususal.
> [1]: 

pi3 (pi3ki31ny) - pi3 (at) itsec pl

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.