Date: Sun, 21 Jun 2020 14:58:34 +0200
From: Solar Designer <solar@...nwall.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: The lkrg.service for systemd

On Sun, Jun 21, 2020 at 11:07:10AM +0200, Mikhail Morfikov wrote:
> On 20/06/2020 23:39, Solar Designer wrote:
> > On Fri, Jun 05, 2020 at 05:36:49PM +0200, Mikhail Morfikov wrote:
> >> You provide the lkrg.service file for systemd. It basically loads/unloads the
> >> LKRG module and currently has the following boot dependencies:
> >>
> >> After=basic.target
> >> Before=network.target
> >
> > As I recall, part of the rationale here was to load LKRG before a
> > potential attacker could connect over network.
>
> In such case, you should use network-pre.target instead of just network.target.
> See here for detailed explanation.
>
> : https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

Thank you!  Looks like our choice of simply network.target is a bug as it
does not fully meet the rationale.

There's yet another issue, though: LKRG may take a little while to
initialize before it's fully monitoring for attacks and enforcing its
configured policies, yet the boot process may concurrently proceed further
and e.g. start crond and an exploit from there.  Do you have suggestions on
how to make system boot process wait before advancing to a phase where user
code may run until LKRG is ready?

> Sysctl also has its /etc/sysctl.d/ dir, in which you can place a file like
> 99-lkrg.conf, and add all the sysctl options (commented out and maybe with
> some description for easier config). This is also systemd specific option
> and it has the following deps:
>
> After=systemd-modules-load.service
> Before=sysinit.target

As discussed on this mailing list before you joined, setting LKRG sysctls
from /etc/sysctl.conf or /etc/sysctl.d didn't work because these were
processed before LKRG is loaded.  With your suggested alternative below,
this should become possible.
> So to sum up, I think the following set of files would be needed:
>
> /etc/modules-load.d/99-lkrg.conf  # to load the LKRG module
> /etc/modprobe.d/lkrg.conf         # to set module options
> /etc/sysctl.d/99-lkrg.conf        # to change LKRG config via sysctl -p
>
> As you can see, if you want to support systemd init, you don't have to make
> another service file, just use the three files above, and systemd will take
> care of dependencies and other stuff needed to load kernel modules.

This sounds right.  What would you suggest we put into the documentation for
those wanting to use other init systems?

Our current draft documentation (not yet committed) for the upcoming 0.8
release contains this:

---
Installation
------------

If your Linux distribution uses systemd, you can install LKRG with:

sudo make install

while you're still in its top level source code directory.

Run the following command to start the LKRG service just like it would be
started on next system bootup:

sudo systemctl start lkrg

You can uninstall LKRG using "make" as well (still in the same directory):

sudo make uninstall

In fact, you would need to do this before installing a new version of LKRG.

You can also use the following command to temporarily stop the LKRG service
without uninstalling it:

sudo systemctl stop lkrg

We don't in any way favor systemd over other init systems, and would gladly
add support for those as well if there's demand or especially if we receive
such contributions.  Meanwhile, on a system without systemd you can let
"sudo make install" partially complete (up to the point where it finds
you're not using systemd) and then use:

sudo modprobe p_lkrg

to load the module.  You can also put the "modprobe p_lkrg" command into a
system startup script.
---

With the 0.8 release being (hopefully) just around the corner, I think
switching to /etc/modules-load.d/99-lkrg.conf is too invasive a change right
now, but perhaps we can change the Before/After lines for now and plan on
making further changes for 0.9.

> I would suggest something like:
>
> After=systemd-modules-load.service  # to make sure all other modules are loaded
> Before=sysinit.target               # to load LKRG as fast as possible

Can you please test this suggestion of yours and confirm that it works?

Thanks,

Alexander
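As an added example (not code from the LKRG project or from anyone in this thread), the following POSIX shell script puts the two practical points of the message above into something you can run offline: it stages the three drop-in files Mikhail proposes under a scratch prefix instead of the live /etc, and it checks a unit file for the ordering bug Solar acknowledges, where Before=network.target does not guarantee the module is loaded before interfaces come up while network-pre.target does. It assumes the module is named p_lkrg (as in the modprobe command quoted above) and that LKRG's sysctls live under the lkrg.* namespace; the module option and sysctl key names in the generated files are commented-out placeholders, since the thread does not list them. One caveat from systemd.special(7) is built in: network-pre.target is a passive target, so a unit that orders itself Before=network-pre.target also needs Wants=network-pre.target, otherwise the ordering has no effect.

```shell
#!/bin/sh
# Added example, not code from the LKRG project or from this thread.
# Assumptions: the module is p_lkrg; its sysctls are under lkrg.*.

# stage_lkrg_files PREFIX: write the three drop-in files under PREFIX/etc
# (a staging directory, never the live /etc). Option and key names are
# placeholders because the real ones are not given in the thread.
stage_lkrg_files() {
    prefix="$1"
    mkdir -p "$prefix/etc/modules-load.d" "$prefix/etc/modprobe.d" "$prefix/etc/sysctl.d"

    # 1. Module list read by systemd-modules-load.service early in boot.
    printf 'p_lkrg\n' > "$prefix/etc/modules-load.d/99-lkrg.conf"

    # 2. Module parameters applied by modprobe when p_lkrg is loaded.
    cat > "$prefix/etc/modprobe.d/lkrg.conf" <<'EOF'
# Parameters for p_lkrg. Placeholder line: replace <option>=<value> with
# real parameters (see "modinfo p_lkrg") and remove the leading "#".
#options p_lkrg <option>=<value>
EOF

    # 3. Runtime policy applied by systemd-sysctl.service, which is ordered
    #    after systemd-modules-load.service, so the lkrg.* sysctls exist by
    #    then (the reason a plain /etc/sysctl.conf entry did not work).
    cat > "$prefix/etc/sysctl.d/99-lkrg.conf" <<'EOF'
# LKRG runtime policy. Placeholder key: list the real ones with "sysctl -a"
# once p_lkrg is loaded, then uncomment and set the ones you want to change.
#lkrg.<option> = <value>
EOF
}

# check_network_ordering UNIT: exit status
#   0 = Before=network-pre.target together with Wants=network-pre.target
#   1 = Before=network.target only (the bug discussed in the thread)
#   2 = no Before=network* ordering at all
#   3 = Before=network-pre.target without Wants= (passive target, no effect)
check_network_ordering() {
    unit="$1"
    if grep -Eq '^Before=(.* )?network-pre\.target( |$)' "$unit"; then
        grep -Eq '^Wants=(.* )?network-pre\.target( |$)' "$unit" && return 0
        return 3
    fi
    grep -Eq '^Before=(.* )?network\.target( |$)' "$unit" && return 1
    return 2
}

# Stand-alone run: stage the files into a temp dir and check a constructed
# unit fragment shaped like the ordering lines quoted at the top of the thread.
stage="$(mktemp -d)"
stage_lkrg_files "$stage"
printf '[Unit]\nAfter=basic.target\nBefore=network.target\n' > "$stage/lkrg.service"
check_network_ordering "$stage/lkrg.service" || \
    echo "lkrg.service ordering needs attention, status $?"
echo "staged drop-in files under $stage/etc"
```

Pointing check_network_ordering at /lib/systemd/system/lkrg.service (or wherever your distribution installs it) tells you which of the four states the installed unit is in; the staged files can be diffed against /etc before being copied into place.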