Date: Tue, 7 Jul 2020 19:31:15 +0200
From: Solar Designer <solar@...nwall.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: <Exploit Detection> Process[modprobe] is trying to remove kernel module but does NOT have appropriate permissions!

Hi Mikhail,

There are two distinct issues:

On Tue, Jul 07, 2020 at 03:13:59PM +0200, Mikhail Morfikov wrote:
> I accidentally tested what would happen if I loaded the LKRG module and then
> blocked the sys_module capability (via AppArmor) for kmod. When I tried to
> unload some module via "modprobe -r -v sysdig-probe" in such situation, I
> got the following:
>
> kernel: [p_lkrg] <Exploit Detection> Process[modprobe] | 209106] is trying to remove kernel module but does NOT have appropriate permissions! Killing...
[...]
> kernel: [p_lkrg] <Exploit Detection> Trying to kill process[modprobe] | 209106]!

I had just started to discuss this aspect with Adam privately shortly
before your posting.

This is a result of a check we have in place to minimize the race window
for exploits that might overwrite capabilities. However, this visible
effect of it without any exploit activity might be a result of a
misunderstanding between Adam and me from back when we discussed this
implementation a long time ago. We might change things now as a result
of the renewed discussion we're having.

> kernel: BUG: kernel NULL pointer dereference, address: 0000000000000067

This is the LKRG bug I've just described in:

https://www.openwall.com/lists/lkrg-users/2020/07/07/4

> Should this happen? Is everything alright with it?

No, and no, but this was no longer news to us.

Alexander
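The thread shows that LKRG's "<Exploit Detection>" messages can fire on a legitimate tool (here modprobe) when a MAC policy such as AppArmor, rather than an exploit, has stripped CAP_SYS_MODULE. For anyone shipping these kernel messages into a log pipeline, the following is an added example (not code from the thread or from the LKRG project) that parses the two LKRG lines quoted above into structured events, groups the denial and the follow-up kill by PID, and flags denials against known module-management tools for a policy review. The MODULE_TOOLS set and the tolerant regex (which accepts both "Process[modprobe | 209106]" and the archive's "Process[modprobe] | 209106]" rendering) are assumptions made for this example; the sample log is constructed from the lines in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the two LKRG lines quoted in the thread plus the
# unrelated kernel BUG line, which the parser must ignore.
SAMPLE_LOG = """\
kernel: [p_lkrg] <Exploit Detection> Process[modprobe] | 209106] is trying to remove kernel module but does NOT have appropriate permissions! Killing...
kernel: [p_lkrg] <Exploit Detection> Trying to kill process[modprobe] | 209106]!
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000067
"""

# Tools that legitimately load/unload modules. A denial for one of these is
# worth checking against the MAC policy (AppArmor in the thread) before it is
# treated as exploit activity. This set is an assumption for the example.
MODULE_TOOLS = {"modprobe", "rmmod", "insmod", "kmod"}

_MARKER = "[p_lkrg] <Exploit Detection>"
# Accepts both "Process[modprobe | 209106]" and the archive's rendering
# "Process[modprobe] | 209106]" (stray bracket after the command name).
_PROC_RE = re.compile(r"process\[(?P<comm>[^\]|]+?)\]?\s*\|\s*(?P<pid>\d+)\]",
                      re.IGNORECASE)


@dataclass
class LkrgEvent:
    comm: str
    pid: int
    action: str          # "module_remove_denied", "kill" or "other"
    raw: str


@dataclass
class PidSummary:
    comm: str
    denied: bool = False
    killed: bool = False
    actions: List[str] = field(default_factory=list)

    def needs_policy_review(self) -> bool:
        # A module-management tool denied CAP_SYS_MODULE matches the AppArmor
        # situation from the thread rather than an exploit overwriting creds.
        return self.denied and self.comm in MODULE_TOOLS


def parse_line(line: str) -> Optional[LkrgEvent]:
    """Return an LkrgEvent for an LKRG exploit-detection line, else None."""
    if _MARKER not in line:
        return None
    m = _PROC_RE.search(line)
    if m is None:
        return None
    if "trying to remove kernel module" in line:
        action = "module_remove_denied"
    elif "Trying to kill" in line:
        action = "kill"
    else:
        action = "other"
    return LkrgEvent(comm=m.group("comm").strip(), pid=int(m.group("pid")),
                     action=action, raw=line.rstrip())


def parse_log(text: str) -> List[LkrgEvent]:
    """Parse every line of a kernel log excerpt, keeping only LKRG events."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def summarize(events: List[LkrgEvent]) -> Dict[int, PidSummary]:
    """Group events by PID so a denial and its follow-up kill are seen together."""
    out: Dict[int, PidSummary] = {}
    for ev in events:
        s = out.setdefault(ev.pid, PidSummary(comm=ev.comm))
        s.actions.append(ev.action)
        if ev.action == "module_remove_denied":
            s.denied = True
        elif ev.action == "kill":
            s.killed = True
    return out


if __name__ == "__main__":
    for pid, s in summarize(parse_log(SAMPLE_LOG)).items():
        flag = " (check MAC policy)" if s.needs_policy_review() else ""
        print(f"pid {pid} {s.comm}: denied={s.denied} killed={s.killed}{flag}")
```

Grouping by PID is what makes the pair of messages readable as one incident: a denial followed by a kill of the same PID is LKRG acting on its capability check, and when the command name is a module tool the first thing to verify is the AppArmor profile for kmod, as the thread describes, not an intrusion.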