Date: Tue, 7 Jul 2020 19:31:15 +0200
From: Solar Designer <solar@...nwall.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: <Exploit Detection> Process[modprobe] is trying to remove kernel module but does NOT have appropriate permissions!

Hi Mikhail,

There are two distinct issues:

On Tue, Jul 07, 2020 at 03:13:59PM +0200, Mikhail Morfikov wrote:
> I accidentally tested what would happen if I loaded the LKRG module and then
> blocked the sys_module capability (via AppArmor) for kmod. When I tried to 
> unload some module via "modprobe -r -v sysdig-probe" in such situation, I
> got the following:
> 
> kernel: [p_lkrg] <Exploit Detection> Process[modprobe] | 209106] is trying to remove kernel module but does NOT have appropriate permissions! Killing...
[...]
> kernel: [p_lkrg] <Exploit Detection> Trying to kill process[modprobe] | 209106]!

I had just started to discuss this aspect with Adam privately shortly
before your posting.  This is a result of a check we have in place to
minimize the race window for exploits that might overwrite capabilities.
However, this visible effect of it without any exploit activity might be
a result of a misunderstanding between Adam and me from back when we
discussed this implementation a long time ago.  We might change things
now as a result of the renewed discussion we're having.

> kernel: BUG: kernel NULL pointer dereference, address: 0000000000000067

This is the LKRG bug I've just described in:

https://www.openwall.com/lists/lkrg-users/2020/07/07/4

> Should this happen? Is everything alright with it?

No, and no, but this was no longer news to us.

Alexander
