Date: Wed, 8 Jul 2020 15:38:07 +0200 From: Solar Designer <solar@...nwall.com> To: lkrg-users@...ts.openwall.com Subject: Re: <Exploit Detection> Process[modprobe] is trying to remove kernel module but does NOT have appropriate permissions! On Tue, Jul 07, 2020 at 07:31:15PM +0200, Solar Designer wrote: > On Tue, Jul 07, 2020 at 03:13:59PM +0200, Mikhail Morfikov wrote: > > I accidentally tested what would happen if I loaded the LKRG module and then > > blocked the sys_module capability (via AppArmor) for kmod. When I tried to > > unload some module via "modprobe -r -v sysdig-probe" in such situation, I > > > > got the following: > > > > kernel: [p_lkrg] <Exploit Detection> Process[modprobe] | 209106] is trying to remove kernel module but does NOT have appropriate permissions! Killing... > [...] > > kernel: [p_lkrg] <Exploit Detection> Trying to kill process[modprobe] | 209106]! > > I had just started to discuss this aspect with Adam privately shortly > before your posting. This is a result of a check we have in place to > minimize the race window for exploits that might overwrite capabilities. > However, this visible effect of it without any exploit activity might be > a result of a misunderstanding between Adam and me from back when we > discussed this implementation a long time ago. We might change things > now as a result of the renewed discussion we're having. These messages will be gone with the below commit I've just pushed: commit ccd71872c5f767b418ffd40b6c113c4ee455df03 Author: Solar Designer <solar@...nwall.com> Date: Wed Jul 8 15:26:20 2020 +0200 Drop init_module() and delete_module() syscall hooks It's my first direct commit to there (not going via Adam). I went ahead and did this because we had agreed with Adam that the delete_module() hooks were no longer needed much now that we hook capable(), and the init_module() ones are similar in this respect. Patrick might be unhappy that this commit isn't signed, but it only deletes lines without adding anything, and I expect we'll only make cosmetic and documentation changes before pushing out 0.8.1 shortly. Adam's availability these days is limited, so I have to substitute for him in finishing this bug fix release. We'd appreciate testing of LKRG with the above commit included - install on the system, reboot it, etc. I expect no issues, but that no reason to skip testing. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.