Message-ID: <20200708133807.GA8575@openwall.com>
Date: Wed, 8 Jul 2020 15:38:07 +0200
From: Solar Designer <solar@...nwall.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: <Exploit Detection> Process[modprobe] is trying to remove kernel module but does NOT have appropriate permissions!
On Tue, Jul 07, 2020 at 07:31:15PM +0200, Solar Designer wrote:
> On Tue, Jul 07, 2020 at 03:13:59PM +0200, Mikhail Morfikov wrote:
> > I accidentally tested what would happen if I loaded the LKRG module and then
> > blocked the sys_module capability (via AppArmor) for kmod. When I tried to
> > unload some module via "modprobe -r -v sysdig-probe" in such situation, I
> > got the following:
> >
> > kernel: [p_lkrg] <Exploit Detection> Process[modprobe] | 209106] is trying to remove kernel module but does NOT have appropriate permissions! Killing...
> [...]
> > kernel: [p_lkrg] <Exploit Detection> Trying to kill process[modprobe] | 209106]!
>
> I had just started to discuss this aspect with Adam privately shortly
> before your posting. This is a result of a check we have in place to
> minimize the race window for exploits that might overwrite capabilities.
> However, this visible effect of it without any exploit activity might be
> a result of a misunderstanding between Adam and me from back when we
> discussed this implementation a long time ago. We might change things
> now as a result of the renewed discussion we're having.
These messages will be gone with the below commit I've just pushed:

commit ccd71872c5f767b418ffd40b6c113c4ee455df03
Author: Solar Designer <solar@...nwall.com>
Date:   Wed Jul 8 15:26:20 2020 +0200

    Drop init_module() and delete_module() syscall hooks

It's my first direct commit to there (not going via Adam). I went ahead
and did this because we had agreed with Adam that the delete_module()
hooks were no longer needed much now that we hook capable(), and the
init_module() ones are similar in this respect.
Patrick might be unhappy that this commit isn't signed, but it only
deletes lines without adding anything, and I expect we'll only make
cosmetic and documentation changes before pushing out 0.8.1 shortly.
Adam's availability these days is limited, so I have to substitute for
him in finishing this bug fix release.
We'd appreciate testing of LKRG with the above commit included - install
on the system, reboot it, etc. I expect no issues, but that's no reason
to skip testing.
Alexander