Date: Wed, 8 Jul 2020 16:21:47 +0200
From: Mikhail Morfikov <mmorfikov@...il.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: <Exploit Detection> Process[modprobe] is trying to remove kernel module but does NOT have appropriate permissions!

On 08/07/2020 15.38, Solar Designer wrote:
>
> These messages will be gone with the below commit I've just pushed:
>
> commit ccd71872c5f767b418ffd40b6c113c4ee455df03
> Author: Solar Designer <solar@...nwall.com>
> Date: Wed Jul 8 15:26:20 2020 +0200
>
> Drop init_module() and delete_module() syscall hooks
>
> ...
>
> We'd appreciate testing of LKRG with the above commit included - install
> on the system, reboot it, etc. I expect no issues, but that's no reason
> to skip testing.
>

It looks like it works well now. With the sys_module CAP blocked for kmod, I get:

# modprobe -r -v p_lkrg
rmmod p_lkrg
modprobe: ERROR: ../libkmod/libkmod-module.c:799 kmod_module_remove_module() could not remove 'p_lkrg': Operation not permitted

And in the syslog I have just:

kernel: audit: type=1400 audit(1594217867.451:16126): apparmor="DENIED" operation="capable" profile="kmod" pid=837012 comm="modprobe" capability=16 capname="sys_module"