Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 23 Aug 2022 21:27:38 +0200
From: Solar Designer <solar@...nwall.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: how to guard a kernel module

Hi,

On Tue, Aug 23, 2022 at 10:20:13AM +0800, ??????(??????) wrote:
> I have a security related module , which is compiled as CONFIG_XYZ=m. And I want to monitor and guard it with LKRG, just as that LKRG guards SELinux and Seccomp.
> I added some codes to LKRG , and wrapped them by #ifdef CONFIG_XYZ ... #endif, but this seemed to not work.

If you integrated your module into the kernel tree and are building LKRG
against kernel headers from that configured tree, it should work.
Otherwise, it should not.  Your "seemed to not work" is non-specific -
does the code within the #ifdef CONFIG_XYZ ... #endif get compiled at
all?  You can test by temporarily introducing a #error in there.

> I also tried if(!strcmp(CONFIG_XYZ, "m")), but error occurred

Of course.  This shouldn't work.

> as "error: 'CONFIG_XYZ' undeclared (first use in this function);".

While the above was very wrong and shouldn't have worked anyway, the
specific error message tells us that CONFIG_XYZ was also not defined as
a preprocessor macro, which it should have been.  (If it were, the error
or maybe warning message here would have been different.)

My best guess is you're not building LKRG against the right kernel
headers, or they're from a non-configured kernel tree.

> Maybe this issue has little to do with LKRG, and I am sorry if bothering you.

Yes, the above has almost nothing to do with LKRG.

> Any suggestion is very appreciated.

LKRG protects other modules' code and read-only data on its own.  As to
also protecting your module's global variables - which you seem to want,
given your examples - you could instead introduce a usually-read-only
page within your module, similar to LKRG's "p_ro".  Then your module can
protect it to the same extent that LKRG protects its.  However, you
might find implementing a usually-read-only page like that, and doing it
right, too difficult.  So this is just to give you an alternative.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.