Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 14 Dec 2022 17:46:07 +0100
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, lkrg-users@...ts.openwall.com
Subject: LKRG 0.9.6

Hi,

For those new to Linux Kernel Runtime Guard (LKRG), it is a kernel
module that performs runtime integrity checking of the Linux kernel and
detection of security vulnerability exploits against the kernel.

We've just released LKRG 0.9.6, available on the LKRG project website:

https://lkrg.org

The following major changes have been made between LKRG 0.9.5 and 0.9.6:

 *) Support new mainline kernels 6.1-rc*, 6.1, and hopefully beyond
 *) Support kernels 5.19 and beyond on AArch64
 *) Support new RHEL 8.6 update and RHEL 8.7 kernels
 *) Support new CentOS Stream 9 aka upcoming RHEL 9.2 kernels
 *) Add a couple of distros' default pathnames to usermodehelper allow list
 *) Validate tasks' real UIDs/GIDs even when effective ones pass validation
    (previously, this check was normally bypassed as an optimization)
 *) Add synchronization logic around sysctl updates and other module (un)loads
    (previously, some concurrent events of this sort could lead to a crash on
    attempting to write to our read-only page)
 *) Test whether kretprobes work correctly at LKRG loading time and re-test
    periodically (previously, LKRG would only detect disabling of kretprobes
    after it's loaded, and only indirectly - through kernel code hash changes)
 *) Set kretprobes' maxactive based on actual number of possible logical CPUs
    (previously, we used a hard-coded value, which would more likely result in
    missed hook function invocations on systems with more CPUs)
 *) Continuous Integration updates, including testing on AArch64

We are lucky that our previous release, LKRG 0.9.5, worked as-is on
newer mainline kernels up to 6.0 on x86-64.  However, for compatibility
with 6.1-rc* and beyond we had to make changes.  Also, we found we had
overlooked a compatibility issue with 5.19+ on AArch64, now addressed.

Overall, the changes this time are not very extensive, although they
span a lot of the source files:

$ git diff --shortstat v0.9.5..v0.9.6
 73 files changed, 352 insertions(+), 207 deletions(-)

They are by the following people:

$ git shortlog -sn v0.9.5..v0.9.6
     9  Solar Designer
     4  Adam 'pi3' Zabrocki
     2  Vitaly Chikunov
     2  Vladimir D. Seleznev
     2  redp
     1  mrl5

In related news, LKRG is now packaged in Guix and NixOS.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.