Message-ID: <20250830052840.GA31011@openwall.com>
Date: Sat, 30 Aug 2025 07:28:40 +0200
From: Solar Designer <solar@...nwall.com>
To: lkrg-users@...ts.openwall.com
Subject: Testing for 1.0

Dear LKRG user community,

The current code in our git repo can be considered a release candidate
for LKRG 1.0, to be released real soon now. We'd greatly appreciate
more testing, and any results of such testing (both successes and
failures/issues) reported promptly.

GitHub repo:

https://github.com/lkrg-org/lkrg

"Issue" opened for tracking this testing effort:

https://github.com/lkrg-org/lkrg/issues/423

This release is about improved robustness, cleaning things up a bit,
speeding up a bit, and compatibility with more kernels/builds.
Hopefully, we'll proceed with more security features afterwards,
although even more cleanups are still badly needed as well.

Here's what we have right now:

The following major changes have been made since 0.9.9:

*) Support Linux 6.13+ by not hooking {override,revert}_creds() anymore, and
   limiting detection of cred pointer overwrite attacks on those kernels
*) To compensate for the above and as an enhancement on older kernels, check
   for cred pointer overwrites in certain other places where we did not before
*) Do not track those credentials that we currently do not validate anyway
*) Support (or rather be compatible with the kernel's use of) Intel CET IBT
   (CONFIG_X86_KERNEL_IBT) and/or KCFI (CONFIG_CFI_CLANG) for now on x86_64
*) Switch many hooks from kretprobes to simple kprobes for greater reliability
   and improved performance
*) Overhaul locking of per-task shadow data, using finer-grain locks
*) Improve performance of per-task shadow data lookups by making them lockless
*) Fix several lethal race conditions involving SECCOMP_FILTER_FLAG_TSYNC
*) Fix integrity violation misattribution to a wrong task when pint_enforce=0
*) Fix several integrity violation race conditions when pint_enforce=0
*) Fix race condition (possible NULL dereference) with namespace validation
*) Fix race condition on msr_validate sysctl changes as well as on transitions
   between profile_validate=4 and others
*) Make kprobes testing via LKRG's own dummy function hooking optional (works
   around issue seen on recent Gentoo)
*) Build and link the userspace logger tools with hardening flags, and pass
   distributions' RPM packaging hardening flags to the compiler and linker
*) lkrg-logctl: Support and report continuation lines (an extra one-character
   field indicating whether the line is a new message or a continuation)
*) lkrg-logger: Make logs group-readable

$ git diff v0.9.9 --shortstat
 143 files changed, 2180 insertions(+), 4569 deletions(-)

So quite a lot of changes (and I now see the above misses info on some
important ones, so may add), but LKRG became significantly smaller while
maintaining same functionality and a bit more.

Thank you!

Alexander