Message-ID: <76068f31-76ca-4186-9025-48dfd5be4a5c@h.wer.ee>
Date: Wed, 22 Apr 2026 22:58:00 -0700
From: h <h@...er.ee>
To: lkrg-users@...ts.openwall.com
Subject: Re: LKRG 1.0.1

I have been running lkrg from git via the lkrg-git AUR package on my
desktop, which gets used in both desktop and server roles, for a while
due to running into the issue with a solution described as "Fix possible
livelock when freezing inter-dependent tasks on LKRG load (was observed
with systemd-userd vs. proc-sys-fs-binfmt_misc.mount)" at one point.
Should I move to using a stable release of lkrg from now on until and
unless I encounter more issues, or is it appreciated to have people
running development builds in production?

On 4/22/26 10:43 PM, Solar Designer wrote:
> Hi,
>
> For those new to Linux Kernel Runtime Guard (LKRG), it is a kernel
> module that performs runtime integrity checking of the Linux kernel and
> detection of security vulnerability exploits against the kernel.
>
> We've just released LKRG 1.0.1, available on the LKRG project website:
>
> https://lkrg.org
>
> The following major changes have been made between LKRG 1.0.0 and 1.0.1:
>
> *) Support Linux 6.19+ (tested up to and including 7.0)
> *) Verify newly loaded modules do appear in the module list (catches e.g.
>    the Singularity rootkit hiding itself on load, stops it by kernel panic)
> *) Try harder at killing compromised tasks (beyond SIGKILL sent by usual
>    means, so e.g. Singularity's attempt to suppress SIGKILL doesn't help it)
> *) Replace inconsistent uses of notrace in the source files with removal of
>    trace-related CFLAGS in Makefile (so a rootkit can't place ftrace hooks on
>    LKRG functions, which an older revision of Singularity did)
> *) Fix possible livelock when freezing inter-dependent tasks on LKRG load
>    (was observed with systemd-userd vs. proc-sys-fs-binfmt_misc.mount)
> *) Fix possible use-after-free when accessing another task's shadow data on
>    kernels since 3.17 but below 4.20
> *) Fix possible sleeping-in-atomic on lkrg.msr_validate sysctl updates
> *) pCFI: Fix potential kernel stack out of bounds read (which didn't matter)
> *) Fix possible seccomp deadlock when a thread's off flag is corrupted (which
>    can't happen without another issue or kernel compromise)
>
> While 3 items above mention the recently publicized Singularity rootkit,
> which "bypassed" LKRG, addressing this wasn't directly relevant for LKRG
> yet. That's because LKRG is not currently meant to protect against
> kernel modules loaded by legitimate-looking root user, who could simply
> unload or reconfigure LKRG first (although doing so logs a message,
> including to a remote server if configured). Rather, we took this
> opportunity and used Singularity as our reminder and test suite to
> identify areas for general hardening of LKRG, and to test such hardening
> changes. This may also become directly relevant later, such as if we
> add unload and reconfiguration protection.
>
> I'd like to thank Matheu for creating and maintaining our new test
> suite, Singularity. I see it has already been further updated two days
> ago, which may give us more ideas for hardening. We keep track of these
> in a GitHub issue:
>
> https://github.com/lkrg-org/lkrg/issues/455
>
> There's not much change in codebase size this time:
>
> $ git diff --shortstat v1.0.0..v1.0.1
> 39 files changed, 441 insertions(+), 155 deletions(-)
>
> The changes this time are by the following people:
>
> $ git shortlog -sn v1.0.0..v1.0.1
> 16 Solar Designer
> 8 Adam 'pi3' Zabrocki
> 8 Sultan Alsawaf
> 1 Vitaly Chikunov
>
> So just our current development team.
>
> I'd like to credit CIQ for supporting my and Sultan's work towards this
> release.
>
> We've already updated the Rocky Linux SIG/Security package of LKRG to
> this new release, and our tested builds for 9.7 and 8.10 are about to be
> pushed out to the public, along with a pending edit of the wiki:
>
> https://sig-security.rocky.page
>
> This may take a day or two to become fully available.
>
> Rocky Linux SIG/Security yum/dnf repository and LKRG packages are also
> usable on other Enterprise Linux distributions (AlmaLinux 8 and 9, RHEL
> 8 and 9, etc.)
>
> Alexander