Message-ID: <20180205225058.GA4444@pi3.com.pl>
Date: Mon, 5 Feb 2018 23:50:58 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: LKRG Debian jessie
Hi,
On Mon, Feb 05, 2018 at 06:01:31PM +0100, Xavier Sheperd wrote:
> Hi guys,
>
> Thank you for all the hard work you put in this project.
>
Thank you for your appreciation :)
> I'm trying to install LKRG on a Debian Jessie machine with these specs (some
> output stripped):
> # uname -a
> Linux marcelini 3.16.0-5-amd64 #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) x86_64 GNU/Linux
>
> # cat /etc/os-release
> PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
> NAME="Debian GNU/Linux"
> VERSION_ID="8"
> VERSION="8 (jessie)"
>
> # gcc --version
> gcc (Debian 4.9.2-10) 4.9.2
>
Debian is using a very stripped kernel and a lot of functionality is not exposed
even to the kernel modules (like LKRG is). Their kernel is pretty hard to work
on but it is possible to customize LKRG and force it to run.
> On first attempt the module compiles but it fails to load, yielding the
> message:
>
> p_lkrg: Unknown symbol usb_unregister_notify (err 0)
> p_lkrg: Unknown symbol usb_register_notify (err 0)
>
> After removing the calls to usb_register_notify and usb_unregister_notify[0],
> the module builds with a warning[1] and I get a "Can't find 'selinux_enforcing'
> variable" error[2].
>
> Any hints are greatly appreciated.
>
> Xavier
>
Some of the notifiers are being removed from the kernel (or at least symbols)
by custom distro patches but without changing the #ifdef definitions. One of
the examples could be not exposing SELinux variables but still keeping #ifdef
SELINUX untouched. This is what happened in your case. The same might happen to
the USB notifiers and you did the correct work to 'mask' them.
It looks like you're using the experimental branch and as the branch name says it's
'experimental' so please take this into account ;-) Some of the recent "main"
branch changes I didn't have time to backport into the "experimental" branch yet.
But this is on my TODO list.
I've prepared a very 'hacky' patch for LKRG which should work on Debian 8 but I
won't give any warranty for it. But you can use it to play with the LKRG
experimental branch. I believe if you could switch to a different distro which does
not use as stripped a kernel you won't have as many problems. The 'hackish' patch
comments out these symbols which my Debian instance doesn't see and extracts the
necessary metadata from the LKRG module itself to force it to run under the Debian
kernel even though they don't expose what LKRG requires (but they should!).
Please find the hacky patch in the attachment and apply it on top of your
changes.
Thanks,
Adam
> [0] usb_notifier.patch
> [1] build.log
> [2] kern.log
> make -C /lib/modules/3.16.0-5-amd64/build M=/root/lkrg-experimental modules
> make[1]: Entering directory '/usr/src/linux-headers-3.16.0-5-amd64'
> make[1]: Entering directory `/usr/src/linux-headers-3.16.0-5-amd64'
> CC [M] /root/lkrg-experimental/src/modules/ksyms/p_resolve_ksym.o
> CC [M] /root/lkrg-experimental/src/modules/hashing/p_crypto_sha1.o
> CC [M] /root/lkrg-experimental/src/modules/hashing/p_lkrg_fast_hash.o
> CC [M] /root/lkrg-experimental/src/modules/wrap/p_struct_wrap.o
> CC [M] /root/lkrg-experimental/src/modules/integrity_timer/p_integrity_timer.o
> CC [M] /root/lkrg-experimental/src/modules/kmod/p_kmod.o
> CC [M] /root/lkrg-experimental/src/modules/database/CPU.o
> CC [M] /root/lkrg-experimental/src/modules/database/arch/x86/IDT_MSR_CRx.o
> CC [M] /root/lkrg-experimental/src/modules/database/p_database.o
> CC [M] /root/lkrg-experimental/src/modules/notifiers/p_notifiers.o
> CC [M] /root/lkrg-experimental/src/modules/self-defense/hiding/p_hiding.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/p_rb_trees/p_rb_pids/p_rb_pids_tree.o
> /root/lkrg-experimental/src/modules/notifiers/p_notifiers.c:90:30: warning: ‘p_usb_notifier_nb’ defined but not used [-Wunused-variable]
> static struct notifier_block p_usb_notifier_nb = {
> ^
> CC [M] /root/lkrg-experimental/src/modules/protected_features/p_rb_trees/p_rb_inodes/p_rb_inodes_tree.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/p_rb_trees/p_rb_p_inodes/p_rb_p_inodes_tree.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/p_sys_ptrace/p_sys_ptrace.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/p_sys_execve/p_sys_execve.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/p_sys_execveat/p_sys_execveat.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/p_do_exit/p_do_exit.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/p_do_fork/p_do_fork.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/p_signal_wrappers/p_sys_tgkill/p_sys_tgkill.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/p_signal_wrappers/p_sys_tkill/p_sys_tkill.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/p_signal_wrappers/p_sys_kill/p_sys_kill.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/p_signal_wrappers/p_sys_rt_sigqueueinfo/p_sys_rt_sigqueueinfo.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/p_signal_wrappers/p_sys_rt_tgsigqueueinfo/p_sys_rt_tgsigqueueinfo.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/protected_files_func/p_may_open/p_may_open.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/protected_process_func/p_write_enabled_file_bool/p_write_enabled_file_bool.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/protected_process_func/p_process_vm_rw/p_process_vm_rw.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/protected_process_func/p_kprobe_seq_start/p_kprobe_seq_start.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/compat/p_compat_sys_execve/p_compat_sys_execve.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/compat/p_compat_sys_execveat/p_compat_sys_execveat.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/compat/p_compat_sys_ptrace/p_compat_sys_ptrace.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/compat/p_compat_process_vm_rw/p_compat_process_vm_rw.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/compat/p_compat_sys_rt_sigqueueinfo/p_compat_sys_rt_sigqueueinfo.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/syscalls/compat/p_compat_sys_rt_tgsigqueueinfo/p_compat_sys_rt_tgsigqueueinfo.o
> CC [M] /root/lkrg-experimental/src/modules/protected_features/p_protected_API.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_sys_setuid/p_sys_setuid.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_sys_setreuid/p_sys_setreuid.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_sys_setresuid/p_sys_setresuid.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_sys_setfsuid/p_sys_setfsuid.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_sys_setgid/p_sys_setgid.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_sys_setregid/p_sys_setregid.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_sys_setresgid/p_sys_setresgid.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_sys_setfsgid/p_sys_setfsgid.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_sys_setgroups/p_sys_setgroups.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_do_init_module/p_do_init_module.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_sys_finit_module/p_sys_finit_module.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_sys_delete_module/p_sys_delete_module.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_sel_write_enforce/p_sel_write_enforce.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_seccomp/p_seccomp.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_sys_unshare/p_sys_unshare.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/p_userns_install/p_userns_install.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/caps/p_sys_capset/p_sys_capset.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/caps/p_cap_task_prctl/p_cap_task_prctl.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/keyring/p_lookup_user_key/p_lookup_user_key.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/keyring/p_key_change_session_keyring/p_key_change_session_keyring.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/keyring/p_sys_keyctl/p_sys_keyctl.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/syscalls/compat/p_compat_sys_keyctl/p_compat_sys_keyctl.o
> CC [M] /root/lkrg-experimental/src/modules/exploit_detection/p_exploit_detection.o
> CC [M] /root/lkrg-experimental/src/p_lkrg_main.o
> LD [M] /root/lkrg-experimental/p_lkrg.o
> Building modules, stage 2.
> MODPOST 1 modules
> CC /root/lkrg-experimental/p_lkrg.mod.o
> LD [M] /root/lkrg-experimental/p_lkrg.ko
> make[1]: Leaving directory '/usr/src/linux-headers-3.16.0-5-amd64'
> make -C /lib/modules/3.16.0-5-amd64/build M=/root/lkrg-experimental/src/modules/kmod/client/kmod modules
> make[1]: Entering directory '/usr/src/linux-headers-3.16.0-5-amd64'
> make[1]: Entering directory `/usr/src/linux-headers-3.16.0-5-amd64'
> CC [M] /root/lkrg-experimental/src/modules/kmod/client/kmod/src/p_lkrg_cli.o
> LD [M] /root/lkrg-experimental/src/modules/kmod/client/kmod/p_lkrg_kmod_cli.o
> Building modules, stage 2.
> MODPOST 1 modules
> CC /root/lkrg-experimental/src/modules/kmod/client/kmod/p_lkrg_kmod_cli.mod.o
> LD [M] /root/lkrg-experimental/src/modules/kmod/client/kmod/p_lkrg_kmod_cli.ko
> make[1]: Leaving directory '/usr/src/linux-headers-3.16.0-5-amd64'
> gcc -Wall -ggdb src/modules/kmod/client/cli/p_lkrg-client.c -o p_lkrg-client
> mkdir -p "output/client/cli"
> mkdir -p "output/client/kmod"
> mv /root/lkrg-experimental/p_lkrg.ko "output"
> mv /root/lkrg-experimental/p_lkrg-client "output/client/cli"
> mv /root/lkrg-experimental/src/modules/kmod/client/kmod/"p_lkrg_kmod_cli.ko" "output/client/kmod"
> Feb 5 15:28:19 marcelini kernel: [53511532.800445] [p_lkrg] Loading LKRG...
> Feb 5 15:28:19 marcelini kernel: [53511532.801229] [p_lkrg] Entering function <get_kallsyms_address>
> Feb 5 15:28:19 marcelini kernel: [53511532.802563] [p_lkrg] kallsyms_on_each_symbol() returned => 0x810dc4f0
> Feb 5 15:28:19 marcelini kernel: [53511532.803216] [p_lkrg] Leaving function <get_kallsyms_address> (p_ret => 0)
> Feb 5 15:28:19 marcelini kernel: [53511532.803902] [p_lkrg] Entering function <p_exploit_detection_init>
> Feb 5 15:28:19 marcelini kernel: [53511532.811517] [p_lkrg] [ED] ERROR: Can't find 'selinux_enforcing' variable :( Exiting...
> Feb 5 15:28:19 marcelini kernel: [53511532.812192] [p_lkrg] Leaving function <p_exploit_detection_init> (p_ret => -1)
> Feb 5 15:28:19 marcelini kernel: [53511532.812858] [p_lkrg] Can't initialize exploit detection features! Exiting...
> Feb 5 15:28:19 marcelini kernel: [53511532.813524] [p_lkrg] Entering function <p_protected_features_exit>
> Feb 5 15:28:19 marcelini kernel: [53511532.814196] [p_lkrg] Entering function <p_uninstall_sys_ptrace_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.814852] [p_lkrg] [kretprobe] <sys_ptrace> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.814853] [p_lkrg] Leaving function <p_uninstall_sys_ptrace_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.815531] [p_lkrg] Entering function <p_uninstall_sys_execve_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.816185] [p_lkrg] [kretprobe] <sys_execve> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.816187] [p_lkrg] Leaving function <p_uninstall_sys_execve_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.816835] [p_lkrg] Entering function <p_uninstall_do_exit_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.817481] [p_lkrg] [kretprobe] <do_exit> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.817482] [p_lkrg] Leaving function <p_uninstall_do_exit_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.818135] [p_lkrg] Entering function <p_uninstall_do_fork_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.818780] [p_lkrg] [kretprobe] <do_fork> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.818782] [p_lkrg] Leaving function <p_uninstall_do_fork_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.819424] [p_lkrg] Entering function <p_uninstall_sys_tgkill_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.820093] [p_lkrg] [kretprobe] <sys_tgkill> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.820095] [p_lkrg] Leaving function <p_uninstall_sys_tgkill_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.820739] [p_lkrg] Entering function <p_uninstall_sys_tkill_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.821386] [p_lkrg] [kretprobe] <sys_tkill> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.821387] [p_lkrg] Leaving function <p_uninstall_sys_tkill_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.822025] [p_lkrg] Entering function <p_uninstall_sys_kill_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.822658] [p_lkrg] [kretprobe] <sys_kill> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.822659] [p_lkrg] Leaving function <p_uninstall_sys_kill_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.823289] [p_lkrg] Entering function <p_uninstall_sys_rt_sigqueueinfo_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.823953] [p_lkrg] [kretprobe] <sys_rt_sigqueueinfo> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.823954] [p_lkrg] Leaving function <p_uninstall_sys_rt_sigqueueinfo_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.824592] [p_lkrg] Entering function <p_uninstall_sys_rt_tgsigqueueinfo_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.825227] [p_lkrg] [kretprobe] <sys_rt_tgsigqueueinfo> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.825228] [p_lkrg] Leaving function <p_uninstall_sys_rt_tgsigqueueinfo_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.825862] [p_lkrg] Entering function <p_uninstall_may_open_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.826490] [p_lkrg] [kretprobe] <may_open> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.826491] [p_lkrg] Leaving function <p_uninstall_may_open_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.827126] [p_lkrg] Entering function <p_uninstall_write_enabled_file_bool_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.827783] [p_lkrg] [kretprobe] <write_enabled_file_bool> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.827785] [p_lkrg] Leaving function <p_uninstall_write_enabled_file_bool_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.828422] [p_lkrg] Entering function <p_uninstall_process_vm_rw_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.829057] [p_lkrg] [kretprobe] <process_vm_rw> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.829058] [p_lkrg] Leaving function <p_uninstall_process_vm_rw_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.829695] [p_lkrg] Entering function <p_uninstall_compat_sys_execve_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.830352] [p_lkrg] [kretprobe] <compat_sys_execve> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.830353] [p_lkrg] Leaving function <p_uninstall_compat_sys_execve_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.831013] [p_lkrg] Entering function <p_uninstall_compat_sys_ptrace_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.831693] [p_lkrg] [kretprobe] <compat_sys_ptrace> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.831695] [p_lkrg] Leaving function <p_uninstall_compat_sys_ptrace_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.832355] [p_lkrg] Entering function <p_uninstall_compat_process_vm_rw_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.833019] [p_lkrg] [kretprobe] <compat_process_vm_rw> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.833020] [p_lkrg] Leaving function <p_uninstall_compat_process_vm_rw_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.833686] [p_lkrg] Entering function <p_uninstall_compat_sys_rt_sigqueueinfo_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.834366] [p_lkrg] [kretprobe] <compat_sys_rt_sigqueueinfo> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.834368] [p_lkrg] Leaving function <p_uninstall_compat_sys_rt_sigqueueinfo_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.835042] [p_lkrg] Entering function <p_uninstall_compat_sys_rt_tgsigqueueinfo_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.835749] [p_lkrg] [kretprobe] <compat_sys_rt_tgsigqueueinfo> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.835755] [p_lkrg] Leaving function <p_uninstall_compat_sys_rt_tgsigqueueinfo_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.836434] [p_lkrg] Entering function <p_delete_rb_pids>
> Feb 5 15:28:19 marcelini kernel: [53511532.837103] [p_lkrg] Leaving function <p_delete_rb_pids>
> Feb 5 15:28:19 marcelini kernel: [53511532.837766] [p_lkrg] kmem_cache "protected_pids" destroyed!
> Feb 5 15:28:19 marcelini kernel: [53511532.837767] [p_lkrg] Entering function <p_delete_rb_inodes>
> Feb 5 15:28:19 marcelini kernel: [53511532.838442] [p_lkrg] Leaving function <p_delete_rb_inodes>
> Feb 5 15:28:19 marcelini kernel: [53511532.839107] [p_lkrg] kmem_cache "protected_inodes" destroyed!
> Feb 5 15:28:19 marcelini kernel: [53511532.839108] [p_lkrg] Entering function <p_delete_rb_p_inodes>
> Feb 5 15:28:19 marcelini kernel: [53511532.839796] [p_lkrg] Leaving function <p_delete_rb_p_inodes>
> Feb 5 15:28:19 marcelini kernel: [53511532.840459] [p_lkrg] kmem_cache "protected_p_inodes" destroyed!
> Feb 5 15:28:19 marcelini kernel: [53511532.840460] [p_lkrg] Leaving function <p_protected_features_exit>
> Feb 5 15:28:19 marcelini kernel: [53511532.841124] [p_lkrg] Entering function <p_exploit_detection_exit>
> Feb 5 15:28:19 marcelini kernel: [53511532.841780] [p_lkrg] Entering function <p_uninstall_sys_setuid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.842430] [p_lkrg] [kretprobe] <sys_setuid> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.842431] [p_lkrg] Leaving function <p_uninstall_sys_setuid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.843090] [p_lkrg] Entering function <p_uninstall_sys_setreuid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.843769] [p_lkrg] [kretprobe] <sys_setreuid> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.843770] [p_lkrg] Leaving function <p_uninstall_sys_setreuid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.844424] [p_lkrg] Entering function <p_uninstall_sys_setresuid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.845082] [p_lkrg] [kretprobe] <sys_setresuid> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.845083] [p_lkrg] Leaving function <p_uninstall_sys_setresuid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.845741] [p_lkrg] Entering function <p_uninstall_sys_setfsuid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.846409] [p_lkrg] [kretprobe] <sys_setfsuid> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.846411] [p_lkrg] Leaving function <p_uninstall_sys_setfsuid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.847072] [p_lkrg] Entering function <p_uninstall_sys_setgid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.847753] [p_lkrg] [kretprobe] <sys_setgid> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.847755] [p_lkrg] Leaving function <p_uninstall_sys_setgid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.848412] [p_lkrg] Entering function <p_uninstall_sys_setregid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.849065] [p_lkrg] [kretprobe] <sys_setregid> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.849066] [p_lkrg] Leaving function <p_uninstall_sys_setregid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.849725] [p_lkrg] Entering function <p_uninstall_sys_setresgid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.850375] [p_lkrg] [kretprobe] <sys_setresgid> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.850376] [p_lkrg] Leaving function <p_uninstall_sys_setresgid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.851038] [p_lkrg] Entering function <p_uninstall_sys_setfsgid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.851716] [p_lkrg] [kretprobe] <sys_setfsgid> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.851718] [p_lkrg] Leaving function <p_uninstall_sys_setfsgid_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.852349] [p_lkrg] Entering function <p_uninstall_sys_setgroups_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.852997] [p_lkrg] [kretprobe] <sys_setgroups> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.853006] [p_lkrg] Leaving function <p_uninstall_sys_setgroups_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.853646] [p_lkrg] Entering function <p_uninstall_do_init_module_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.854286] [p_lkrg] [kretprobe] <sys_init_module> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.854288] [p_lkrg] Leaving function <p_uninstall_do_init_module_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.854925] [p_lkrg] Entering function <p_uninstall_sys_finit_module_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.855587] [p_lkrg] [kretprobe] <sys_finit_module> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.855589] [p_lkrg] Leaving function <p_uninstall_sys_finit_module_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.856227] [p_lkrg] Entering function <p_uninstall_sys_delete_module_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.856863] [p_lkrg] [kretprobe] <sys_delete_module> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.856864] [p_lkrg] Leaving function <p_uninstall_sys_delete_module_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.857499] [p_lkrg] Entering function <p_uninstall_sel_write_enforce_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.858139] [p_lkrg] [kretprobe] <sel_write_enforce> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.858141] [p_lkrg] Leaving function <p_uninstall_sel_write_enforce_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.858769] [p_lkrg] Entering function <p_uninstall_seccomp_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.859391] [p_lkrg] [kretprobe] <prctl_set_seccomp> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.859392] [p_lkrg] Leaving function <p_uninstall_seccomp_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.860024] [p_lkrg] Entering function <p_uninstall_sys_unshare_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.860644] [p_lkrg] [kretprobe] <sys_unshare> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.860645] [p_lkrg] Leaving function <p_uninstall_sys_unshare_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.861269] [p_lkrg] Entering function <p_uninstall_userns_install_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.861898] [p_lkrg] [kretprobe] <userns_install> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.861899] [p_lkrg] Leaving function <p_uninstall_userns_install_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.862523] [p_lkrg] Entering function <p_uninstall_sys_capset_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.863149] [p_lkrg] [kretprobe] <sys_capset> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.863149] [p_lkrg] Leaving function <p_uninstall_sys_capset_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.863801] [p_lkrg] Entering function <p_uninstall_cap_task_prctl_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.864441] [p_lkrg] [kretprobe] <cap_task_prctl> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.864442] [p_lkrg] Leaving function <p_uninstall_cap_task_prctl_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.865083] [p_lkrg] Entering function <p_uninstall_lookup_user_key_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.865734] [p_lkrg] [kretprobe] <lookup_user_key> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.865735] [p_lkrg] Leaving function <p_uninstall_lookup_user_key_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.866393] [p_lkrg] Entering function <p_uninstall_key_change_session_keyring_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.867052] [p_lkrg] [kretprobe] <key_change_session_keyring> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.867054] [p_lkrg] Leaving function <p_uninstall_key_change_session_keyring_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.867740] [p_lkrg] Entering function <p_uninstall_sys_keyctl_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.868405] [p_lkrg] [kretprobe] <sys_keyctl> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.868406] [p_lkrg] Leaving function <p_uninstall_sys_keyctl_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.869074] [p_lkrg] Entering function <p_uninstall_compat_sys_keyctl_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.869742] [p_lkrg] [kretprobe] <compat_sys_keyctl> at 0x (null) is NOT installed
> Feb 5 15:28:19 marcelini kernel: [53511532.869743] [p_lkrg] Leaving function <p_uninstall_compat_sys_keyctl_hook>
> Feb 5 15:28:19 marcelini kernel: [53511532.870420] [p_lkrg] Entering function <p_delete_rb_ed_pids>
> Feb 5 15:28:19 marcelini kernel: [53511532.871094] [p_lkrg] Leaving function <p_delete_rb_ed_pids>
> Feb 5 15:28:19 marcelini kernel: [53511532.871780] [p_lkrg] kmem_cache "p_ed_pids" destroyed!
> Feb 5 15:28:19 marcelini kernel: [53511532.871782] [p_lkrg] Leaving function <p_exploit_detection_exit>
> Feb 5 15:28:19 marcelini kernel: [53511532.872469] [p_lkrg] Entering function <p_offload_cache_delete>
> Feb 5 15:28:19 marcelini kernel: [53511532.873571] [p_lkrg] Leaving function <p_offload_cache_delete>
> diff --git a/src/modules/notifiers/p_notifiers.c b/src/modules/notifiers/p_notifiers.c
> index b5aab58..e02a13d 100644
> --- a/src/modules/notifiers/p_notifiers.c
> +++ b/src/modules/notifiers/p_notifiers.c
> @@ -118,7 +118,6 @@ void p_register_notifiers(void) {
> task_handoff_register(&p_taskfree_notifier_nb);
> profile_event_register(PROFILE_TASK_EXIT, &p_profile_event_exit_notifier_nb);
> profile_event_register(PROFILE_MUNMAP, &p_profile_event_munmap_notifier_nb);
> - usb_register_notify(&p_usb_notifier_nb);
> register_acpi_notifier(&p_acpi_notifier_nb);
>
>
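Review bot: removing the `usb_register_notify(&p_usb_notifier_nb);` call while leaving the `p_usb_notifier_nb` notifier_block defined is exactly what produces the `-Wunused-variable` warning in the attached build log; wrap the block definition and this call in the same preprocessor conditional (one that is only set on kernels that export the USB notifier symbols) so the USB notifier keeps working where the symbols exist and the warning disappears where they do not.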
> @@ -348,7 +347,6 @@ void p_deregister_notifiers(void) {
> task_handoff_unregister(&p_taskfree_notifier_nb);
> profile_event_unregister(PROFILE_TASK_EXIT, &p_profile_event_exit_notifier_nb);
> profile_event_unregister(PROFILE_MUNMAP, &p_profile_event_munmap_notifier_nb);
> - usb_unregister_notify(&p_usb_notifier_nb);
> unregister_acpi_notifier(&p_acpi_notifier_nb);
>
> // STRONG_DEBUG
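Review bot: the unregister side is removed in step with the register side, which is the right pairing (a notifier left registered after the module is unloaded would have the kernel calling into freed module memory); put `usb_unregister_notify` under the same conditional as `usb_register_notify` so the two cannot diverge in a later edit.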
--
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl
View attachment "p_debian_weirdness.diff" of type "text/plain" (10340 bytes)
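Adam's explanation above (symbols removed from Debian's kernel without the `#ifdef` definitions changing) suggests a pre-flight check before loading a module on such a kernel. The script below is an added example, not part of this thread or of LKRG: it classifies each symbol a module needs as exported (insmod can link it), present-but-unexported (reachable only through a kallsyms lookup, which is what LKRG does for `selinux_enforcing`) or absent (what produces the "Unknown symbol" and "Can't find ... variable" failures quoted above). The `Module.symvers`, kallsyms and needed-symbol files are constructed samples modelled on the thread; on a real host they would be `/lib/modules/$(uname -r)/build/Module.symvers`, `/proc/kallsyms` and the module's undefined symbols.

```shell
#!/bin/sh
# Added example (not LKRG code): classify the symbols a kernel module needs
# against the running kernel before attempting to load it.
#
#   exported   - listed in Module.symvers: insmod can link against it
#   unexported - present in kallsyms only: a module can still reach it
#                through a kallsyms lookup (LKRG's approach)
#   absent     - not in the kernel at all (e.g. stripped by distro patches)
set -eu

# Classify one symbol. $2 is a Module.symvers file (CRC, name, module,
# export type), $3 a kallsyms-style file (address, type, name).
classify_symbol() {
    sym=$1; symvers=$2; kallsyms=$3
    if awk -v s="$sym" '$2 == s { f = 1 } END { exit !f }' "$symvers"; then
        echo exported
    elif awk -v s="$sym" '$3 == s { f = 1 } END { exit !f }' "$kallsyms"; then
        echo unexported
    else
        echo absent
    fi
}

# Check every symbol listed in $1 (one per line) and print a report.
# Returns 1 if any symbol is absent, so a build script can stop early
# instead of producing a module that fails at insmod time.
check_symbols() {
    list=$1; symvers=$2; kallsyms=$3; rc=0
    while read -r sym; do
        [ -n "$sym" ] || continue
        state=$(classify_symbol "$sym" "$symvers" "$kallsyms")
        printf '%-28s %s\n' "$sym" "$state"
        [ "$state" != absent ] || rc=1
    done < "$list"
    return $rc
}

# Constructed sample inputs in a temp dir, modelled on the thread: the USB
# notifier symbols and selinux_enforcing are missing, the ACPI notifier
# symbols are exported, kallsyms_on_each_symbol is present but unexported
# (its address is the one printed in the quoted kern.log).
make_sample_dir() {
    d=$(mktemp -d)
    printf '0x%08x\t%s\tvmlinux\tEXPORT_SYMBOL_GPL\n' \
        1 register_acpi_notifier 2 unregister_acpi_notifier \
        3 task_handoff_register > "$d/Module.symvers"
    printf '%s\n' \
        'ffffffff810dc4f0 T kallsyms_on_each_symbol' \
        'ffffffff81a00000 T register_acpi_notifier' \
        'ffffffff81a00100 T unregister_acpi_notifier' \
        'ffffffff81b00000 T task_handoff_register' > "$d/kallsyms"
    printf '%s\n' usb_register_notify usb_unregister_notify \
        register_acpi_notifier selinux_enforcing \
        kallsyms_on_each_symbol > "$d/needed"
    echo "$d"
}

# Stand-alone run against the constructed sample: ./check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_dir)
    check_symbols "$d/needed" "$d/Module.symvers" "$d/kallsyms" \
        || echo "some required symbols are absent from this kernel"
fi
```

On a real host the needed-symbol list can be taken from the built `.ko` (its undefined symbols), and the report tells you which "Unknown symbol" errors to expect before anything is loaded.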