|
Message-ID: <20180731205225.GA28270@pi3.com.pl> Date: Tue, 31 Jul 2018 22:52:25 +0200 From: Adam Zabrocki <pi3@....com.pl> To: lkrg-users@...ts.openwall.com Subject: Re: Fw: firejail and grsecurity compatibility Hello, It is possible that you have been exploited but at the same time you might hit some FP in LKRG which we are not aware of. From the description which you gave it sounds more like some bug in firejail / Chrome / pulseaudio which might confused LKRG and resulted in FPs - but it's difficult to make any strong conclusion. Can you please provie more informations? - Which kernel did you use? - Is it customized compilation? - Is it SMP machine? - What version of LKRG did you use? - Can you repro this scenario? - If you see similar situation can you change the log_level to be at least 4 - LKRG will print more detailed information what's going on > Also, is lkrg compatible with grsecurity? As long as KRETPROBE is supported by kernel, LKRG should be compatible with grsec (nevertheless I didn't make extensive tests on that) > have you tried running it on android? LKRG consists from 2 main features - runtime Code Integrity (CI) and Exploit Detection (ED). ED will work anywhere where KRETPROBE is supported - independed on CPU architecture. As far as I'm aware of Android kernels support KRETPROBEs on ARM so there shouldn't be any problem with that. Unfortunately, runtime CI is depended on CPU architecture and currently only x86 and amd64 are supported. Android devices run on ARM so currently CI won't be able to run there. Nevertheless we are planning to bring ARM support for runtime CI in the future. Thanks, Adam On Tue, Jul 31, 2018 at 03:37:16AM +0000, vapnik spaknik wrote: > OK, here is a further update on my previous message:I tried killing all programs running in firejails, but one of the firejails persisted. Running "firejail --list" indicated it containing chromium-browser which was running pulseaudio even though I had killed all chromium-browser processes and there were no instances of chromium-browser listed by "sudo pgrep chromium" or "sudo ps -e | grep chromium". > The lkrg "Exploit Detection" messages continued while this firejail was still running.After rebooting the machine, and reloading lkrg I have not seen any more "Exploit" messages.So.. could it be that I bumped into some exploit code while browsing the web? I can't remember all of the websites I visited, but I've tried revisiting those that I can remember, and have not seen any more "Exploit" messages from lkrg. > > On Monday, July 30, 2018 10:27 PM, vapnik spaknik <vapniks@...oo.com> wrote: > > > I am getting a lot of warning messages for firejail (https://firejail.wordpress.com/): > > Jul 30 22:19:09 computer kernel: [p_lkrg] <Exploit Detection> Detected pointer swapping attack!process[19677 | firejail] has different 'cred' pointJul 30 22:19:09 computer kernel: [p_lkrg] <Exploit Detection> Detected pointer swapping attack!process[19677 | firejail] has different 'real_cred' Jul 30 22:19:09 computer kernel: [p_lkrg] <Exploit Detection> process[19677 | firejail] has different EGID! 1000 vs 0Jul 30 22:19:09 computer kernel: [p_lkrg] <Exploit Detection> process[19677 | firejail] has different FSGID! 1000 vs 0Jul 30 22:19:09 computer kernel: [p_lkrg] <Exploit Detection> Trying to kill process[firejail | 19677]! > should I be worried? > Also, is lkrg compatible with grsecurity?and finally, have you tried running it on android? > Thankyou for your time. > > -- pi3 (pi3ki31ny) - pi3 (at) itsec pl http://pi3.com.pl
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.