Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20200125232250.GA31489@pi3.com.pl>
Date: Sun, 26 Jan 2020 00:22:50 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: UMH blocked when though lkrg.block_modules = 0

Hi,

I've just renamed 'p_init_log_level' module param name to 'log_level'.
I've also introduced 5 new module parameters (for now):
    -> clean_message
    -> block_modules
    -> enforce_umh
    -> enforce_msr
    -> enforce_pcfi

I did not add all sysctl parameters as module parameters for now, because we 
might change some of the current names (as Alexander pointed out).

On Sat, Jan 25, 2020 at 01:10:58PM +0000, Patrick Schleizer wrote:
> Solar Designer:
> > As you can see, even the value 0 does not fully disable the UMH lock-down.
> 
> 
> Understood. (The documentation was very clear but I forgot that when
> looking at umh_lock only.)
> 
> >> It was probably caused by sysctl "kernel.core_pattern=|/bin/false".
> > 
> > Is this a distro's default?  Which distro is that?
> 
> 
> Whonix / Kicksecure default.
> 
> > Adam, I think you might want to make two changes:
> > 
> > 1. Add /bin/false to the whitelist.
> 
> 
> Please also consider:
> 
> /bin/true (for consistency)
> 

I'm not sure if there is any value of adding "/bin/false" and "/bin/true" paths 
for whitelisting. These paths doesn't execute any functionality and I believe 
that more right approach is to change the distro configuration and empty / 
clean 'kernel.core_pattern' value.

> /lib/systemd/systemd-coredump
> 

It's already added.

> The Debian buster default:
> 
> core
> 
> 
> sudo sysctl -a | grep pattern
> 
> kernel.core_pattern = core
> 

I believe that this specific configuration doesn't invoke 'core' executable 
via UMH so it's not needed. Additionally, UMH whitelisting opperates on full 
real paths.

> > 2. Replace lkrg.umh_lock with a new sysctl called lkrg.enforce_umh with
> > 3 possible settings: 0 to completely disable the UMH lock-down (which we
> > currently have no setting for), 1 same as lkrg.umh_lock = 0, and 2 same
> > as lkrg.umh_lock = 1.  The default can be lkrg.enforce_umh = 1, which
> > will match the current default.  This change will also bring us closer
> > to a consistent naming scheme and semantics of the sysctl's, which
> > you've just started with the recent additions to support VirtualBox.
> 

Done. I've pushed commit to the official repo.

Thanks,
Adam

> 
> Sounds great!
> 
> Kind regards,
> Patrick

-- 
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.