Message-ID: <20200621200449.GA16026@pi3.com.pl>
Date: Sun, 21 Jun 2020 22:04:49 +0200
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: The lkrg.service for systemd

Hi,

I've tested the proposed Unit file and got:

[   15.469294] systemd[1]: lkrg.service: Service has Restart= setting other than no, which isn't allowed for Type=oneshot services. Refusing.
[   15.501035] systemd[1]: lkrg.service: Cannot add dependency job, ignoring: Unit lkrg.service has a bad unit file setting.

Originally we had:

-Type=simple

and in the new file we have:

+Type=oneshot

We can use Type=simple or edit:

> Restart=on-failure

and set it to "no". I believe that a better approach is to set Restart=No, since if LKRG fails to load the first time, there is little value in retrying it again.

Thanks,
Adam

On Sun, Jun 21, 2020 at 05:31:45PM +0200, Mikhail Morfikov wrote:
> On 21/06/2020 14:58, Solar Designer wrote:
> > There's yet another issue, though: LKRG may take a little while to
> > initialize before it's fully monitoring for attacks and enforcing its
> > configured policies, yet the boot process may concurrently proceed
> > further and e.g. start crond and an exploit from there.
> >
> > Do you have suggestions on how to make system boot process wait before
> > advancing to a phase where user code may run until LKRG is ready?
>
> The Before=sysinit.target would take care of holding the system boot till
> the LKRG module finishes loading. The regular services, like cron, are started
> after the basic.target is reached (which is after sysinit.target). So
> basically this dependency would do the job with ease.
>
> > What would you suggest we put into the documentation for those wanting
> > to use other init systems?
>
> I don't really know other init systems -- I use Debian on all of my machines,
> and this distro (like many others) defaults to systemd, and this move has
> been made some years ago. If there are any people who use some other inits, I
> would suggest that they speak about the proper support here, like I do with
> systemd.
>
> > With the 0.8 release being (hopefully) just around the corner, I think
> > switching to /etc/modules-load.d/99-lkrg.conf is too invasive a change
> > right now, but perhaps we can change the Before/After lines for now and
> > plan on making further changes for 0.9.
> >
> >> I would suggest something like:
> >>
> >> After=systemd-modules-load.service # to make sure all other modules are loaded
> >> Before=sysinit.target # to load LKRG as fast as possible
> >
> > Can you please test this suggestion of yours and confirm that it works?
>
> I tested, and I had to completely rewrite the systemd.service. Here's how it
> looks now:
>
> --------------
> [Unit]
> Description=Linux Kernel Runtime Guard
> Documentation=https://bitbucket.org/Adam_pi3/lkrg-main/src/master/README
> DefaultDependencies=no
> After=systemd-modules-load.service
> Before=systemd-sysctl.service
> Before=sysinit.target shutdown.target
> Conflicts=shutdown.target
>
> [Service]
> Type=oneshot
> ExecStart=/sbin/modprobe -v p_lkrg
> #ExecStop=/sbin/modprobe -v -r p_lkrg
> RemainAfterExit=yes
> Restart=on-failure
>
> [Install]
> WantedBy=sysinit.target
> --------------
>
> The *DefaultDependencies* has to be used, since this is an early boot service. When
> you use it, you have to take care of stopping the service, i.e. to add
> *Before=shutdown.target* and *Conflicts=shutdown.target* dependencies. I'm not
> sure what would happen in this case when the two are omitted because there's no
> real service that has to be stopped when the system reboots/shuts down. Anyway, after
> adding them, when the system reboots/shuts down the *ExecStop* command will be
> executed. So I commented it out because removing the module before system reboot
> is pointless. Using *After=systemd-modules-load.service* will make sure that
> LKRG will load after any other module does, *Before=systemd-sysctl.service* is
> for sysctl config to work, so if you block module loading via
> *lkrg.block_modules*, it will work. The *Before=sysinit.target* is redundant,
> but I keep it just to explicitly show where the LKRG service is assigned to. I
> also use *modprobe* for *ExecStart* and *ExecStop* commands (the -v flag can be
> removed). I changed the *Type* from *Simple* to *Oneshot* as it better fits in
> this case, especially with *RemainAfterExit=yes*. Also *WantedBy* changed from
> *multiuser.target* to *sysinit.target*.
>
> Here you can see how it works[1]. This is the very beginning of the boot phase,
> and you have first the systemd-modules-load.service; when it finishes,
> lkrg-dkms starts and the module loads for ~1,5s. When it finishes, then
> systemd-sysctl.service is launched and the rest of boot continues as usual.
>
> [1]: https://i.imgur.com/YCcPd60.png
>

--
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl
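The thread turns on three unit-file rules: systemd refuses a Type=oneshot service whose Restart= is anything but "no" (the boot error above), a DefaultDependencies=no unit must order and conflict against shutdown.target itself, and the ordering After=systemd-modules-load.service / Before=sysinit.target is what keeps services such as cron from starting before LKRG is loaded. The script below is an added example, not code from the LKRG project or from anyone in the thread: it parses the unit-file format (repeated keys and space-separated unit lists included) and lints a unit against exactly those three rules. The two unit texts are constructed copies of the file quoted above, once as posted and once with the Restart=no change Adam suggests; the rule set is an assumption drawn from the thread, not a replacement for systemd-analyze verify.

```python
"""Lint a systemd unit for the constraints discussed in the lkrg.service thread.

Added example (not the LKRG project's code). The unit texts are constructed
copies of the file posted in the thread; the checks encode the rules the
thread states and nothing beyond them.
"""
from collections import defaultdict

# Unit file as proposed in the thread (constructed copy).
PROPOSED_UNIT = """\
[Unit]
Description=Linux Kernel Runtime Guard
Documentation=https://bitbucket.org/Adam_pi3/lkrg-main/src/master/README
DefaultDependencies=no
After=systemd-modules-load.service
Before=systemd-sysctl.service
Before=sysinit.target shutdown.target
Conflicts=shutdown.target

[Service]
Type=oneshot
ExecStart=/sbin/modprobe -v p_lkrg
#ExecStop=/sbin/modprobe -v -r p_lkrg
RemainAfterExit=yes
Restart=on-failure

[Install]
WantedBy=sysinit.target
"""

# Same file with the change suggested in the reply: Restart=no for a oneshot service.
FIXED_UNIT = PROPOSED_UNIT.replace("Restart=on-failure", "Restart=no")

# Keys whose value is a whitespace-separated list of unit names.
LIST_KEYS = {"After", "Before", "Wants", "Requires", "Conflicts", "WantedBy"}


def parse_unit(text):
    """Parse unit text into {section: {key: [values...]}}.

    systemd lets a key repeat (several Before= lines) and lets several units
    share one line, so every key maps to a list. Comment lines starting with
    '#' or ';' and blank lines are skipped.
    """
    sections = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            sections[section][key].extend(value.split())
        else:
            sections[section][key].append(value)
    return sections


def lint_unit(text):
    """Return a list of problems; an empty list means the unit passes every check."""
    unit = parse_unit(text)
    problems = []
    service = unit.get("Service", {})
    u = unit.get("Unit", {})

    # 1. systemd rejects Type=oneshot combined with any Restart= other than "no".
    #    The last occurrence of a key wins, as it does in systemd.
    if service.get("Type", ["simple"])[-1] == "oneshot":
        restart = service.get("Restart", ["no"])[-1]
        if restart != "no":
            problems.append(f"Type=oneshot with Restart={restart}; "
                            "systemd refuses this, set Restart=no")

    # 2. With DefaultDependencies=no the unit has to handle shutdown ordering itself.
    if u.get("DefaultDependencies", ["yes"])[-1] == "no":
        if "shutdown.target" not in u.get("Conflicts", []):
            problems.append("DefaultDependencies=no without Conflicts=shutdown.target")
        if "shutdown.target" not in u.get("Before", []):
            problems.append("DefaultDependencies=no without Before=shutdown.target")

    # 3. Ordering the thread settles on: after module loading, before sysinit.target,
    #    so nothing in basic.target (cron and friends) starts until LKRG is loaded.
    if "systemd-modules-load.service" not in u.get("After", []):
        problems.append("missing After=systemd-modules-load.service")
    if "sysinit.target" not in u.get("Before", []):
        problems.append("missing Before=sysinit.target")

    return problems


if __name__ == "__main__":
    for name, text in (("proposed", PROPOSED_UNIT), ("fixed", FIXED_UNIT)):
        print(f"{name}: {lint_unit(text) or 'OK'}")
```

Running the script reports the oneshot/Restart conflict for the posted file and "OK" for the variant with Restart=no; the parser keeps all three Before= targets because the key repeats and one line carries two units.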