Message-ID: <20200708133807.GA8575@openwall.com>
Date: Wed, 8 Jul 2020 15:38:07 +0200
From: Solar Designer <solar@...nwall.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: <Exploit Detection> Process[modprobe] is trying to remove kernel module but does NOT have appropriate permissions!

On Tue, Jul 07, 2020 at 07:31:15PM +0200, Solar Designer wrote:
> On Tue, Jul 07, 2020 at 03:13:59PM +0200, Mikhail Morfikov wrote:
> > I accidentally tested what would happen if I loaded the LKRG module and then
> > blocked the sys_module capability (via AppArmor) for kmod. When I tried to 
> > unload some module via "modprobe -r -v sysdig-probe" in such situation, I
> > got the following:
> > 
> > kernel: [p_lkrg] <Exploit Detection> Process[modprobe] | 209106] is trying to remove kernel module but does NOT have appropriate permissions! Killing...
> [...]
> > kernel: [p_lkrg] <Exploit Detection> Trying to kill process[modprobe] | 209106]!
> 
> I had just started to discuss this aspect with Adam privately shortly
> before your posting.  This is a result of a check we have in place to
> minimize the race window for exploits that might overwrite capabilities.
> However, this visible effect of it without any exploit activity might be
> a result of a misunderstanding between Adam and me from back when we
> discussed this implementation a long time ago.  We might change things
> now as a result of the renewed discussion we're having.

These messages will be gone with the below commit I've just pushed:

commit ccd71872c5f767b418ffd40b6c113c4ee455df03
Author: Solar Designer <solar@...nwall.com>
Date:   Wed Jul 8 15:26:20 2020 +0200

    Drop init_module() and delete_module() syscall hooks

It's my first direct commit to there (not going via Adam).  I went ahead
and did this because we had agreed with Adam that the delete_module()
hooks were no longer needed much now that we hook capable(), and the
init_module() ones are similar in this respect.

Patrick might be unhappy that this commit isn't signed, but it only
deletes lines without adding anything, and I expect we'll only make
cosmetic and documentation changes before pushing out 0.8.1 shortly.

Adam's availability these days is limited, so I have to substitute for
him in finishing this bug fix release.

We'd appreciate testing of LKRG with the above commit included - install
on the system, reboot it, etc.  I expect no issues, but that's no reason
to skip testing.

Alexander
