Message-ID: <03930d18-352d-d28b-5341-53697c061f9e@gmail.com>
Date: Wed, 8 Jul 2020 16:21:47 +0200
From: Mikhail Morfikov <mmorfikov@...il.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: <Exploit Detection> Process[modprobe] is trying to
 remove kernel module but does NOT have appropriate permissions!

On 08/07/2020 15.38, Solar Designer wrote:
> 
> These messages will be gone with the below commit I've just pushed:
> 
> commit ccd71872c5f767b418ffd40b6c113c4ee455df03
> Author: Solar Designer <solar@...nwall.com>
> Date:   Wed Jul 8 15:26:20 2020 +0200
> 
>     Drop init_module() and delete_module() syscall hooks
> 
> ...
>
> We'd appreciate testing of LKRG with the above commit included - install
> on the system, reboot it, etc.  I expect no issues, but that's no reason
> to skip testing.
> 

It looks like it works well now. With the sys_module CAP blocked for kmod, I
get:

# modprobe -r -v p_lkrg
rmmod p_lkrg
modprobe: ERROR: ../libkmod/libkmod-module.c:799 kmod_module_remove_module() could not remove 'p_lkrg': Operation not permitted

And in the syslog I have just:

kernel: audit: type=1400 audit(1594217867.451:16126): apparmor="DENIED" operation="capable" profile="kmod" pid=837012 comm="modprobe" capability=16  capname="sys_module"



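As an added example (not part of this thread, and not LKRG or kmod code), a small Python filter that pulls AppArmor capability denials like the one above out of syslog text, so a defender can spot blocked module-unload attempts without reading every audit line. The sample input is constructed here: the first line is the denial quoted in the message, the others are made up to exercise the filter.

```python
import re

# Constructed sample syslog: line 1 mirrors the AppArmor denial from the
# thread (capability 16 == CAP_SYS_MODULE); the rest are invented filler.
SAMPLE_SYSLOG = """\
kernel: audit: type=1400 audit(1594217867.451:16126): apparmor="DENIED" operation="capable" profile="kmod" pid=837012 comm="modprobe" capability=16  capname="sys_module"
kernel: audit: type=1400 audit(1594217870.002:16127): apparmor="ALLOWED" operation="open" profile="kmod" name="/lib/modules/" pid=837013 comm="modprobe" requested_mask="r" denied_mask="r"
kernel: audit: type=1400 audit(1594217871.100:16128): apparmor="DENIED" operation="capable" profile="kmod" pid=837014 comm="modprobe" capability=21 capname="sys_admin"
kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

# type=1400 is AUDIT_AVC, the record type AppArmor uses for its messages.
AUDIT_RE = re.compile(r'type=(?P<type>\d+) audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)')
# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return a dict of fields for an AppArmor (type=1400) audit line, else None."""
    m = AUDIT_RE.search(line)
    if not m or m.group("type") != "1400":
        return None
    fields = {"ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, raw, quoted in FIELD_RE.findall(m.group("rest")):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def find_denied_capabilities(text, capname=None):
    """Return AppArmor events that denied a capability check, optionally only one capname."""
    events = []
    for line in text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get("apparmor") != "DENIED" or f.get("operation") != "capable":
            continue
        if capname is not None and f.get("capname") != capname:
            continue
        events.append(f)
    return events


if __name__ == "__main__":
    for ev in find_denied_capabilities(SAMPLE_SYSLOG, capname="sys_module"):
        print(f"serial {ev['serial']}: profile {ev['profile']} denied CAP_{ev['capname'].upper()} "
              f"to {ev['comm']} (pid {ev['pid']})")
```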