Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 8 Jul 2020 16:21:47 +0200
From: Mikhail Morfikov <>
Subject: Re: <Exploit Detection> Process[modprobe] is trying to
 remove kernel module but does NOT have appropriate permissions!

On 08/07/2020 15.38, Solar Designer wrote:
> These messages will be gone with the below commit I've just pushed:
> commit ccd71872c5f767b418ffd40b6c113c4ee455df03
> Author: Solar Designer <>
> Date:   Wed Jul 8 15:26:20 2020 +0200
>     Drop init_module() and delete_module() syscall hooks
> ...
> We'd appreciate testing of LKRG with the above commit included - install
> on the system, reboot it, etc.  I expect no issues, but that no reason
> to skip testing.

It looks like it works well now. With the sys_module CAP blocked for kmod, I

# modprobe -r -v p_lkrg
rmmod p_lkrg
modprobe: ERROR: ../libkmod/libkmod-module.c:799 kmod_module_remove_module() could not remove 'p_lkrg': Operation not permitted

And in the syslog I have just:

kernel: audit: type=1400 audit(1594217867.451:16126): apparmor="DENIED" operation="capable" profile="kmod" pid=837012 comm="modprobe" capability=16  capname="sys_module"

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.