Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20221214164607.GA17088@openwall.com>
Date: Wed, 14 Dec 2022 17:46:07 +0100
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, lkrg-users@...ts.openwall.com
Subject: LKRG 0.9.6

Hi,

For those new to Linux Kernel Runtime Guard (LKRG), it is a kernel
module that performs runtime integrity checking of the Linux kernel and
detection of security vulnerability exploits against the kernel.

We've just released LKRG 0.9.6, available on the LKRG project website:

https://lkrg.org

The following major changes have been made between LKRG 0.9.5 and 0.9.6:

 *) Support new mainline kernels 6.1-rc*, 6.1, and hopefully beyond
 *) Support kernels 5.19 and beyond on AArch64
 *) Support new RHEL 8.6 update and RHEL 8.7 kernels
 *) Support new CentOS Stream 9 aka upcoming RHEL 9.2 kernels
 *) Add a couple of distros' default pathnames to usermodehelper allow list
 *) Validate tasks' real UIDs/GIDs even when effective ones pass validation
    (previously, this check was normally bypassed as an optimization)
 *) Add synchronization logic around sysctl updates and other module (un)loads
    (previously, some concurrent events of this sort could lead to a crash on
    attempting to write to our read-only page)
 *) Test whether kretprobes work correctly at LKRG loading time and re-test
    periodically (previously, LKRG would only detect disabling of kretprobes
    after it's loaded, and only indirectly - through kernel code hash changes)
 *) Set kretprobes' maxactive based on actual number of possible logical CPUs
    (previously, we used a hard-coded value, which would more likely result in
    missed hook function invocations on systems with more CPUs)
 *) Continuous Integration updates, including testing on AArch64

We are lucky that our previous release, LKRG 0.9.5, worked as-is on
newer mainline kernels up to 6.0 on x86-64.  However, for compatibility
with 6.1-rc* and beyond we had to make changes.  Also, we found we had
overlooked a compatibility issue with 5.19+ on AArch64, now addressed.

Overall, the changes this time are not very extensive, although they
span a lot of the source files:

$ git diff --shortstat v0.9.5..v0.9.6
 73 files changed, 352 insertions(+), 207 deletions(-)

They are by the following people:

$ git shortlog -sn v0.9.5..v0.9.6
     9  Solar Designer
     4  Adam 'pi3' Zabrocki
     2  Vitaly Chikunov
     2  Vladimir D. Seleznev
     2  redp
     1  mrl5

In related news, LKRG is now packaged in Guix and NixOS.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.