Add new logic to the integrity verification routine verifying if the
kprobes are enabled and correctly run.
This commit makes kprobe verification functionality an independent
module invoked by integrity verification routine as well as during
initialization to make sure kprobes are enabled and run as intended
(otherwise, initialization fails).
Starting from RHEL8.6 4.18.0-372.32.1.el8_6 kernel struct text_poke_loc
is not exported and we need to correctly take this into account.
Previous RHEL8.6 kernels did not hide this structure so we need to find
some ways to distinguish them. We do it in this commit and it should fix #236
For (non-grub) BLS boot - install generated by Dracut initrd into
systemd-boot loader entry.
Man pages for curious details: systemd-boot(7), bootctl(1),
kernel-install(8).
Link: https://github.com/lkrg-org/lkrg/pull/228#issuecomment-1235403740
Fixes: db42541 ("CI: mkosi: Do not assume grub is installed")
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
mkosi' "--boot-protocols is deprecated and has no effect anymore", thus
do not assume we will be booting using grub/bios.
Fixes: https://github.com/lkrg-org/lkrg/issues/227
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
The original logic was hooking 'ovl_create_or_link' function but it could be
inlined. This commit changes it by hooking 'ovl_dentry_is_whiteout' when
possible.
Fixes #215
Impish has started to fail because it was EOL'ed on July 14, 2022.
Hirsute was EOL'ed on January 20, 2022, but it started to fail only
recently.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Changes to the Makefile enabling debug builds of LKRG resulted in
the copy-builtin script producing an errant Makefile inside the
target kernel tree.
Address this by creating a SECURITY_LKRG_DEBUG Kconfig option in
the Kconfig file and copy/update the relevant Makefile stanza into
the in-tree Makefile manually (vs extracting it from the source
Makefile and modifying in-flight).
Testing:
Built in Arch chroot, verified prompt for new option and module
build in-tree.
It was inconsistent to produce "alerts" that did not invoke any response
action, whereas downgrading them to informational messages lets us skip
a lengthy block of checks at default log level.
Use macros, move logging and enforcement responses from callers into
called functions, remove where it was duplicate.
Unify our log and kernel panic messages.
sed -i 's/\\n"/"/g' `fgrep -rl '\n"' src`
Followed by manual re-alignment of trailing backslashes in a few places,
and indeed the edit of p_print_log().