1) Introduce 'smap_validate' to control if SMAP validation will be performed
0 - disable SMAP validation
1 - enable SMAP validation
2) Introduce 'smap_enforce' to control how LKRG reacts when SMAP validation fails:
0 - log & accept
1 - log & restore
2 - panic() - kill the kernel
1) Introduce 'kint_validate' to control kernel/system integrity logic:
0 - disabled
1 - validation is performed only when manually triggered
3 - validation is performed periodically by timer interrupt and on random events
2) Introduce 'kint_enforce' to control how LKRG reacts when kernel/system integrity fails:
0 - log & accept corruption
1 - log only (for SELinux and CR0.WP violations, log & restore the original values)
2 - panic() - kill the kernel
3) Introduce 'pint_validate' to control tasks validation logic:
0 - disabled
1 - validate only currently running tasks
2 - validate only currently running tasks + any task which changes its state to RUNNING
3 - validate all tasks in the system (paranoid mode)
4) Introduce 'pint_enforce' to control how LKRG reacts when task validation fails:
0 - log & accept corruption
1 - kill corrupted task
2 - panic() - kill the kernel
5) Introduce 'smep_validate' to control if SMEP validation will be performed
0 - disable SMEP validation
1 - enable SMEP validation
6) Introduce 'smep_enforce' to control how LKRG reacts when SMEP validation fails:
0 - log & accept
1 - log & restore
2 - panic() - kill the kernel
7) Introduce 'umh_validate' to control if UMH validation will be performed
0 - disable UMH validation
1 - allow only whitelisted binaries to execute via UMH
2 - completely block UMH
8) Introduce 'umh_enforce' to control how LKRG reacts when UMH validation fails:
0 - log only
1 - prevent execution
2 - panic() - kill the kernel
9) Introduce 'pcfi_validate' to control if pCFI validation will be performed
0 - disabled
1 - no stackwalk (weak pCFI)
2 - fully enabled
10) Introduce 'pcfi_enforce' to control how LKRG reacts when pCFI validation fails:
0 - log only
1 - kill corrupted task
2 - panic() - kill the kernel
11) Rename 'timestamp' to 'interval'
12) Rename 'force_run' to 'trigger'
13) Rename 'clean_message' to 'heartbeat'
14) Rename 'msr_enforce' to 'msr_validate'
15) Option 'hide' stays the same
16) Option 'log_level' stays the same
17) Option 'block_modules' stays the same
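As an added example (not part of LKRG or its changelog), the shell function below audits the sysctl options listed above against a minimum baseline: it reads the "lkrg.<name> = <n>" lines that `sysctl lkrg` prints, reports every option that is below the baseline or absent, and exits non-zero when anything is weak. The baseline values are an assumption (validation on everywhere, enforcement at least "restore"/"kill task", never relying on panic()), and the sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Assumed baseline: minimum acceptable value per LKRG sysctl option.
# Usage on a live host: sysctl lkrg | lkrg_audit
lkrg_audit() {
    awk '
    BEGIN {
        min["kint_validate"] = 3; min["kint_enforce"] = 1
        min["pint_validate"] = 2; min["pint_enforce"] = 1
        min["smep_validate"] = 1; min["smep_enforce"] = 1
        min["smap_validate"] = 1; min["smap_enforce"] = 1
        min["umh_validate"]  = 1; min["umh_enforce"]  = 1
        min["pcfi_validate"] = 2; min["pcfi_enforce"] = 1
        min["msr_validate"]  = 1
        weak = 0
    }
    # Only well-formed "lkrg.<name> = <digits>" lines count; anything else is ignored.
    NF == 3 && $1 ~ /^lkrg\.[a-z_]+$/ && $2 == "=" && $3 ~ /^[0-9]+$/ {
        name = substr($1, 6)          # strip the "lkrg." prefix
        if (name in min) {
            seen[name] = 1
            if ($3 + 0 < min[name]) {
                printf "%s current=%s minimum=%d\n", name, $3, min[name]; weak++
            }
        }
    }
    END {
        # An option that never appeared is reported too: it may be an old
        # LKRG build without that control, or a silently renamed knob.
        for (name in min) if (!(name in seen)) { printf "%s missing\n", name; weak++ }
        exit (weak > 0)
    }'
}

# Constructed sample of `sysctl lkrg` output: kint enforcement is off,
# pCFI runs in weak (no stackwalk) mode, and umh_enforce is absent.
LKRG_SAMPLE='lkrg.kint_validate = 3
lkrg.kint_enforce = 0
lkrg.pint_validate = 2
lkrg.pint_enforce = 1
lkrg.smep_validate = 1
lkrg.smep_enforce = 1
lkrg.smap_validate = 1
lkrg.smap_enforce = 1
lkrg.umh_validate = 1
lkrg.pcfi_validate = 1
lkrg.pcfi_enforce = 1
lkrg.msr_validate = 1
lkrg.interval = 15'

# Run the audit over the constructed sample (exit status 1, three findings).
lkrg_audit_sample() { printf '%s\n' "$LKRG_SAMPLE" | lkrg_audit; }
```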
a) By default, only verify the currently executing process
b) Introduce a paranoid mode of process verification.
This mode verifies all tasks in the system
(like LKRG's old logic). This mode is executed from the
CI verification routine.
[2] Add new hooks to verify process credentials:
a) cover the cases where various capabilities are checked
b) before any task changes the state to TASK_RUNNING
[3] Create multiple RB-trees for tracking ED processes. Until now
we had only one root RB-tree. The new logic can improve
performance when the system is overloaded.
[4] Introduce a new ED API which forces a process to crash itself
when SIGKILL can't be delivered
[5] Enforce CPU metadata verification (like SMEP) in more places
[6] Fix some minor issues
[2] Introduce new sysctl interface - lkrg.enforce_msr (enabled by default):
lkrg.enforce_msr:
0 - disable MSR verification during CI
1 - enable MSR verification during CI
[1] Introducing an RO-page which keeps the most critical internal structures
[2] Moving the internal control structure (configurable via the sysctl interface) to the RO-page
[3] Introducing a new structure which keeps all dynamically resolved pointers
[4] Moving the new structure with dynamic pointers to the RO-page
[5] Refactoring the entire code to be compatible with the new design
[6] Adding appropriate messages when a new sysctl option is put in place
[7] A few more minor changes