mirror of https://github.com/openwall/lkrg.git
324 lines
17 KiB
Plaintext
324 lines
17 KiB
Plaintext
The following major changes have been made since LKRG 0.9.7:
|
|
|
|
*) RPM spec file improvements to make it work or properly fail in a wider set
|
|
of circumstances, and to use the "weak-modules" script if available so that
|
|
on RHEL and its rebuilds the same LKRG package build works across different
|
|
kABI-compatible kernel revisions/builds
|
|
*) More complete documentation of the build requirements
|
|
|
|
|
|
The following major changes have been made between LKRG 0.9.6 and 0.9.7:
|
|
|
|
*) Support new mainline kernels 6.4 to 6.5.x, and hopefully beyond
|
|
*) Support new RHEL 9.1 and 9.2 kernels, and hopefully beyond
|
|
*) Add RPM spec file for Red Hat'ish distros (usable via "rpmbuild -tb" on our
|
|
release tarball)
|
|
*) Add Arch Linux's /usr/bin/modprobe path to usermodehelper allow list
|
|
*) Bootup script changes
|
|
*) Continuous Integration updates
|
|
|
|
|
|
The following major changes have been made between LKRG 0.9.5 and 0.9.6:
|
|
|
|
*) Support new mainline kernels 6.1-rc*, 6.1, and hopefully beyond
|
|
*) Support kernels 5.19 and beyond on AArch64
|
|
*) Support new RHEL 8.6 update and RHEL 8.7 kernels
|
|
*) Support new CentOS Stream 9 aka upcoming RHEL 9.2 kernels
|
|
*) Add a couple of distros' default pathnames to usermodehelper allow list
|
|
*) Validate tasks' real UIDs/GIDs even when effective ones pass validation
|
|
(previously, this check was normally bypassed as an optimization)
|
|
*) Add synchronization logic around sysctl updates and other module (un)loads
|
|
(previously, some concurrent events of this sort could lead to a crash on
|
|
attempting to write to our read-only page)
|
|
*) Test whether kretprobes work correctly at LKRG loading time and re-test
|
|
periodically (previously, LKRG would only detect disabling of kretprobes
|
|
after it's loaded, and only indirectly - through kernel code hash changes)
|
|
*) Set kretprobes' maxactive based on actual number of possible logical CPUs
|
|
(previously, we used a hard-coded value, which would more likely result in
|
|
missed hook function invocations on systems with more CPUs)
|
|
*) Continuous Integration updates, including testing on AArch64
|
|
|
|
|
|
The following major changes have been made between LKRG 0.9.4 and 0.9.5:
|
|
|
|
*) Support new longterm kernels 5.10.133+
|
|
*) Rework the logic supporting OverlayFS (notably used by Docker) to support
|
|
a wider variety of kernel versions and builds
|
|
|
|
|
|
The following major changes have been made between LKRG 0.9.3 and 0.9.4:
|
|
|
|
*) Support new longterm kernels 5.15.40+
|
|
*) Support the OpenRC init system
|
|
*) Make log messages more consistent and suitable for both automated analysis
|
|
and human consumption, as well as easier to maintain
|
|
*) Introduce LKRG's own message severities and categories, which are separate
|
|
from (but mapped onto) the kernel's and are included in messages themselves
|
|
*) Many minor bug fixes, issue workarounds, and significant code cleanups
|
|
*) Rename the module from p_lkrg to lkrg
|
|
*) Add instructions on installing using DKMS
|
|
*) Continuous Integration updates
|
|
|
|
|
|
The following major changes have been made between LKRG 0.9.2 and 0.9.3:
|
|
|
|
*) Support new mainline kernels 5.17.x, 5.18-rc*, and hopefully beyond
|
|
*) Support loading into Xen PV guest kernels even on older CPUs without UMIP
|
|
*) Fix build on latest CentOS Stream 8 and upcoming RHEL 8.6+
|
|
*) Fix build on CentOS Stream 9
|
|
*) Fix build on openSUSE Leap
|
|
*) Continuous Integration and debugging build updates and improvements
|
|
|
|
|
|
The following major changes have been made between LKRG 0.9.1 and 0.9.2:
|
|
|
|
*) Support new stable and mainline kernels 5.14 to at least 5.16-rc*
|
|
*) Support new longterm kernels 5.4.118+, 4.19.191+, 4.14.233+
|
|
*) Support various CONFIG_SECCOMP configurations
|
|
*) Fix a false positive possible because of race on SECCOMP_FILTER_FLAG_TSYNC
|
|
where LKRG started to validate other threads' seccomp state too early
|
|
*) Fix support of CONFIG_HAVE_STATIC_CALL on Linux 5.10+ to avoid a race with
|
|
unloading of other modules
|
|
*) Support the "nolkrg" kernel parameter in LKRG itself (not only in systemd)
|
|
*) Log the blocked module name when lkrg.block_modules=1
|
|
*) Install/expect the sysctl settings in /etc/sysctl.d/01-lkrg.conf
|
|
*) Add dkms.conf
|
|
*) Continuous Integration and debugging build updates and improvements
|
|
|
|
|
|
The following major changes have been made between LKRG 0.9.0 and 0.9.1:
|
|
|
|
*) Support CONFIG_HAVE_STATIC_CALL on Linux 5.10+
|
|
*) Fix SELinux integrity violation false positive bug (introduced into LKRG in
|
|
March 2021 and manifesting itself on Linux 4.17+ when SELinux is already in
|
|
enforcing mode when LKRG is loaded)
|
|
*) Improve systemd service and its installation, add /etc/sysctl.d/lkrg.conf
|
|
*) Add the debian/ directory in order to support the Debian build system based
|
|
on pbuilder/dpkg-buildpackage
|
|
|
|
|
|
The following major changes have been made between LKRG 0.8.1 and 0.9.0:
|
|
|
|
*) Support new mainline kernel versions 5.8 to 5.12 (inclusive) and new stable
|
|
kernels 5.4.87+ (which include some back-ports from 5.8+)
|
|
*) Support new RHEL kernels up to RHEL 8.4's (inclusive)
|
|
*) Support building LKRG in the kernel tree (not only as a standalone module),
|
|
as a module or linking into the kernel image (see scripts/copy-builtin.sh)
|
|
*) Support CONFIG_FUNCTION_TRACER with or without CONFIG_DYNAMIC_FTRACE
|
|
*) Support various CONFIG_OPTPROBES configurations
|
|
*) Support loading overlayfs[2] after LKRG (e.g., by Docker; previously, the
|
|
overlayfs[2] module had to be loaded before LKRG for Docker to work)
|
|
*) "Support" CONFIG_GCC_PLUGIN_RANDSTRUCT (don't monitor SELinux if enabled)
|
|
*) Explicitly do not support RT kernels
|
|
*) Fix support for 32-bit x86 (was unintentionally broken in LKRG for ages,
|
|
but could mostly work on many pre-5.7 kernel and LKRG builds by "luck")
|
|
*) Fix detection of process user/group ID corruption to cover any unexpected
|
|
changes (previously, only numerically lower new IDs, as exploits normally
|
|
use, would be detected - a limitation left over from early LKRG testing)
|
|
*) Fix logging of WP/SMEP/SMAP violations on systems with SMAP in the "log and
|
|
accept" mode (previously, one such violation could mute logging of others)
|
|
*) Add detection of ADDR_LIMIT corruption attacks
|
|
*) Remove validation of waking-up tasks (drop pint_validate=2)
|
|
*) Replace execve(2) hooks (instead hook security_bprm_committing_creds and
|
|
security_bprm_committed_creds, which shortens the race window for exploits)
|
|
*) Replace ptrace(2) hooks (instead hook security_ptrace_access)
|
|
*) Simplify UMH blocking and make it compatible with CPA-protected pages
|
|
*) Simplify and speed up do_exit hook (no need to validate a dying process)
|
|
*) Many other changes under the hood to make LKRG easier to maintain and debug
|
|
*) Integrate LKRG with out-of-tree (a tool to assist kernel module testing)
|
|
*) Integrate LKRG with mkosi (systemd's tool for generating a test boot image)
|
|
*) Continuous Integration setup: boot tests on GitHub Actions using mkosi
|
|
(with Ubuntu's release kernels and their daily builds of mainline kernels)
|
|
|
|
|
|
The following major changes have been made between LKRG 0.8 and 0.8.1:
|
|
|
|
*) Drop init_module() and delete_module() syscall hooks, which were no longer
|
|
justified now that we hook capable() yet contained a nasty bug (first
|
|
reported by Jason A. Donenfeld) allowing a user to trigger an Oops (read via
|
|
a near-NULL pointer) on 64-bit Linux 4.17+
|
|
*) Update CONCEPTS to note the risk of running with untested kernel versions
|
|
*) Update PERFORMANCE to refer to Phoronix article and raw results on 0.8
|
|
|
|
|
|
The following major changes have been made between LKRG 0.7 and 0.8:
|
|
|
|
*) Add support for kernels 5.3+ (JUMP_LABEL batch mode), 5.5+ and 5.6+ (other
|
|
changes in JUMP_LABEL), 5.7+ (non-exported kallsyms_lookup_name symbol)
|
|
*) Add support for kernels built with aggressive GCC optimizations, where LKRG
|
|
will now hook the GCC-mangled function names (.isra and .constprop)
|
|
*) Add support for kernels lacking functions that LKRG would have hooked but
|
|
can also reasonably work without, which LKRG will now merely warn about
|
|
*) Add support for kernels built without CONFIG_USB and/or CONFIG_STACKTRACE,
|
|
and for kernels built with CONFIG_UNWINDER_ORC
|
|
*) Add explicit checking for certain required CONFIG_* options to produce
|
|
user-friendly error messages instead of confusing build failures
|
|
*) Add support for ACPI S3 (suspend to RAM) and S4 (suspend to disk)
|
|
*) Add support for DKMS to Makefile
|
|
*) Add experimental support for 32-bit ARM, tested on Raspberry Pi 3 Model B
|
|
*) Add experimental support for Raspberry Pi 4, tested on board revision c03112
|
|
(we had already included general support for AArch64 (ARM64) in LKRG 0.7)
|
|
*) Add more hooks, most notably on capable() for more likely timely detection
|
|
of exploits that mess with capabilities rather than credentials
|
|
*) New logic for detection of namespace escapes (e.g., from Docker containers)
|
|
*) Add x86-64 SMAP bit validation and enforcement (similar to that for SMEP)
|
|
*) Maintain LKRG runtime configuration in a memory page usually kept read-only
|
|
*) Ensure kernel addresses and LKRG's own sensitive information is only logged
|
|
at log_level 4 or higher (non-default)
|
|
*) Improve scalability of process tracking database: instead of one RB tree
|
|
guarded by one spinlock, use a 512-entry hash table of RB trees guarded by
|
|
their corresponding 512 read-write locks
|
|
*) Introduce a mode (enabled by default) where process credentials integrity
|
|
validation is only frequently performed for the current task (that's about
|
|
to make use of the credentials) and (optionally yet also enabled by default)
|
|
for tasks that are waking up, but infrequently for other tasks (sleeping or
|
|
running without invoking kernel APIs that LKRG knows could use credentials)
|
|
*) Redesign LKRG's presentation of its feature set to the user (sysadmin), no
|
|
longer presenting it as having separate Code Integrity and Exploit Detection
|
|
components, but instead LKRG as a whole working to detect various integrity
|
|
violations (not only of code, and possibly caused by exploits) and attacks
|
|
*) Introduce many separate knobs (each available as a sysctl and a module
|
|
parameter) for fine-grained tuning of LKRG's detection of violations and
|
|
attacks (validation), as well as its response to those (enforcement)
|
|
*) Introduce LKRG validation and enforcement profiles, which are pre-defined
|
|
sets of recommended values of the fine-grained tuning knobs
|
|
*) Change the defaults to improve the balance between timely detection and
|
|
effective response vs. performance impact and risk of false positives
|
|
*) Rework the optional systemd unit file so that LKRG is loaded at an earlier
|
|
stage of system bootup, but can be disabled via the kernel command-line
|
|
*) Rework the documentation reflecting the above changes, replacing INSTALL by
|
|
a much more extensive README, adding CONCEPTS, and replacing the contents of
|
|
PERFORMANCE with up-to-date Phoronix Test Suite benchmarks
|
|
|
|
|
|
The following changes have been made between LKRG 0.6 and 0.7:
|
|
|
|
*) Refactor LKRG code to support multiple CPU architectures
|
|
*) Add experimental support for ARM64
|
|
*) Add experimental support for grsecurity kernels (with some limitations)
|
|
*) Add support for kernels 5.1 and 5.2 (and hopefully beyond)
|
|
*) Add support for kernels without enabled CONFIG_DYNAMIC_DEBUG
|
|
*) Add support for kernels without enabled CONFIG_ACPI
|
|
*) Add support for kernels without enabled CONFIG_STACKTRACE
|
|
*) Add support for kernels with enabled CONFIG_STATIC_USERMODEHELPER
|
|
*) [CI] Fix race condition with *_JUMP_LABEL engine resulting in potential
|
|
deadlock when LKRG is initialized in parallel with other heavy kernel module
|
|
(un)loading events
|
|
*) [CI] Re-enable self-hashing
|
|
*) [ED] Change the logic how LKRG tracks a newly created task in the system
|
|
*) [ED] Rewrite internal logic how LKRG synchronizes with the task's resources
|
|
*) [ED] Filter our kernel threads and system-init process when validation is
|
|
performed bypassing threads iteration
|
|
*) [ED] Disable IRQ in most cases when LKRG's PIDs database lock is taken.
|
|
Otherwise, we could have potential race and deadlock with kprobe engine
|
|
itself, and SoftIRQs could deadlock with LKRG's pCFI.
|
|
*) [ED] Fix potential FP during LKRG unloading procedure and add memory barrier
|
|
*) [ED] Fix logic for *init_module/delete_module for kernels with
|
|
CONFIG_ARCH_HAS_SYSCALL_WRAPPER
|
|
*) [ED] Fix FP (race condition) in pCFI in glitching scenario during process
|
|
update, and add memory barrier
|
|
*) [ED] Fix potential glitch in pCFI
|
|
*) [ED] Add support for OverlayFS (which is commonly used by Docker)
|
|
*) [ED] Whitelist Ubuntu Apport (thanks to Pawel Krawczyk)
|
|
*) [ED] Enforce stack pointer validation on lookup_fast function
|
|
*) [ED] Add SMEP/WP bit verification (and re-enforcement) in more places
|
|
*) [ED] Refactor some of the logic to be compatible with x86 lacking SMEP
|
|
*) [ED] Add new sysctl lkrg.smep_panic (only on x86, enabled by default)
|
|
*) [ED] Add new sysctl lkrg.umh_lock (disabled by default)
|
|
*) Update INSTALL to document the new sysctl's and the previously undocumented
|
|
lkrg.hide sysctl
|
|
*) Minor change of initialization logic
|
|
*) Add potential debug compilation option to Makefile
|
|
*) Mute the most noisy STRONG_DEBUG output by default
|
|
*) Don't export global CFLAGS since it might be incompatible when LKRG is part
|
|
of a bigger project's build
|
|
*) Restore terminal colors when systemd service installation fails
|
|
|
|
|
|
The following changes have been made between LKRG 0.5 and 0.6:
|
|
|
|
*) [CI] Protect SMEP bit in CR4 and WP bit in CR0 on x86 architecture
|
|
*) [CI] Reimplement *_JUMP_LABEL support: simpler and needs a lot less memory
|
|
*) [CI] Propagate errors when kzalloc() fails
|
|
*) [ED] Introduce pCFI mitigation (poor man's Control Flow Integrity) against
|
|
unintended invocation of a few kernel functions especially useful in
|
|
exploits
|
|
*) [ED] Lock down the usermodehelper interface with a whitelist of programs
|
|
*) [ED] Fix false positive on seccomp(SECCOMP_SET_MODE_FILTER,
|
|
SECCOMP_FILTER_FLAG_TSYNC, ...) failing, where we must revert all threads'
|
|
settings but did not (we do now)
|
|
*) [ED] Freeze all user mode processes during Exploit Detection initialization
|
|
to avoid false positives
|
|
*) [ED] Minor change in how SIGKILL is delivered to the corrupted task
|
|
*) Fix build error on Linux 4.17+ without CONFIG_ARCH_HAS_SYSCALL_WRAPPER
|
|
*) Add LKRG early boot systemd unit file. (Similar optional functionality for
|
|
other init systems may be added later. Contributions are welcome.)
|
|
*) Add install/uninstall make targets, which deploy/remove the systemd service
|
|
|
|
|
|
The following changes have been made between LKRG 0.4 and 0.5:
|
|
|
|
*) [CI] Add *_JUMP_LABEL support for kernel modules (a major change)
|
|
*) [CI] Add support for "cold" function versions generated by new GCC -
|
|
necessary to correctly handle *_JUMP_LABEL
|
|
*) [CI] Change output message format when *_JUMP_LABEL was detected for kernel
|
|
module's .text section
|
|
*) [CI] Add new sysctl interface - optional panic() on CI verification failure
|
|
*) [ED] Hook generic_permission() instead of may_open()
|
|
*) [ED] Hook and correctly handle override_creds() / revert_creds()
|
|
*) Add Mikhail Klementev's patches for Makefile, .gitignore and missing include
|
|
|
|
|
|
The following changes have been made between LKRG 0.3 and 0.4:
|
|
|
|
*) [ED] Fix a potential kretprobe glitch that could happen in a very rare
|
|
corner case on heavily loaded SMP machines (resulting in a false positive)
|
|
*) [ED] Change some of the printed messages for log_level=4
|
|
*) [ED] Add support for 4.17+ kernels. This is a pretty big change addressing:
|
|
a) New logic of how syscall stubs are created; CONFIG_X32_X86 and
|
|
CONFIG_COMPAT now have separate stubs
|
|
b) SELinux variables are now accumulated in one structure
|
|
|
|
|
|
The following changes have been made between LKRG 0.2 and 0.3:
|
|
|
|
*) [ED] Fix false positive caused via potential race condition when child
|
|
process might be faster than mother returning from the fork()
|
|
*) [ED] Change the logic and loglevel for message printed when racy situation
|
|
at fork() appears
|
|
*) [CI] Change assigned probabilities when integrity routine will be fired
|
|
|
|
|
|
The following changes have been made between LKRG 0.1 and 0.2:
|
|
|
|
*) Add support for being loaded at early boot stage (e.g. from initramfs)
|
|
*) [CI] Add a new sysctl to control whether LKRG performs code integrity checks
|
|
on random events (or only at regular intervals)
|
|
*) Reduce performance impact, e.g. in our specific test case:
|
|
-> Average cost of running a fully enabled LKRG => 2.5%
|
|
-> Average cost of running LKRG without the code integrity checks on
|
|
random events (disabled with the new sysctl) => 0.7%
|
|
*) [CI] Fix a potential deadlock bug caused by get_online_cpus() function,
|
|
which might sleep if CONFIG_PREEMPT_VOLUNTARY=y
|
|
*) [CI] Fix dynamic NOPs injected by *_JUMP_LABEL for MWESTMERE
|
|
*) [CI] Remove false positives caused by *_JUMP_LABEL in corner case scenarios
|
|
*) [ED] Remove false positives when kernel executes usermode helper binaries
|
|
|
|
|
|
The following changes have been made between LKRG 0.0 and 0.1:
|
|
|
|
*) Support RHEL 7.4 kernels
|
|
*) Make new compiler happy (gcc 7.3+)
|
|
*) Improve Makefile
|
|
*) Improve Exploit Detection performance and hardened 'off' flag
|
|
*) Add support for kernel 4.15
|
|
*) Use GPLv2 LICENSE
|
|
*) Add INSTALL, CHANGELOG and PATREONS file
|
|
*) Move SELinux integrity check to the workqueue
|
|
*) Fix how *_JUMP_LABEL is handled when 0xCC byte is injected
|
|
|
|
|
|
Legend:
|
|
[CI] - Code Integrity
|
|
[ED] - Exploit Detection
|