LKRG Module Version 0.7 Released

Linux Kernel Runtime Guard is designed to protect Linux against the exploitation of vulnerabilities
23 July 2019

The Openwall project has published the release of LKRG 0.7 (Linux Kernel Runtime Guard), a kernel module that detects unauthorized modifications of the running kernel (integrity checking) and attempts to change the privileges of user processes (exploit detection). The module is suitable both for protection against already known exploits for the Linux kernel (for example, when updating the kernel on a system is problematic) and for countering exploits for still unknown vulnerabilities. A description of LKRG's features can be found in the project's first announcement.

Among the changes in the new version:

  • The code was refactored to support multiple CPU architectures; initial support for the ARM64 architecture was added;
  • Compatibility with Linux kernels 5.1 and 5.2, with kernels built without the CONFIG_DYNAMIC_DEBUG, CONFIG_ACPI and CONFIG_STACKTRACE options, and with kernels built with the CONFIG_STATIC_USERMODEHELPER option. Experimental support for kernels from the grsecurity project was added;
  • The initialization logic was significantly reworked;
  • Self-hashing was re-enabled in the integrity checking subsystem, and a race condition in the jump label engine (*_JUMP_LABEL) was eliminated; it led to a deadlock when LKRG initialization coincided with the loading or unloading of other modules;
  • In the exploit detection code, the new sysctls lkrg.smep_panic (enabled by default) and lkrg.umh_lock (disabled by default) were added, additional checks of the SMEP and WP bits were introduced, the task tracking logic was changed, the internal synchronization logic for task resources was revised, support for OverlayFS was added, and Ubuntu Apport was added to the whitelist.

More information is available on Openwall's website.

Linux 5.3 Kernel Released

A large set of updates, improvements, changes and new features awaits all Linux users
17 September 2019

After two months of development, Linus Torvalds announced the release of the Linux 5.3 kernel. Among the most notable changes: support for AMD Navi GPUs, Zhaoxin processors and Intel Speed Select power management technology, the ability to use the umwait instructions to wait without busy loops, a utilization clamping mode that improves interactivity on asymmetric CPUs, the pidfd_open system call, the ability to use IPv4 addresses from the 0.0.0.0/8 range, hardware offload for nftables, HDR support in the DRM subsystem, and integration of the ACRN hypervisor.

In the release announcement, Linus reminded developers of the main rule of kernel development: preserving the behaviour that user space relies on. Changes in the kernel must never break already running applications or cause user-visible regressions. A change in behaviour can result not only from an ABI change, the removal of obsolete code or a bug, but also as an indirect effect of a correct and useful improvement. As an example, a useful optimization in the Ext4 code was reverted: it reduced the number of disk accesses by disabling read-ahead of the inode table for small I/O requests.

The optimization meant that, because of the reduced disk activity, entropy for the getrandom() random number generator accumulated more slowly, and in some configurations, under certain circumstances, the boot could hang until the entropy pool was initialized. Since the optimization is genuinely useful, a discussion arose among developers in which it was proposed to solve the problem by turning off the default blocking behaviour of the getrandom() call and adding an optional flag to wait for entropy, but such a change would affect the quality of random numbers early in the boot. In the revert commit, Linus noted that he plans to bring the optimization back once the getrandom() problem is resolved.
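The blocking behaviour at issue can be observed directly from user space. As an added example (not code from the page, the kernel or the Openwall project), the following C program first probes whether the kernel's random pool is initialized using the GRND_NONBLOCK flag, which makes getrandom() fail with EAGAIN instead of sleeping, and then reads key material with the blocking default. The function names probe_entropy_pool and fill_random are this example's own.

```c
/*
 * Added example (not from the page, the kernel or the Openwall project):
 * probing and reading the getrandom() pool, the call whose blocking
 * behaviour the text discusses. Function names are this example's own.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Flag value from the uapi <linux/random.h>; defined here so the example
 * also builds on systems whose libc has no getrandom() wrapper. */
#ifndef GRND_NONBLOCK
#define GRND_NONBLOCK 0x0001
#endif

enum pool_state { POOL_READY = 0, POOL_NOT_READY = 1, POOL_ERROR = 2 };

/* Ask the kernel for one byte without blocking. While the pool is not yet
 * initialized the syscall fails with EAGAIN; a plain getrandom() call at
 * that moment would sleep, which is the boot hang described above. */
enum pool_state probe_entropy_pool(void)
{
    unsigned char byte;
    long n = syscall(SYS_getrandom, &byte, sizeof byte, GRND_NONBLOCK);
    if (n == 1)
        return POOL_READY;
    if (n < 0 && errno == EAGAIN)
        return POOL_NOT_READY;
    return POOL_ERROR;
}

/* Fill buf with len random bytes. Returns len on success, -1 on error with
 * errno set (EAGAIN when allow_block is 0 and the pool is not ready).
 * Handles the two cases callers usually forget: a short return (possible for
 * requests above 256 bytes) and EINTR from a signal while blocking. */
long fill_random(void *buf, size_t len, int allow_block)
{
    unsigned char *p = buf;
    size_t done = 0;
    unsigned int flags = allow_block ? 0 : GRND_NONBLOCK;

    while (done < len) {
        long n = syscall(SYS_getrandom, p + done, len - done, flags);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        done += (size_t)n;
    }
    return (long)done;
}

/* Sanity helper: a buffer that is still entirely zero was never written. */
int all_zero(const unsigned char *p, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    unsigned char key[32];
    memset(key, 0, sizeof key);

    switch (probe_entropy_pool()) {
    case POOL_READY:
        puts("pool initialized");
        break;
    case POOL_NOT_READY:
        puts("pool not yet initialized; a blocking getrandom() would sleep");
        break;
    default:
        perror("getrandom");
        return 1;
    }

    /* Blocking read: right for long-lived key material, but exactly what an
     * early-boot service must not do before the pool is ready. */
    if (fill_random(key, sizeof key, 1) != (long)sizeof key) {
        perror("getrandom");
        return 1;
    }
    printf("got %zu key bytes, first byte 0x%02x\n", sizeof key, key[0]);
    return 0;
}
```

On a machine that has been running for a while the probe reports the pool as initialized and the blocking read returns at once. Started from an early-boot unit on a system with little entropy, the same blocking fill_random() call is the one that waits until the pool fills; a service that needs only a non-secret value at that point should take the non-blocking path and fall back, rather than hold up the boot.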

The new version incorporated 15794 patches from 1974 developers; the patch is 92 MB in size (the changes affected 13986 files, with 258419 lines added and 599137 lines removed). About 39% of the changes in 5.3 relate to device drivers, about 12% to architecture-specific code, 11% to the network stack, 3% to file systems and 3% to internal kernel subsystems.

More information about the new features is available in the release announcement on the mailing list.