Comments (12)
@Adam-pi3 Since getting this fixed properly is taking a long while, maybe you can meanwhile disable the known-buggy functionality in LKRG? That is, exclude "SELinux protection on kernels 5.6+ with GCC_PLUGIN_RANDSTRUCT."
from lkrg.
Here is another case (with additional log verbosity) where a new module was being installed:
[ 1286.684815] SELinux: Converting 945 SID table entries...
[ 1286.698688] SELinux: policy capability network_peer_controls=1
[ 1286.698690] SELinux: policy capability open_perms=1
[ 1286.698691] SELinux: policy capability extended_socket_class=1
[ 1286.698691] SELinux: policy capability always_check_network=0
[ 1286.698692] SELinux: policy capability cgroup_seclabel=1
[ 1286.698693] SELinux: policy capability nnp_nosuid_transition=1
[ 1286.698693] SELinux: policy capability genfs_seclabel_symlinks=0
[ 1286.785698] [p_lkrg] Removing ED pid => 47088
[ 1286.791601] [p_lkrg] Hash from CPUs metadata => [0x8ab44ce6b79e2c1b]
[ 1286.791609] [p_lkrg] Hash from kernel exception table => [0x4e32f2f23073735a]
[ 1286.797523] [p_lkrg] Hash from _stext memory block => [0x2b87b3a42e6fcb00]
[ 1286.800405] [p_lkrg] Hash from _rodata memory block => [0x96717cf3fb49c22d]
[ 1286.800407] [p_lkrg] Hash from IOMMU table => [0xffffffff]
[ 1286.800408] [p_lkrg] Hash from 'module list' => [0xcd82525b9c2cd1fb]
[ 1286.800409] [p_lkrg] Hash from 'module kobj(s)' => [0x40e8e38bc0e48247]
[ 1286.800846] [p_lkrg] <Exploit Detection> Detected data corruption against SELINUX! 'selinux_state->enforcing' has different value [88 vs 216] than expected!
from lkrg.
Do you have enabled GCC_PLUGIN_RANDSTRUCT ?
from lkrg.
Do you have enabled GCC_PLUGIN_RANDSTRUCT ?
Yes.
from lkrg.
Currently, our SELinux protection logic is incompatible with GCC_PLUGIN_RANDSTRUCT since kernel 5.6. Without GCC_PLUGIN_RANDSTRUCT or if GCC_PLUGIN_RANDSTRUCT is enabled but kernel < 5.6 it works fine. We are aware of that and we are working on a proper fix to support SELinux protection on kernels 5.6+ with GCC_PLUGIN_RANDSTRUCT.
@oshogbo is driving this changes.
from lkrg.
In fact, yesterday I've been talking with @oshogbo and reviewing his changes and after some suggestions it work up to the kernel 5.11. We are working now to add support for 5.11+.
maybe you can meanwhile disable the known-buggy functionality in LKRG?
I think we can add it but we would need to revert such changes relatively soon. As soon as 5.11+ support will be done. We can also push the current changes but it won't work for 5.11+
from lkrg.
Great news that progress is being made on this. Not having seen those WIP changes, I don't know how close to being ready they actually are. It may well make sense to disable the broken functionality meanwhile.
from lkrg.
Checking our e-mail discussion from January, besides the issue with RANDSTRUCT there's also the issue with LKRG not supporting CONFIG_SECURITY_SELINUX_DISABLE=n:
You assume CONFIG_SECURITY_SELINUX_DISABLE is defined. If it is not,
then fields shift by one, and LKRG ends up checking "checkreqprot"
instead of "enforcing".
Then, you define the "avc" and "ss" fields where the current revision of
the struct has different fields. Since LKRG doesn't use those fields,
it's sort of fine, but it's better not to even define the unused fields.
Perhaps you can fix this other issue without waiting on @oshogbo?
from lkrg.
Perhaps you can fix this other issue without waiting on @oshogbo?
In fact, the upcoming changes will address it as well. I think it's better to focus more on adding support for 5.11+ and speed-up that work. It will fix all the problems :)
from lkrg.
Does the RANDSTRUCT problem exist when LKRG is built into the kernel with access to the struct layouts at compile time and the seed used?
from lkrg.
@0xC0ncord This issue should be fixed by #57, which is merged. Can you please test and confirm, and if so close the issue? Thanks!
from lkrg.
@solardiz So far I haven't been able to reproduce the issue since building from master and using the same kernel, so it looks to be solved. Hopefully soon we can reinstate SELinux protections when RANDSTRUCT is in use in the future however. Going to close this since the original issue has been resolved.
from lkrg.
Related Issues (20)
- Linux post-6.3: cpufreq_unregister_notifier NULL deref
- kernel.stext integrity check failed due to an error in handling the p_arch_jump_label_transform_entry address on ARM64 HOT 11
- Method for lkrg functional testing HOT 3
- segfault with ibt enabled HOT 1
- build error: Error! Bad return status for module build on kernel HOT 4
- mkosi: No such script: /usr/share/debootstrap/scripts/mantic HOT 5
- Clearer communication around allowing non-standard kernel configurations such as PREEMPT_RT HOT 3
- Build error on post-6.4 kernel: 'struct ctl_table' has no member named 'child' HOT 5
- Setting/unsetting lkrg.hide makes the module appear "in use" and not removable HOT 1
- mkosi-mainline tests failing HOT 2
- mkosi-mainline "Failed to start initrd-switch-root.service - Switch Root." HOT 7
- 3.10.0-ovz-el7: warning: objtool: p_install_switch_idt_hook.cold()+0x0: frame pointer state mismatch HOT 1
- lkrg can not detect and defense the "looney tunable" exploit for glibc HOT 2
- mkosi-mainline fails to download kernel HOT 1
- "_stext hash changed unexpectedly" when loading at boot on RHEL8 HOT 7
- enable github CodeQL vulnerability scanning HOT 1
- compile time flags hardening HOT 2
- Killing task via stale pointer after spurious 'off' flag corruption after UMH blocking HOT 3
- Linux 4.9 aarch64 crash on non-exported function HOT 3
- High CPU load on Debian 12 VM caused by LKRG HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from lkrg.