Linux Kernel Runtime Guard 1.0 Released

Linux Kernel Runtime Guard hits 1.0 after 7 years, introducing support for kernel 6.17, bug fixes, performance enhancements, and code cleanup.

The Linux Kernel Runtime Guard (LKRG), maintained under the Openwall project, has officially reached version 1.0, more than seven years after its first public release in 2018.

If you are not familiar with it, LKRG is a kernel module that acts as a security layer for the Linux kernel. Its main job is to monitor the kernel while it’s running and catch anything that looks suspicious or unsafe.

For example, if an attacker tries to exploit a kernel vulnerability by overwriting kernel credentials or altering kernel memory, LKRG can detect that behavior. When it finds something abnormal, it can log it, kill the offending process, or take other defensive measures depending on its configuration.

In other words, LKRG doesn’t replace other security features like SELinux or AppArmor, but rather complements them by adding checks at the kernel level. Now, back to the topic.

Between versions 0.9.9 and 1.0, several major changes landed. LKRG now supports the latest mainline Linux kernels, tested up to 6.17-rc4. Adjustments were made for Linux 6.13 and newer, including dropping hooks for override_creds() and revert_creds(), while expanding credential pointer overwrite checks in other places for older kernels.

OverlayFS compatibility was also improved, specifically to avoid false positives when running containers on 6.10 through 6.12. Plus, the codebase is now leaner, with roughly 2,400 fewer lines than before.

On the performance side, per-task shadow data lookups are now lockless, and shadow data locking itself was overhauled with finer-grain locks. Many hooks were switched from kretprobes to kprobes, improving reliability and speed while also reducing duplicated code. Integrity violation checks were wrapped in unlikely(), keeping hot paths clean of unnecessary cache clutter.
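The credential checks and the unlikely() change described above can be pictured with a simplified user-space model. This is an example added here, not LKRG code: the struct names, `shadow_sync`, `validate_task` and the `enforce` flag are assumptions for illustration, and the sample task is constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* Same branch hint the kernel's unlikely() gives the compiler (GCC/Clang builtin). */
#define unlikely(x) __builtin_expect(!!(x), 0)

/* Hypothetical stand-ins for a task's credentials and the guard's private copy. */
struct creds  { uint32_t uid, gid; uint64_t caps; };
struct task   { int pid; struct creds cred; int alive; };
struct shadow { struct creds saved; };
enum action   { ACT_NONE, ACT_LOG, ACT_KILL };

/* Take a trusted snapshot at a legitimate change point (task creation, setuid()). */
static void shadow_sync(struct shadow *s, const struct task *t)
{
    s->saved = t->cred;
}

/* Compare live credentials with the shadow copy; a mismatch is the cold path. */
static enum action validate_task(struct task *t, const struct shadow *s, int enforce)
{
    if (unlikely(t->cred.uid != s->saved.uid || t->cred.gid != s->saved.gid ||
                 t->cred.caps != s->saved.caps)) {
        fprintf(stderr, "guard: pid %d: credentials changed outside a tracked path\n", t->pid);
        if (!enforce)
            return ACT_LOG;         /* report only */
        t->alive = 0;               /* model of killing the offending task */
        return ACT_KILL;
    }
    return ACT_NONE;
}

/* Constructed scenario: a tracked uid change passes, an untracked one is caught. */
static enum action run_scenario(int enforce)
{
    struct task t = { 1234, { 1000, 1000, 0 }, 1 };
    struct shadow s;
    enum action a;
    t.cred.uid = 1001;              /* tracked change: the shadow copy is resynced */
    shadow_sync(&s, &t);
    if ((a = validate_task(&t, &s, enforce)) != ACT_NONE)
        return a;                   /* would be a false positive */
    t.cred.uid = 0;                 /* untracked overwrite, as after memory corruption */
    return validate_task(&t, &s, enforce);
}

int main(void)
{
    printf("log-only: %d, enforcing: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```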

Moreover, LKRG 1.0 fixes several race conditions, including those involving SECCOMP filters, namespace validation, and sysctl changes. False positives related to seccomp mode corruption on newer kernels were also resolved. In addition, LKRG improved compatibility with Intel CET IBT and Clang’s KCFI on x86_64, though GCC remains the officially supported compiler.

Other notable updates include hardened builds for LKRG’s userland logger tools, better error reporting, and adjustments to CI testing. According to devs, tests now cover Fedora with the latest mainline kernels, Ubuntu 24.04 LTS through 25.10, and legacy CentOS 7 despite its end of life.

Updated packages are already available via the Rocky Linux SIG/Security repository, with builds for Rocky Linux 9.6 and 8.10 soon to be pushed out. These packages are also compatible with other Enterprise Linux distributions, including AlmaLinux and RHEL 8/9.

For more information, see the announcement.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
