Linux Kernel Runtime Guard 0.8 Released

Linux Kernel Runtime Guard (LKRG) is a loadable kernel module that performs runtime integrity checking of the Linux kernel and detects exploits of security vulnerabilities in the kernel. Because LKRG is a kernel module (not a kernel patch), it can be built for and loaded on top of a wide range of mainline and distribution kernels without patching them.

Almost a year after the previous release, Linux Kernel Runtime Guard (LKRG) version 0.8 is finally available. The following major changes have been made between LKRG 0.7 and 0.8:

  • Add support for kernels 5.3+ (JUMP_LABEL batch mode), 5.5+ and 5.6+ (other changes in JUMP_LABEL), 5.7+ (non-exported kallsyms_lookup_name symbol)
  • Add support for ACPI S3 (suspend to RAM) and S4 (suspend to disk)
  • Add support for DKMS to Makefile
  • Add more hooks, most notably on capable(), to make timely detection more likely for exploits that mess with capabilities rather than credentials
  • New logic for detection of namespace escapes (e.g., from Docker containers)
  • Rework the optional systemd unit file so that LKRG is loaded at an earlier stage of system bootup, but can be disabled via the kernel command-line
  • Add experimental support for Raspberry Pi 4 and 32-bit ARM

Like before, this release is mostly due to work by Adam ‘pi3’ Zabrocki.

For the full list of changes, please see the announcement.

Team Linuxiac