Linux Kernel Runtime Guard (LKRG) is a loadable kernel module that performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel. LKRG is a kernel module (not a kernel patch), so it can be built for and loaded on top of a wide range of mainline and distros’ kernels, without needing to patch those.
After almost a year since the previous release, Linux Kernel Runtime Guard (LKRG) version 0.8 is finally available. The following major changes have been made between LKRG 0.7 and 0.8:
- Add support for kernels 5.3+ (JUMP_LABEL batch mode), 5.5+ and 5.6+ (other changes in JUMP_LABEL), 5.7+ (non-exported kallsyms_lookup_name symbol)
- Add support for ACPI S3 (suspend to RAM) and S4 (suspend to disk)
- Add support for DKMS to Makefile
- Add more hooks, most notably on capable() for more likely timely detection of exploits that mess with capabilities rather than credentials
- New logic for detection of namespace escapes (e.g., from Docker containers)
- Rework the optional systemd unit file so that LKRG is loaded at an earlier stage of system bootup, but can be disabled via the kernel command-line
- Add experimental support for Raspberry Pi 4 and 32-bit ARM
Like before, this release is mostly due to work by Adam ‘pi3’ Zabrocki.
If you would like to see the full list of changes, please visit announcement.