Linux Kernel Runtime Guard 0.8 Released

Linux Kernel Runtime Guard (LKRG) is a loadable kernel module that performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel. LKRG is a kernel module (not a kernel patch), so it can be built for and loaded on top of a wide range of mainline and distros’ kernels, without needing to patch those.

After almost a year since the previous release, Linux Kernel Runtime Guard (LKRG) version 0.8 is finally available. The following major changes have been made between LKRG 0.7 and 0.8:

  • Add support for kernels 5.3+ (JUMP_LABEL batch mode), 5.5+ and 5.6+ (other changes in JUMP_LABEL), 5.7+ (non-exported kallsyms_lookup_name symbol)
  • Add support for ACPI S3 (suspend to RAM) and S4 (suspend to disk)
  • Add support for DKMS to Makefile
  • Add more hooks, most notably on capable() for more likely timely detection of exploits that mess with capabilities rather than credentials
  • New logic for detection of namespace escapes (e.g., from Docker containers)
  • Rework the optional systemd unit file so that LKRG is loaded at an earlier stage of system bootup, but can be disabled via the kernel command-line
  • Add experimental support for Raspberry Pi 4 and 32-bit ARM

Like before, this release is mostly due to work by Adam ‘pi3’ Zabrocki.

If you would like to see the full list of changes, please see the release announcement.
