lkrg-org / lkrg

Linux Kernel Runtime Guard
https://lkrg.org

LKRG blocks bpfilter_umh #263

Open geaaru opened 1 year ago

geaaru commented 1 year ago

Hi, I integrated LKRG with Macaroni OS (that is a Gentoo/Funtoo-based system) and I'm opening this issue just to understand if this is an issue or not:

[105287.146863] LKRG: ALERT: BLOCK: UMH: Executing program name bpfilter_umh
[105287.203415] LKRG: ALERT: BLOCK: UMH: Executing program name bpfilter_umh

These messages start to be generated when LXD is started, probably because it tries to use nftables, which is processed by bpfilter_umh (if I understood the behavior of bpfilter_umh correctly). So the question is: is it correct that LKRG blocks bpfilter_umh execution?

Disabling UMH validation quiets kernel messages but I'm not sure that this is correct.

# sysctl -a | grep umh
lkrg.umh_enforce = 1
lkrg.umh_validate = 0

Thanks for any feedback

solardiz commented 1 year ago

Hi @geaaru. This looks like how #19 manifests itself on more recent kernels than we looked at back then. As you can see, that issue is still not addressed. So if you need bpfilter_umh to work, you need to disable UMH validation or enforcement.

We didn't yet look into what exact functionality is lost when bpfilter_umh is blocked (e.g., is it possibly a security risk to block it, if that causes some filter rules not to be set up?), so we don't yet know what our desired default would be (when we have the code to control this).

Simply allowing the name bpfilter_umh without a further check isn't a good idea since it'd also match a possible program binary of that name in the current directory, which could be used for attacks relying on UMH. We'd need to add a check that the program being executed actually comes from the kernel itself and not from an external file.
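Added example, not LKRG's own code: a small Python triage helper that parses dmesg output for the LKRG UMH alert lines quoted above and summarizes which programs were blocked, how often and when, so an administrator can see what is affected before deciding whether to relax umh_validate or umh_enforce. The sample input is constructed from this issue's two lines plus one unrelated kernel message; the regex assumes the dmesg "[seconds]" prefix shown here.

```python
import re

# Shape of the alert lines quoted in this issue: "[ts] LKRG: ALERT: <ACTION>: UMH: Executing program name <prog>".
# The action word is captured generically rather than assuming LKRG's full vocabulary.
LKRG_UMH_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+LKRG:\s+ALERT:\s+(?P<action>\w+):\s+UMH:\s+"
    r"Executing program name\s+(?P<prog>\S+)\s*$"
)

# Constructed sample: the two lines from the issue plus an unrelated kernel line that must be ignored.
SAMPLE_DMESG = """\
[105287.146863] LKRG: ALERT: BLOCK: UMH: Executing program name bpfilter_umh
[105287.203415] LKRG: ALERT: BLOCK: UMH: Executing program name bpfilter_umh
[105290.000001] audit: type=1400 audit(constructed): apparmor="STATUS" profile="unconfined"
"""


def parse_umh_alerts(text):
    """Yield (timestamp, action, program) for each LKRG UMH alert line; other lines are skipped."""
    for line in text.splitlines():
        m = LKRG_UMH_RE.match(line)
        if m:
            yield float(m["ts"]), m["action"], m["prog"]


def summarize_umh_alerts(text):
    """Group alerts by program name: count, first/last timestamp, and the set of actions seen."""
    summary = {}
    for ts, action, prog in parse_umh_alerts(text):
        entry = summary.setdefault(prog, {"count": 0, "first": ts, "last": ts, "actions": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["actions"].add(action)
    return summary


if __name__ == "__main__":
    for prog, info in summarize_umh_alerts(SAMPLE_DMESG).items():
        print(f"{prog}: {info['count']} alert(s), {sorted(info['actions'])}, "
              f"first={info['first']:.6f} last={info['last']:.6f}")
```

Feed it `dmesg` output from the affected host; a program that appears here is one whose UMH execution LKRG stopped, which is the functionality you lose if you keep enforcement on.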

geaaru commented 1 year ago

@solardiz hey, thank you very much for your fast feedback. I wasn't sure that was the same thing described in #19. FWIS the bpfilter_umh is executed in the kernel to translate the nftables rules into JIT bytecode that is used as an alternative to the iptables netfilter stack. But I'm not sure about this. I could be at fault. So, stopping this with LXD (when the nftables tool is used) probably avoids configuring rules. But, atm in Macaroni the nftables version doesn't work with LXD, which falls back to iptables mode, and I can't confirm this. I will try to do some more tests to improve this issue description. Thanks again.

solardiz commented 8 months ago

In related news, bpfilter is now removed from Linux 6.8+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=98e20e5e13d2