The Linux Kernel Runtime Guard (LKRG) is a kernel module that checks the Linux kernel while it’s running. It looks for signs of tampering and tries to catch attempts to exploit security flaws in the kernel. Because it’s a module and not a patch, LKRG can run on many different kernels without any changes to them. It works with versions going back to RHEL7 and its variants, as well as the latest mainline and distribution kernels.
Linux Kernel Runtime Guard 1.0.0
After more than seven years of development since its first public release in 2018, the Linux Kernel Runtime Guard has reached a major milestone. The team has officially released version 1.0.0, marking the project as stable and mature.
The LKRG 1.0.0 release brings a range of updates focused on broader kernel compatibility, performance improvements, and better reliability. It now supports the latest mainline Linux kernels, tested up to version 6.17-rc4, and introduces changes to work smoothly with Linux 6.13 and above, including adjustments to how credential pointer overwrite attacks are detected. On older kernels, LKRG now checks for these attacks in more places for stronger protection.
This release also cleans up and streamlines the codebase, removing unnecessary tracking of credentials that aren’t validated and reducing the overall size by about 1,500 lines. Support for newer kernel features like OverlayFS ovl_tmpfile (needed for container workloads on Linux 6.10 to 6.12) has been added, along with compatibility for Intel CET IBT and KCFI on x86_64 systems.
Performance and stability have been improved by switching many hooks from kretprobes to simpler kprobes, overhauling how per-task shadow data is managed with finer-grained locking, and making certain lookups lockless for speed. Several race conditions and bugs have been fixed, including issues with seccomp handling and namespace validation, reducing false positives and crashes.
Additional updates include better clang support, though GCC remains the officially supported compiler, optional kprobe testing to address issues on recent Gentoo systems, and improved log handling. Continuous Integration has also been expanded, with Fedora now used for latest mainline testing and added support for newer Ubuntu releases, while CentOS 7 testing has been maintained past its end-of-life.
Overall, LKRG 1.0.0 marks a significant step forward in stability, performance, and compatibility, setting a solid foundation for future development.
LKRG 1.0.0 download
Linux Kernel Runtime Guard 1.0.0 has been tested with Linux kernels from RHEL/CentOS 7’s 3.10.0-1160 and up to Fedora’s build of 6.17.0-0.rc4.36.fc44.x86_64. It currently supports the x86-64, 32-bit x86, AArch64 (ARM64), and 32-bit ARM CPU architectures.
LKRG 1.0.0 is available for free here.