
LKRG Fails to Hook do_seccomp() Due to Compiler Inlining on Kernel 4.19.246

Open Ssspade opened this issue 5 months ago • 3 comments

When running insmod lkrg.ko on Linux kernel version 4.19.246, initialization fails due to an inability to hook the do_seccomp() function. The error log indicates:

[   61.723875] LKRG: ALIVE: Loading LKRG
[   61.747867] Freezing user space processes ... (elapsed 0.001 seconds) done.
[   61.755992] OOM killer disabled.
[   61.781892] LKRG: ISSUE: register_k[ret]probe() for do_seccomp failed! [err=-2]
[   61.789190] LKRG: FATAL: Can't hook seccomp
[   61.793360] LKRG: FATAL: Can't initialize exploit detection features
[   61.799702] LKRG: DYING: Not loading LKRG (initialization failed)

I found that do_seccomp() has been inlined by the compiler in this kernel version, and its symbol is not available in the kernel symbol table, so LKRG's kprobe mechanism cannot resolve the function address.

Ssspade avatar Nov 19 '25 09:11 Ssspade
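
The condition reported above (err=-2 is -ENOENT, meaning the kprobe target name did not resolve) can be checked ahead of a module load by classifying the symbol in kallsyms-format text. This is an added example, not part of the original thread or LKRG's own code; the function name `symbol_status` and the sample symbol table are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a kprobe target by how it appears in
# kallsyms-format text ("<address> <type> <name> [module]").

# Constructed sample table, NOT taken from the reporter's system.
# do_seccomp is deliberately absent, as it would be when fully inlined.
sample_kallsyms() {
cat <<'EOF'
0000000000000000 T __x64_sys_seccomp
0000000000000000 t seccomp_set_mode_filter
0000000000000000 t seccomp_check_filter.isra.0
0000000000000000 T prctl_set_seccomp
0000000000000000 d seccomp_sysctl_table
EOF
}

# symbol_status NAME   (reads kallsyms-format text on stdin)
# Prints one of:
#   present       exact text symbol exists; a kprobe on NAME can resolve
#   variant-only  only compiler clones exist (NAME.isra.N, NAME.constprop.N,
#                 NAME.part.N, NAME.cold); a kprobe on the plain NAME fails
#   missing       no text symbol at all (inlined everywhere, or not built)
symbol_status() {
    awk -v sym="$1" '
        $2 !~ /^[tTwW]$/ { next }               # only text symbols are probeable
        $3 == sym { exact = 1 }
        index($3, sym ".") == 1 { variant = 1 } # name starts with "NAME."
        END {
            if (exact)        print "present"
            else if (variant) print "variant-only"
            else              print "missing"
        }'
}

# On a live system:
#   symbol_status do_seccomp < /proc/kallsyms
```

A result of `missing` or `variant-only` for a function a module hooks by name predicts the register_k[ret]probe() failure shown in the log.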

Thanks. Is this kernel build from a distro, or your own custom build? You could use our scripts/add-exports.sh.

solardiz avatar Nov 19 '25 10:11 solardiz

Yes, it's my own custom build, based directly on the upstream kernel source.

Ssspade avatar Nov 20 '25 09:11 Ssspade

What compiler/version/options did you build the kernel with?

solardiz avatar Nov 20 '25 17:11 solardiz