What’s New in Linux Kernel Runtime Guard 1.0? A Deep Dive into Enhanced Security
The Linux Kernel Runtime Guard (LKRG) 1.0 release adds support for kernel 6.17, removes obsolete code, improves performance, expands OverlayFS compatibility, and tightens protection against credential overwrites and other kernel‑level attacks, while remaining a complementary layer to SELinux and AppArmor.
21CTO editorial: after more than seven years of development, Linux Kernel Runtime Guard (LKRG) finally reaches version 1.0, bringing support for kernel 6.17, bug fixes, performance enhancements, and code cleanup.
Maintained by the Openwall project, LKRG is a kernel module that acts as a security layer for the Linux kernel, monitoring runtime behavior and capturing suspicious or unsafe actions.
For example, if an attacker tries to exploit a kernel vulnerability by overwriting credentials or modifying kernel memory, LKRG can detect the activity, log it, terminate the offending process, or take other configured defensive actions.
LKRG does not replace SELinux or AppArmor; instead, it supplements them by adding additional checks at the kernel level.
Between versions 0.9.9 and 1.0, LKRG underwent major improvements: it now supports the latest mainstream Linux kernels (tested up to 6.17‑rc4) and includes adjustments for Linux 6.13 and newer, such as removing the override_creds() and revert_creds() hooks and extending credential‑pointer overwrite checks for older kernels.
OverlayFS compatibility has also been enhanced, especially when running containers on kernels 6.10 to 6.12, reducing false positives.
The codebase is now leaner, shrinking by roughly 2,400 lines.
Performance gains include lock‑free shadow data lookups per task, finer‑grained shadow data locks, and many hooks switching from kretprobes to kprobes for better reliability and speed. Integrity violation checks are wrapped in unlikely(), keeping hot paths free from unnecessary cache contention.
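The following user-space C model is an added example, not LKRG source code. It illustrates the shadow-data idea mentioned above: a private copy of a task's credentials is compared against the live ones, with the violation branches hinted as cold via unlikely(). The struct layouts, names and tampering values are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same branch hint the kernel uses: the condition is expected to be false. */
#define unlikely(x) __builtin_expect(!!(x), 0)

/* Simplified stand-in for the kernel's struct cred (hypothetical layout). */
struct cred_model { uint32_t uid, gid, euid, egid; };

/* A task plus the guard's private shadow record for it. */
struct task_model {
    int pid;
    struct cred_model *cred;       /* live pointer that tampering would retarget */
    struct cred_model *shadow_ptr; /* pointer recorded at the last legitimate change */
    struct cred_model shadow;      /* field values recorded at the same time */
};

enum verdict { CRED_OK = 0, CRED_FIELDS_CHANGED, CRED_PTR_SWAPPED };

/* Resync the shadow copy; called only on legitimate credential changes. */
void shadow_update(struct task_model *t) {
    t->shadow_ptr = t->cred;
    t->shadow = *t->cred;
}

/* Integrity check: both violation branches are marked as the cold path. */
enum verdict shadow_validate(const struct task_model *t) {
    if (unlikely(t->cred != t->shadow_ptr))
        return CRED_PTR_SWAPPED;
    if (unlikely(memcmp(t->cred, &t->shadow, sizeof t->shadow) != 0))
        return CRED_FIELDS_CHANGED;
    return CRED_OK;
}

int main(void) {
    struct cred_model user = {1000, 1000, 1000, 1000}, root = {0, 0, 0, 0};
    struct task_model t = { .pid = 4242, .cred = &user };
    shadow_update(&t);
    printf("baseline:        %d\n", shadow_validate(&t));
    user.euid = 0;                 /* constructed tampering: field overwrite */
    printf("field overwrite: %d\n", shadow_validate(&t));
    user.euid = 1000;
    t.cred = &root;                /* constructed tampering: pointer swap */
    printf("pointer swap:    %d\n", shadow_validate(&t));
    return 0;
}
```

A real guard would act on a non-zero verdict by logging, killing the task or taking another configured response, which this model leaves to the caller.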
LKRG 1.0 also fixes several race conditions involving SECCOMP filters, namespace validation, and sysctl changes, and resolves false positives related to seccomp mode corruption on newer kernels. Compatibility with Intel CET IBT on x86_64 and Clang’s KCFI has been improved, though GCC remains the officially supported compiler.
Other notable updates include a hardened user‑space logging tool, better error reporting, and adjustments to CI testing.
The core developers report that testing now covers the latest mainline kernels on Fedora, Ubuntu 24.04 LTS through 25.10, as well as the legacy CentOS 7.
Updated packages are available through the Rocky Linux SIG/Security repository, with releases for Rocky Linux 9.6 and 8.10 imminent, and they are also compatible with other enterprise‑grade distributions such as AlmaLinux and RHEL 8/9.
With these improvements, Linux systems can now enjoy a higher level of security.
Related URL: https://lkrg.org/
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
