From 8722a7ed889c8a824cd94d63ff3f88f10275fcf0 Mon Sep 17 00:00:00 2001 From: Joe Lawrence Date: Mon, 6 Feb 2017 13:51:53 -0500 Subject: [PATCH] readme: update taint flag info --- README.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 1d00b0e..dbc91eb 100644 --- a/README.md +++ b/README.md @@ -443,8 +443,7 @@ kpatch-build already works with both livepatch and kpatch. If your kernel has CONFIG\_LIVEPATCH enabled, it detects that and builds a patch module in the livepatch format. Otherwise it builds a kpatch patch module. -Soon the kpatch script will also support both patch module formats (TODO issue -[#479](https://github.com/dynup/kpatch/issues/479)). +The kpatch script also supports both patch module formats. **Q. Isn't this just a virus/rootkit injection framework?** @@ -454,11 +453,10 @@ ability to arbitrarily modify the kernel, with or without kpatch. **Q. How can I detect if somebody has patched the kernel?** -When a patch module is loaded, the `TAINT_USER` flag is set. To test for it, -`cat /proc/sys/kernel/tainted` and check to see if the value of 64 has been -OR'ed in. - -Eventually we hope to have a dedicated `TAINT_KPATCH` flag instead. +When a patch module is loaded, the `TAINT_USER` or `TAINT_LIVEPATCH` flag is +set. (The latter flag was introduced in Linux version 4.0.) To test for +these flags, `cat /proc/sys/kernel/tainted` and check to see if the value of +`TAINT_USER` (64) or `TAINT_LIVEPATCH` (32768) has been OR'ed in. Note that the `TAINT_OOT_MODULE` flag (4096) will also be set, since the patch module is built outside the Linux kernel source tree. 
@@ -467,6 +465,11 @@ If your patch module is unsigned, the `TAINT_FORCED_MODULE` flag (2) will also be set. Starting with Linux 3.15, this will be changed to the more specific `TAINT_UNSIGNED_MODULE` (8192). +Linux versions starting with 4.9 also support a per-module `TAINT_LIVEPATCH` +taint flag. This can be checked by verifying the output of +`cat /sys/module//taint` -- a 'K' character indicates the +presence of `TAINT_LIVEPATCH`. + **Q. Will it destabilize my system?** No, as long as the patch is chosen carefully. See the Limitations section
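Review bot: the subject line says "readme: update taint flag info", but the first hunk (@@ -443) also changes the statement about the kpatch script. It replaces the "Soon the kpatch script will also support both patch module formats" sentence and the link to issue #479 with "The kpatch script also supports both patch module formats." Mention this in the commit message or split it into its own commit, so that dropping the TODO reference can be found from the log.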
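Review bot: in the hunk at @@ -454, "the `TAINT_USER` or `TAINT_LIVEPATCH` flag is set" does not say which flag goes with which patch module format, so a reader checking `/proc/sys/kernel/tainted` cannot tell which bit to expect on their system. The earlier answer already distinguishes the livepatch format (built when CONFIG_LIVEPATCH is enabled) from the kpatch format, so tie each flag to its format here. It would also help to show the bit test instead of only describing it, for example `echo $(( $(cat /proc/sys/kernel/tainted) & 32768 ))`, which prints a nonzero value when `TAINT_LIVEPATCH` is set.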
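Review bot: in the last hunk (@@ -467), the path in `cat /sys/module//taint` has an empty component where the module name belongs, so the command cannot be used as written. If a placeholder in angle brackets was intended there, write it in a form that survives markdown rendering, such as `/sys/module/$MODULE/taint`, and state that it stands for the name of the loaded patch module.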