From 257cef24baa038b21ef511e9d95c4229a5e16f68 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 24 Jul 2021 18:03:40 -0400
Subject: [PATCH] add LKRG compatibility settings automation for VirtualBox hosts https://github.com/openwall/lkrg/issues/82
---
.../system/lkrg.service.d/40-virtualbox.conf | 5 +++
.../lkrg/30-lkrg-virtualbox.conf | 31 +++++++++++++++++++
usr/share/security-misc/lkrg/lkrg-virtualbox | 24 ++++++++++++++
3 files changed, 60 insertions(+)
create mode 100644 lib/systemd/system/lkrg.service.d/40-virtualbox.conf
create mode 100644 usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf
create mode 100755 usr/share/security-misc/lkrg/lkrg-virtualbox
diff --git a/lib/systemd/system/lkrg.service.d/40-virtualbox.conf b/lib/systemd/system/lkrg.service.d/40-virtualbox.conf
new file mode 100644
index 0000000..346f861
--- /dev/null
+++ b/lib/systemd/system/lkrg.service.d/40-virtualbox.conf
@@ -0,0 +1,5 @@
+## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+[Service]
+ExecStartPre=/usr/share/security-misc/lkrg/lkrg-virtualbox
diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf
new file mode 100644
index 0000000..c5d72b1
--- /dev/null
+++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf
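Review bot: `ExecStartPre=` is written without the `-` prefix, so any non-zero exit from the helper stops lkrg.service before its ExecStart, and the helper added in this same patch runs under `set -e`, where a failed `cp` or `rm` is enough. That makes loading the runtime guard depend on a compatibility script succeeding. If the VirtualBox settings are meant to be best effort, use `ExecStartPre=-/usr/share/security-misc/lkrg/lkrg-virtualbox`; if failing closed is intended, state that in a comment above the line. The base unit is not part of this patch, so it is worth confirming that it applies /etc/sysctl.d/30-lkrg-virtualbox.conf after the module is loaded, since the `lkrg.*` keys are only registered once LKRG is present.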
@@ -0,0 +1,31 @@
+## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## DO NOT EDIT THIS FILE /etc/sysctl.d/30-lkrg-dkms.conf AS EDITS WILL BE LOST!
+## This is an auto generated file.
+
+## Please use "/etc/sysctl.d/50-user.conf" for your custom
+## configuration, which will override the defaults found here.
+
+## gets copied from:
+## /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf
+## to:
+## /etc/sysctl.d/30-lkrg-virtualbox.conf
+## by package security-misc, files:
+## /usr/share/security-misc/lkrg/lkrg-virtualbox
+## /lib/systemd/system/lkrg.service.d/40-virtualbox.conf
+
+## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32
+## https://www.openwall.com/lists/lkrg-users/2020/01/24/2
+## https://www.openwall.com/lists/lkrg-users/2020/01/25/2
+## https://github.com/openwall/lkrg/issues/82
+## https://github.com/openwall/lkrg/blob/main/scripts/bootup/lkrg.conf
+## https://github.com/openwall/lkrg/blob/main/scripts/bootup/systemd/lkrg.service
+## /etc/sysctl.d/30-lkrg-dkms.conf
+## /lib/systemd/system/lkrg.service
+
+## Already LKRG upstream default.
+#lkrg.msr_validate = 0
+
+lkrg.pcfi_validate = 1
+lkrg.profile_validate = 2
diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox
new file mode 100755
index 0000000..30a114a
--- /dev/null
+++ b/usr/share/security-misc/lkrg/lkrg-virtualbox
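Review bot: The "DO NOT EDIT THIS FILE" line in the header names /etc/sysctl.d/30-lkrg-dkms.conf, but the "gets copied" comment a few lines below says this template is installed as /etc/sysctl.d/30-lkrg-virtualbox.conf; the warning should read `## DO NOT EDIT THIS FILE /etc/sysctl.d/30-lkrg-virtualbox.conf AS EDITS WILL BE LOST!`. The two active settings at the end carry no explanation, while only the commented-out `lkrg.msr_validate` is annotated. A comment above `lkrg.pcfi_validate = 1` and `lkrg.profile_validate = 2` should say that they change LKRG's validation level for VirtualBox compatibility and what checking is given up, so an administrator can decide whether to override them in 50-user.conf. That these values sit below the upstream defaults is inferred from the linked issue and should be checked against the LKRG documentation before it is written into the comment.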
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+set -x
+set -e
+
+if ! command -v vboxmanage &>/dev/null ; then
+ if test -f /etc/sysctl.d/30-lkrg-virtualbox.conf ; then
+ rm --force --verbose /etc/sysctl.d/30-lkrg-virtualbox.conf
+ fi
+ exit 0
+fi
+
+if ! test -d /etc/sysctl.d ; then
+ exit 0
+fi
+
+if ! test -f /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf ; then
+ exit 0
+fi
+
+cp --verbose /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf /etc/sysctl.d/30-lkrg-virtualbox.conf
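Review bot: The two `exit 0` branches for a missing /etc/sysctl.d and a missing template report success without a message, so on a host where `vboxmanage` is found LKRG then starts without the compatibility file and only the `set -x` trace hints at why. Print a reason before each exit, for example `echo "$0: template not found, VirtualBox compatibility settings not installed" >&2`. The `command -v vboxmanage` test also deserves a comment: it detects that VirtualBox is installed and reachable through the service's PATH, not that the machine actually runs VMs, and the copied settings then apply host-wide. Something like `## vboxmanage in PATH is treated as "VirtualBox host"; the LKRG settings below apply to the whole system.` above the first `if` would make that scope explicit.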