Atomicorp

With Kernel Care installed, I should be able to apply kernel patch by executing

`kcarectl --update`

However, it gives this error:

Updates already downloaded
Updates already downloaded
rmmod: ERROR: could not remove 'kcare': Operation not permitted
rmmod: ERROR: could not remove module kcare: Operation not permitted
Unable to unload kcare kmod 1

Below is my kernel configuration from /etc/asl/config, please advise what needs to change to allow `kcarectl` to work.

# Kernel configuration.
ALLOW_kmod_loading="yes"
MAX_USER_WATCHES="16384"
GRKERNSEC_DISABLE_PAX="no"
GRKERNSEC_DETER_BRUTEFORCE="no"
GRKERNSEC_CONSISTENT_SETXID="yes"
ENABLE_TPE="yes"
TPE_GROUP_POLICY="untrusted"
TPE_UNTRUSTED_USERS=""
TPE_TRUSTED_USERS=""
DISABLE_PRIVILEGED_IO="no"
AUDIT_MOUNT="no"
AUDIT_CHDIR="no"
AUDIT_PTRACE="yes"
AUDIT_TEXTREL="no"
CHROOT_CAPS="yes"
CHROOT_DENY_CHMOD="yes"
CHROOT_DENY_CHROOT="yes"
CHROOT_DENY_FCHDIR="yes"
CHROOT_DENY_MKNOD="yes"
CHROOT_DENY_MOUNT="yes"
CHROOT_DENY_PIVOT="yes"
CHROOT_DENY_SHMAT="yes"
CHROOT_DENY_SYSCTL="yes"
CHROOT_DENY_UNIX="yes"
CHROOT_ENFORCE_CHDIR="yes"
CHROOT_EXECLOG="no"
CHROOT_FINDTASK="yes"
CHROOT_RESTRICT_NICE="yes"
EXEC_LOGGING="no"
EXEC_LOG_USERS=""
DMESG="yes"
EXECVE_LIMITING="yes"
FIFO_RESTRICTIONS="yes"
FORKFAIL_LOGGING="yes"
HARDEN_PTRACE="yes"
IP_BLACKHOLE="yes"
LASTACK_RETRIES="4"
LINKING_RESTRICTIONS="yes"
RESOURCE_LOGGING="yes"
ROMOUNT_PROTECT="no"
RWXMAP_LOGGING="yes"
SIGNAL_LOGGING="yes"
SOCKET_ALL="yes"
SOCKET_USERS=""
SOCKET_CLIENT="yes"
SOCKET_CLIENT_USERS=""
SOCKET_SERVER="yes"
SOCKET_SERVER_USERS=""
TIMECHANGE_LOGGING="yes"

You dont need to use that with the ASL kernel, the ASL kernel is rebootless and does not need third party kernel patching tools. It will automatically patch itself in the very rare case when a patch is necessary.

However, those of us who are using other kernels such as CloudLinux *do* need to do this, which I think is what the OP was asking for.
This is something I could use as well, as I see this on my systems too.

First guess would be that if you change

ALLOW_kmod_loading="yes"

that you need to reboot before it lets you actually do it - or does this setting have no effect when using non ASL kernels?

ping

That may be what you need to do. I would check with kernelcare, if you're not using our kernel then that setting is just asking whatever kernel you are using lock module loading, and how that works could vary differently and some kernels dont support that capability.