The Linux 5.4 kernel received patches to restrict root access to kernel internals

Linus Torvalds has accepted, for the upcoming Linux 5.4 kernel release, the "lockdown" patch set proposed by David Howells (Red Hat) and Matthew Garrett (Google) to restrict root's access to the kernel. The lockdown functionality is implemented as an optionally enabled LSM (Linux Security Module) that establishes a barrier between UID 0 and the kernel by restricting certain low-level interfaces.

If an attacker gains code execution with root privileges, he can go on to run his code at kernel level, for example by replacing the running kernel via kexec or by reading and writing kernel memory through /dev/kmem. The most obvious consequences of such activity are a bypass of UEFI Secure Boot and the extraction of sensitive data held in the kernel.

The root-restriction features were originally developed as part of hardening verified boot, and distributions have long shipped third-party patches to block UEFI Secure Boot bypasses. Those restrictions were never merged into the mainline kernel because of disagreements over their implementation and fears of breaking existing systems. The "lockdown" module takes the patches already used in distributions and reworks them into a separate subsystem that is not tied to UEFI Secure Boot.

Lockdown restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and CPU MSR registers; it blocks the kexec_file and kexec_load calls, prohibits hibernation, limits the use of DMA for PCI devices, prohibits loading ACPI code from EFI variables, and forbids I/O port manipulation, including changing the interrupt number and I/O port of a serial port.

The lockdown module is disabled by default. It is built by enabling the SECURITY_LOCKDOWN_LSM option in kconfig (and must appear in the kernel's LSM list, CONFIG_LSM or the lsm= parameter, where it is included by default) and is activated through the lockdown= kernel parameter, the /sys/kernel/security/lockdown control file, or the LOCK_DOWN_KERNEL_FORCE_* build options; the level can be "integrity" or "confidentiality". "integrity" disables features that allow user space to modify the running kernel, while "confidentiality" additionally disables functionality that could be used to extract sensitive information from the kernel. The control file shows the current level in brackets ("none [integrity] confidentiality"), and a write to it can raise the level but never lower it, so once set the level is a one-way switch until reboot.
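As an added example (not code from the original article or from the lockdown patch set itself), the following POSIX shell script ties together the configuration paragraph above and the earlier list of restricted interfaces: it parses the control file's bracketed "none [integrity] confidentiality" format, refuses a write that would lower the level (the kernel only allows raising it at runtime), reads any lockdown= value from the kernel command line, and, when invoked with --probe, tries to read one byte from a few of the files lockdown blocks. The paths and the file format are those of Linux 5.4; the function names and the sample strings used to exercise them are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article or of the lockdown LSM.
# Assumes the Linux 5.4 securityfs control file and its
# "none [integrity] confidentiality" format; function names are this example's own.

LOCKDOWN_FILE=/sys/kernel/security/lockdown

# Numeric rank of a level: lockdown can be raised at runtime but never lowered.
lockdown_rank() {
    case "$1" in
        none)            printf '%s\n' 0 ;;
        integrity)       printf '%s\n' 1 ;;
        confidentiality) printf '%s\n' 2 ;;
        *)               printf '%s\n' -1 ;;
    esac
}

# Active level from the control file contents, e.g. "none [integrity] confidentiality".
# Takes the contents as $1 so it can be exercised on a constructed sample string.
lockdown_current() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Whether writing level $2 would be accepted given control-file contents $1.
# Prints "ok" and returns 0 only for a strict raise; otherwise prints the reason.
lockdown_can_raise() {
    cur=$(lockdown_current "$1")
    cur_rank=$(lockdown_rank "$cur")
    new_rank=$(lockdown_rank "$2")
    if [ "$new_rank" -lt 0 ]; then
        printf '%s\n' "invalid level: $2"
        return 1
    fi
    if [ "$new_rank" -le "$cur_rank" ]; then
        printf '%s\n' "refused: lockdown cannot be lowered at runtime ($cur -> $2)"
        return 1
    fi
    printf '%s\n' ok
}

# Level requested at boot with lockdown=, from /proc/cmdline contents $1 (empty if none).
lockdown_from_cmdline() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^lockdown=//p' | tail -n 1
}

# Raise the live level after checking that the write would be accepted (needs root).
lockdown_raise() {
    reason=$(lockdown_can_raise "$(cat "$LOCKDOWN_FILE")" "$1") || {
        printf '%s\n' "$reason" >&2
        return 1
    }
    printf '%s\n' "$1" > "$LOCKDOWN_FILE"
}

# Try to read one byte from interfaces the article lists as restricted.
# /dev/mem and /dev/kmem are refused at "integrity", /proc/kcore only at
# "confidentiality"; the open fails with EPERM even for root.
lockdown_probe() {
    for f in /dev/mem /dev/kmem /proc/kcore; do
        [ -e "$f" ] || continue
        if dd if="$f" bs=1 count=1 of=/dev/null 2>/dev/null; then
            printf '%s\n' "$f: readable"
        else
            printf '%s\n' "$f: blocked (lockdown, or not root)"
        fi
    done
}

if [ -r "$LOCKDOWN_FILE" ]; then
    printf 'lockdown level: %s\n' "$(lockdown_current "$(cat "$LOCKDOWN_FILE")")"
else
    printf '%s\n' "no $LOCKDOWN_FILE: kernel built without SECURITY_LOCKDOWN_LSM or securityfs not mounted"
fi
if [ -r /proc/cmdline ]; then
    printf 'lockdown= on cmdline: %s\n' "$(lockdown_from_cmdline "$(cat /proc/cmdline)")"
fi
if [ "${1:-}" = --probe ]; then
    lockdown_probe
fi
```

Run it as root with --probe before and after `lockdown_raise integrity` to see /dev/mem flip from readable to blocked while /proc/kcore stays readable until "confidentiality"; lockdown_can_raise is the check to run before a write, since the kernel answers a lowering attempt with EPERM rather than a message.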

Note that lockdown only limits the regular, intended interfaces to the kernel; it does not protect against modifications made by exploiting a kernel vulnerability. To block changes to a running kernel made through exploits, the Openwall project develops a separate module, LKRG (Linux Kernel Runtime Guard).

Source: opennet.ru