Linus Torvalds
If an attacker achieves code execution with root rights as a result of an attack, he can then run his code at the kernel level, for example by replacing the kernel with kexec or by reading and writing memory via /dev/kmem. The most obvious consequence of such activity would be
Root restriction features were originally developed in the context of hardening verified boot, and distributions have long used third-party patches to block UEFI Secure Boot bypasses. At the same time, such restrictions were not included in the mainline kernel due to
Lockdown restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and CPU MSR registers. The kexec_file and kexec_load calls are blocked, hibernation is prohibited, DMA use by PCI devices is limited, importing ACPI code from EFI variables is prohibited, and I/O port manipulation is not allowed, including changing the interrupt number and I/O port of the serial port.
The lockdown module is inactive by default; it is built in by enabling the SECURITY_LOCKDOWN_LSM option in kconfig and activated via the lockdown= kernel parameter, the /sys/kernel/security/lockdown control file, or the build options
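As an added example (not part of the article and not kernel code), the POSIX shell script below reports the lockdown state of a machine from the two places mentioned above: the /sys/kernel/security/lockdown control file and the lockdown= kernel parameter. It assumes the file format documented by the kernel, a line listing the available modes with the active one in square brackets (for example "[none] integrity confidentiality"); the mode names "none", "integrity" and "confidentiality" come from the kernel documentation, not from this article. The parsing is split into functions so that it can be checked against constructed input on a system where lockdown is not available.

```shell
#!/bin/sh
# Added example: report the kernel lockdown state (not from the article).
# Assumption: the securityfs file prints the available modes on one line with
# the active one in brackets, e.g. "[none] integrity confidentiality".

LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"

# lockdown_mode LINE -> prints the bracketed (active) mode from a status line
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# cmdline_lockdown CMDLINE -> prints the value of lockdown= from a kernel
# command line, or "unset" when the parameter is absent
cmdline_lockdown() {
    _val=unset
    for _tok in $1; do
        case "$_tok" in
            lockdown=*) _val="${_tok#lockdown=}" ;;
        esac
    done
    printf '%s\n' "$_val"
}

# lockdown_status MODE -> prints a one-line assessment of the active mode
lockdown_status() {
    case "$1" in
        confidentiality)
            echo "confidentiality: user space can neither modify nor read kernel memory" ;;
        integrity)
            echo "integrity: user space cannot modify the running kernel" ;;
        none)
            echo "none: lockdown is built in but not enforced" ;;
        *)
            echo "unknown mode '$1'" ;;
    esac
}

# When run as a script, inspect the live system.
if [ -r "$LOCKDOWN_FILE" ]; then
    mode=$(lockdown_mode "$(cat "$LOCKDOWN_FILE")")
    lockdown_status "$mode"
else
    echo "lockdown control file not available: kernel built without SECURITY_LOCKDOWN_LSM or securityfs not mounted"
fi
if [ -r /proc/cmdline ]; then
    echo "lockdown= on kernel command line: $(cmdline_lockdown "$(cat /proc/cmdline)")"
fi
```

Running the script on a kernel without the LSM prints the "not available" line; on a kernel with lockdown built in it prints the active mode and whether the mode was requested on the command line, which is the quickest way to confirm that a hardened boot configuration actually took effect.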
At the same time, it is important to note that lockdown only limits legitimate access to the kernel and does not protect against modifications made by exploiting vulnerabilities. To block changes to a running kernel when exploits are used, the Openwall project
Source: opennet.ru