The Linux 5.4 kernel has received patches to restrict root access to kernel internals

Linus Torvalds has accepted into the upcoming Linux 5.4 kernel release the "lockdown" patch set, proposed by David Howells (Red Hat) and Matthew Garrett (works at Google), to restrict the root user's access to the kernel. The lockdown functionality is placed in an optionally loaded LSM module (Linux Security Module), which sets a barrier between UID 0 and the kernel and restricts certain low-level functionality.

If an attacker manages to execute code with root privileges, he can then run his code at the kernel level, for example by replacing the kernel using kexec or by reading/writing memory through /dev/kmem. The most obvious consequence of such activity can be bypassing UEFI Secure Boot or retrieving sensitive data stored at the kernel level.

Initially, the root restriction functions were developed in the context of strengthening verified boot protection, and distributions have used third-party patches to block UEFI Secure Boot bypasses for some time. At the same time, such restrictions were not included in the mainline kernel because of disagreements over their implementation and fears of breaking existing systems. The "lockdown" module took in the patches already used in distributions, reworked as a separate subsystem that is not tied to UEFI Secure Boot.

Lockdown mode restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and CPU MSR registers. The kexec_file and kexec_load calls are blocked, hibernation is prohibited, the use of DMA for PCI devices is limited, and importing ACPI code from EFI variables is prohibited. Manipulation of I/O ports is not allowed, including changing the interrupt number and I/O port for a serial port.

By default, the lockdown module is not active. It is built when the SECURITY_LOCKDOWN_LSM option is specified in kconfig, and it is activated through the kernel parameter "lockdown=", the control file "/sys/kernel/security/lockdown" or the build options LOCK_DOWN_KERNEL_FORCE_*, which can take the values "integrity" and "confidentiality". In the first case, features that allow changes to the running kernel from user space are blocked; in the second case, functionality that can be used to extract sensitive information from the kernel is disabled as well.
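A way to check these settings on a host, as an added example that is not taken from the article or from the kernel sources. It assumes the control file lists every mode and brackets the active one (for example "none [integrity] confidentiality"); the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit kernel lockdown state (not code from the kernel or the article).
# Assumption: the control file lists every mode and brackets the active one,
# e.g. "none [integrity] confidentiality".
LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"

# Print the bracketed (active) mode from the control file text in $1.
active_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Rank modes so they can be compared: none < integrity < confidentiality.
mode_rank() {
    case "$1" in
        none) echo 0 ;;
        integrity) echo 1 ;;
        confidentiality) echo 2 ;;
        *) echo -1 ;;   # unknown or empty
    esac
}

# Succeed if the active mode in $1 is at least as strict as the mode in $2.
meets_policy() {
    have=$(mode_rank "$(active_mode "$1")")
    want=$(mode_rank "$2")
    [ "$want" -ge 0 ] && [ "$have" -ge "$want" ]
}

# Print the value of lockdown= from a kernel command line in $1 (empty if absent).
cmdline_mode() {
    found=""
    for arg in $1; do
        case "$arg" in lockdown=*) found="${arg#lockdown=}" ;; esac
    done
    echo "$found"
}

# Check the live host against a required mode (default: integrity).
audit_host() {
    required="${1:-integrity}"
    [ -r "$LOCKDOWN_FILE" ] || { echo "lockdown LSM not available"; return 2; }
    state=$(cat "$LOCKDOWN_FILE")
    echo "active: $(active_mode "$state"), boot: $(cmdline_mode "$(cat /proc/cmdline)")"
    meets_policy "$state" "$required" || { echo "FAIL: weaker than $required"; return 1; }
    echo "OK: at least $required"
}

# Constructed sample input, so the parsing runs without a lockdown-enabled kernel.
SAMPLE_STATE='none [integrity] confidentiality'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro lockdown=integrity quiet'
echo "sample: $(active_mode "$SAMPLE_STATE") / $(cmdline_mode "$SAMPLE_CMDLINE")"
```

On a real system, calling audit_host confidentiality returns 0 only when the stricter mode is active, 1 when the mode is weaker, and 2 when the control file is missing because the LSM was not built in.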

It is important to note that lockdown only limits the standard ways of accessing the kernel; it does not protect against modifications made by exploiting vulnerabilities. To block changes to the running kernel when exploits are used, the Openwall project is developing a separate module, LKRG (Linux Kernel Runtime Guard).

source: budenet.ru
