The Linux 5.4 kernel will include patches that restrict root access to kernel internals

Linus Torvalds has approved the inclusion in the upcoming Linux 5.4 kernel release of the "lockdown" patches, proposed by David Howells (Red Hat) and Matthew Garrett (works at Google), which restrict the root user's access to the kernel. The lockdown functionality is implemented as an optionally loaded LSM (Linux Security Module) that places a barrier between UID 0 and the kernel, prohibiting certain low-level operations.

If an attacker achieves code execution with root privileges, they can run their own code at the kernel level, for example by replacing the kernel via kexec or by reading and writing memory through /dev/kmem. The most obvious consequences of such activity are bypassing UEFI Secure Boot or retrieving confidential data stored at the kernel level.

Originally, the root-restriction functionality was developed in the context of strengthening verified boot, and distributions have long shipped third-party patches to block UEFI Secure Boot bypasses. At the same time, these restrictions were not accepted into the mainline kernel because of disagreements over their implementation and fears of breaking existing systems. The "lockdown" module absorbs the patches already used by distributions, reworked as a separate subsystem that is not tied to UEFI Secure Boot.

Lockdown mode restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and CPU MSR registers; the kexec_file and kexec_load system calls are blocked, sleep mode is prohibited, the use of DMA for PCI devices is limited, importing ACPI code from EFI variables is prohibited, and manipulation of I/O ports is not allowed, including changing the interrupt number and I/O port of the serial port.

By default the lockdown module is not active. It is built when the SECURITY_LOCKDOWN_LSM option is enabled in kconfig and is controlled through the kernel parameter "lockdown=", the control file "/sys/kernel/security/lockdown" or the build options LOCK_DOWN_KERNEL_FORCE_*, which can take the values "integrity" and "confidentiality". In the first mode, features that allow the running kernel to be modified from user space are blocked; in the second, functionality that could be used to extract confidential information from the kernel is disabled as well.
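As an added example (not part of the article or the kernel sources), the following POSIX shell script reads the control file named above and reports which class of restriction is in force. It assumes the file's format: all modes are listed on one line and the active one is enclosed in square brackets; the sample line used when the file is absent is constructed.

```shell
#!/bin/sh
# Report the kernel lockdown state from /sys/kernel/security/lockdown.
# Assumed file format (active mode in brackets), e.g.:
#   none [integrity] confidentiality

LOCKDOWN_FILE=/sys/kernel/security/lockdown

# Print the active mode name extracted from a one-line status string.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Exit status 0 if the mode blocks modification of the running kernel
# from user space (kexec_load, /dev/mem, ...): integrity or confidentiality.
blocks_integrity() {
    case "$1" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit status 0 if the mode also blocks paths that disclose kernel memory
# or secrets (/proc/kcore, CPU MSRs, ...): confidentiality only.
blocks_confidentiality() {
    [ "$1" = confidentiality ]
}

# Print a short human-readable report for a status string.
report() {
    mode=$(lockdown_mode "$1")
    [ -n "$mode" ] || mode=unknown
    printf 'lockdown mode: %s\n' "$mode"
    if blocks_integrity "$mode"; then
        echo '  - kernel modification from user space (kexec_load, /dev/mem, ...) blocked'
    else
        echo '  - root can still modify the running kernel (no integrity restrictions)'
    fi
    if blocks_confidentiality "$mode"; then
        echo '  - kernel memory disclosure paths (/proc/kcore, MSRs, ...) blocked'
    fi
}

if [ -r "$LOCKDOWN_FILE" ]; then
    report "$(cat "$LOCKDOWN_FILE")"
else
    # Constructed sample for kernels without the lockdown LSM built in.
    echo "$LOCKDOWN_FILE not available; using a constructed sample line"
    report 'none [integrity] confidentiality'
fi
```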

It is important to note that lockdown only restricts legitimate access to the kernel; it does not protect against modifications made by exploiting vulnerabilities. To block changes to the running kernel when an exploit is used, the Openwall project is developing a separate module, LKRG (Linux Kernel Runtime Guard).

Source: opennet.ru