Linus Torvalds
If an attacker achieves code execution with root privileges, they can run their own code at the kernel level, for example by replacing the kernel using kexec or by reading/writing memory via /dev/kmem. The most obvious consequence of such activity could be
Initially, the root-restriction functions were developed in the context of strengthening verified boot protection, and distributions have long used third-party patches to block bypasses of UEFI Secure Boot. At the same time, such restrictions were not included in the main kernel tree because of
Lockdown mode restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and CPU MSR registers. The kexec_file and kexec_load calls are blocked, sleep mode is prohibited, the use of DMA for PCI devices is limited, importing ACPI code from EFI variables is prohibited, and manipulation of I/O ports is not allowed, including changing the interrupt number and I/O port for the serial port.
By default, the lockdown module is not active. It is built when the SECURITY_LOCKDOWN_LSM option is specified in kconfig, and it is enabled through the kernel parameter "lockdown=", the control file "/sys/kernel/security/lockdown" or build options.
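A host check for the lockdown state described above, as an added example that is not part of the original article: it reads the control file, in which the kernel lists the modes and puts the active one in brackets (for example "none [integrity] confidentiality"), and looks for "lockdown=" on the kernel command line. The function names are made up for this example, and the file paths can be overridden to test against saved copies.

```shell
#!/bin/sh
# Added example: report the kernel lockdown state of a Linux host.

# lockdown_mode [FILE]: print the active (bracketed) mode from the control
# file, "unsupported" if the file is absent (lockdown LSM not built in or
# securityfs not mounted), "unknown" if no bracketed mode is found.
lockdown_mode() {
    f=${1:-/sys/kernel/security/lockdown}
    if [ ! -r "$f" ]; then
        echo unsupported
        return 0
    fi
    mode=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f")
    echo "${mode:-unknown}"
}

# lockdown_cmdline [FILE]: print the value of the first lockdown= token on
# the kernel command line, or "unset" if there is none.
lockdown_cmdline() {
    f=${1:-/proc/cmdline}
    val=
    if [ -r "$f" ]; then
        val=$(tr ' ' '\n' < "$f" | sed -n '/^lockdown=/{s///p;q;}')
    fi
    echo "${val:-unset}"
}

# lockdown_audit [SYSFS_FILE] [CMDLINE_FILE]: print both values and return 0
# only when a restricting mode is active right now.
lockdown_audit() {
    mode=$(lockdown_mode "$1")
    boot=$(lockdown_cmdline "$2")
    echo "active=$mode boot_param=$boot"
    case $mode in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the running host; a non-zero result is reported, not treated as fatal.
lockdown_audit || echo "lockdown is not restricting this kernel"
```

A boot parameter that says one thing while the control file says another (or "unsupported") is the case worth alerting on, since only the control file reflects what the running kernel enforces.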
It is important to note that lockdown only limits the standard ways of accessing the kernel, and does not protect against modifications made by exploiting vulnerabilities. To block changes to the running kernel when exploits are in use, the Openwall project
Source: opennet.ru