The OpenPaX project is developing an analogue of Grsecurity/PaX for hardening the Linux kernel

Edera, a company that develops security solutions for Kubernetes and AI systems, has introduced the OpenPaX project, a set of Linux kernel patches that implement methods for countering the exploitation of vulnerabilities caused by memory-handling errors. OpenPaX is positioned as a reworked analogue of the PaX patch set from the Grsecurity project, which since 2017 has been supplied only as part of a paid product. OpenPaX is developed under the GPLv2 license.

The developers of the Alpine Linux distribution intend to offer an experimental kernel build with the OpenPaX patches in the upcoming 3.21 release, and to make it one of the standard options in release 3.22. OpenPaX can also be used by the Gentoo and Arch Linux distributions, which previously offered Linux kernel variants with the PaX patches. The OpenPaX developers also hope to get some of the protection methods they have developed into the mainline kernel.

Among the features of OpenPaX is the enforcement of W^X (write XOR execute) when creating memory pages: it prohibits the creation of memory pages that are simultaneously writable and executable, and it also blocks changing the type of a page mapping from writable to executable. OpenPaX also has an emulation mechanism that allows a non-executable stack and heap to be used together with trampoline functions, such as those generated by libffi or GCC (the essence of trampolines is that the code for calling a nested or external function is generated dynamically and executed on the stack). Trampolines are emulated by handling the page fault raised when an attempt is made to run code in non-executable memory and emulating the jump.

Since the applied protection methods can break the normal operation of JIT compilers, xattr and the paxmark utility can be used to selectively control which OpenPaX features are enabled for specific executable files. An OpenPaX soft activation mode is also available (sysctl kernel.pax.softmode=1), in which OpenPaX is disabled by default but can be enabled selectively for the individual applications that need protection.
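The following probe, added here as an example and not part of OpenPaX or any of the projects mentioned, checks the two W^X restrictions described above (refusing writable+executable mappings and refusing a writable-to-executable mprotect) from inside a process, so an administrator can verify the effect of a paxmark/xattr marking or of softmode on a given binary by running the probe as that binary. It uses only standard mmap/mprotect calls and never executes the page it writes to.

```c
/* Added probe: reports whether the running kernel refuses W|X mappings and
 * W->X transitions for this process (e.g. under OpenPaX with a given
 * paxmark/xattr policy or softmode setting). Not part of OpenPaX itself. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 1 if a simultaneously writable+executable anonymous mapping is
 * refused at mmap time, 0 if the kernel allows it. */
int probe_rwx_mmap(void) {
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 1;               /* W^X enforced when the mapping is created */
    munmap(p, pg);
    return 0;
}

/* Returns 1 if turning a writable page into an executable one is refused,
 * 0 if allowed, -1 if even the initial writable mapping failed. */
int probe_w_to_x(void) {
    long pg = sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    p[0] = 0xC3;                /* constructed byte; the page is never executed */
    int blocked = (mprotect(p, pg, PROT_READ | PROT_EXEC) != 0) ? 1 : 0;
    munmap(p, pg);
    return blocked;
}

/* Human-readable summary of the two probe results. */
const char *wx_summary(int rwx_blocked, int wx_blocked) {
    if (rwx_blocked && wx_blocked) return "W^X enforced (mmap and mprotect)";
    if (rwx_blocked)             return "W|X mmap refused, W->X mprotect allowed";
    if (wx_blocked)              return "W|X mmap allowed, W->X mprotect refused";
    return "no W^X enforcement for this process";
}

int main(void) {
    int a = probe_rwx_mmap(), b = probe_w_to_x();
    printf("rwx_mmap_blocked=%d w_to_x_blocked=%d: %s\n", a, b, wx_summary(a, b));
    return 0;
}
```

On a kernel without OpenPaX (or with the binary marked to relax MPROTECT) both probes return 0; a fully enforced policy yields 1 for both, which is the result to expect for an unmarked binary with softmode off.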

In addition, the release of the LKRG 0.9.9 kernel module can be noted. It is developed by the Openwall project and is designed to detect and block attacks, as well as to prevent integrity violations of kernel structures. For example, the module can protect against unauthorized modification of the running kernel and against attempts to change the privileges of user processes (detecting the use of exploits). The module is suitable both for organizing protection against already known Linux kernel vulnerabilities (for example, in situations where updating the kernel on a system is difficult) and for counteracting exploits for as-yet-unknown vulnerabilities. The project's code is distributed under the GPLv2 license. The implementation details of LKRG are described in the project's first announcement. The new version provides compatibility with Linux kernels 5.10.220+, 6.10.10+, 6.11 and 6.12-rc, as well as with the packages shipping the 5.14.0-470.el9+ kernel in CentOS Stream 9 and RHEL 9. Compatibility has been ensured with kernels built in "CONFIG_JUMP_LABEL" mode on systems with the ARM64 architecture.

Source: opennet.ru