The Linux 5.4 kernel has received patches restricting root's access to kernel internals

Linus Torvalds has accepted, for the upcoming Linux 5.4 release, a set of patches known as "lockdown", proposed by David Howells (Red Hat) and Matthew Garrett (Google), that restrict the root user's access to the kernel. The lockdown functionality is implemented as an optional LSM (Linux Security Module) that puts a barrier between UID 0 and the kernel by blocking certain low-level operations.

If an attacker obtains code execution with root privileges, they can normally go on to run code at kernel level as well, for example by replacing the running kernel via kexec or by reading and writing memory through /dev/kmem. The most obvious consequences of such access are bypassing UEFI Secure Boot and extracting confidential data held in the kernel.

The root-restriction functionality was originally developed to strengthen verified boot, and distributions have for a long time been shipping out-of-tree patches to close the UEFI Secure Boot bypasses it addresses. Those restrictions never reached the mainline kernel, however, because of disagreements over the implementation and concerns about breaking existing systems. The lockdown module takes the patches already used by distributions and reworks them as a separate subsystem that is no longer tied to UEFI Secure Boot.

In lockdown mode, access is restricted to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and the CPU MSR registers; the kexec_file and kexec_load calls are blocked; hibernation is disallowed; DMA use by PCI devices is limited; loading ACPI code from EFI variables is prohibited; and manipulation of I/O ports is not allowed, including changing the interrupt number and I/O port of a serial port.

The lockdown module is inactive by default. It is built when the SECURITY_LOCKDOWN_LSM option is set in kconfig and is enabled either through the kernel parameter "lockdown=", through the control file "/sys/kernel/security/lockdown", or through the build options LOCK_DOWN_KERNEL_FORCE_*. The level can be "integrity" or "confidentiality". In integrity mode, the ability to modify the running kernel from user space is blocked; confidentiality mode additionally disables functionality that could be used to extract confidential information from the kernel. Note that the level can be raised through the control file at runtime but not lowered again without a reboot.
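As an added example (not code from the article, the kernel, or the lockdown patch series), the following probe reads the active level from /sys/kernel/security/lockdown and then tries to open the interfaces listed above (/dev/mem, /dev/kmem, /dev/port, /proc/kcore), reporting whether the kernel refused each one. It assumes a Linux host with securityfs mounted and is meant to be run as root, because as an unprivileged user ordinary file permissions return EACCES before the lockdown hook is ever consulted; the path list and the output wording are the example's own choices.

```c
/* lockdown_probe.c: added example, not from the article or the kernel tree.
 * Reports the effective lockdown level and which restricted interfaces the
 * kernel actually refuses to open. Assumes securityfs is mounted at
 * /sys/kernel/security. Build: cc -Wall -o lockdown_probe lockdown_probe.c
 * Run as root for a meaningful result. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LOCKDOWN_SYSFS "/sys/kernel/security/lockdown"

/* The sysfs file reads like "none [integrity] confidentiality\n"; the
 * bracketed word is the active level. Returns that word, or "" if no
 * bracketed token is present. Uses a static buffer, valid until next call. */
const char *parse_lockdown_level(const char *contents)
{
    static char level[32];
    const char *lb = strchr(contents, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    size_t len;

    level[0] = '\0';
    if (lb && rb && rb > lb + 1) {
        len = (size_t)(rb - lb - 1);
        if (len >= sizeof(level))
            len = sizeof(level) - 1;
        memcpy(level, lb + 1, len);
        level[len] = '\0';
    }
    return level;
}

/* Reads the live sysfs file; returns "" if it cannot be read (securityfs
 * not mounted, LSM not built in, etc). */
const char *read_lockdown_level(void)
{
    char buf[128];
    ssize_t n;
    int fd = open(LOCKDOWN_SYSFS, O_RDONLY);

    if (fd < 0)
        return "";
    n = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    if (n <= 0)
        return "";
    buf[n] = '\0';
    return parse_lockdown_level(buf);
}

/* Tries to open path read-only; returns 0 on success, else the errno. */
int probe_open(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Interpretation of a probe result. The lockdown hooks fail with EPERM;
 * a plain permission problem (wrong user) shows up as EACCES instead. */
const char *explain_probe(int err)
{
    switch (err) {
    case 0:      return "open() not refused (STRICT_DEVMEM may still limit reads)";
    case EPERM:  return "EPERM: refused, consistent with lockdown";
    case EACCES: return "EACCES: DAC denial, rerun as root";
    case ENOENT: return "ENOENT: interface not present on this kernel";
    default:     return "other error";
    }
}

int main(void)
{
    /* Interfaces the article lists as restricted in lockdown mode. */
    static const char *paths[] = {
        "/dev/mem", "/dev/kmem", "/dev/port", "/proc/kcore",
    };
    const char *level = read_lockdown_level();
    size_t i;

    if (level[0])
        printf("lockdown level: %s\n", level);
    else
        printf("lockdown level: unknown (%s unreadable)\n", LOCKDOWN_SYSFS);

    for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
        printf("%-12s %s\n", paths[i], explain_probe(probe_open(paths[i])));
    return 0;
}
```

On a kernel running in integrity or confidentiality mode, the four probes should all report EPERM when run as root (or ENOENT for /dev/kmem, which most current kernels no longer build). Each refusal also leaves a "Lockdown: ..." notice in the kernel log, which is a convenient thing to alert on: a root process tripping the lockdown hook is either a misconfigured tool or an attacker who already has UID 0 and is trying to reach the kernel.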

It is important to note that lockdown only restricts the regular, sanctioned paths from root into the kernel; it does not protect the kernel from being modified through the exploitation of a vulnerability. For blocking changes to a running kernel made via exploits, the Openwall project maintains a separate module, LKRG (Linux Kernel Runtime Guard).

Source: opennet.ru
