The Linux 5.4 kernel has accepted patches restricting root access to kernel internals

Linus Torvalds has accepted for inclusion in the upcoming Linux 5.4 kernel release the "lockdown" patch set, proposed by David Howells (Red Hat) and Matthew Garrett (now working at Google), which restricts the root user's access to the kernel. The lockdown functionality is implemented as an optionally loaded LSM (Linux Security Module) that puts a barrier between UID 0 and the kernel, blocking certain low-level operations.

If an attacker gains code execution with root privileges, they can run their code at kernel level, for example by replacing the kernel with kexec or by reading and writing memory through /dev/kmem. The most obvious consequences of such activity are bypassing UEFI Secure Boot or retrieving sensitive data stored at the kernel level.

Initially, the root-restriction features were developed in the context of strengthening verified boot, and distributions have for a long time been applying third-party patches to block UEFI Secure Boot bypasses. At the same time, these restrictions were not included in the mainline kernel because of disagreements about their implementation and fears of breaking existing systems. The "lockdown" module absorbed the patches already used in distributions, reworked into a separate subsystem that is not tied to UEFI Secure Boot.

Lockdown mode restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and the CPU MSR registers. The kexec_file and kexec_load calls are blocked, sleep mode is prohibited, DMA use by PCI devices is limited, importing ACPI code from EFI variables is prohibited, and manipulation of I/O ports is not allowed, including changing the interrupt number and I/O port of the serial port.

By default the lockdown module is not active. It is built when the SECURITY_LOCKDOWN_LSM option is set in kconfig and is enabled through the kernel parameter "lockdown=", the control file "/sys/kernel/security/lockdown", or the build options LOCK_DOWN_KERNEL_FORCE_*, which take the values "integrity" and "confidentiality". In the first case, features that allow changes to the running kernel from user space are blocked; in the second case, functionality that could be used to extract sensitive information from the kernel is disabled as well.
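As an added example (not code from the article or from the lockdown patch set), the following POSIX shell script is a small audit helper a defender can run to see whether the lockdown LSM is built, which mode is active, and whether the boot command line requests it. It assumes the status file "/sys/kernel/security/lockdown" lists the available modes with the active one in square brackets (for example "none [integrity] confidentiality") and that the kconfig symbol appears in the boot config as CONFIG_SECURITY_LOCKDOWN_LSM=y; the sample status line, config line and command line below are constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example: audit the Linux kernel lockdown LSM state on a host.
# Not part of the article; the file paths can be overridden for testing.

LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"
KCONFIG_FILE="${KCONFIG_FILE:-/boot/config-$(uname -r 2>/dev/null)}"

# Extract the bracketed (active) mode from a status line such as
# "none [integrity] confidentiality" (assumed format of the sysfs file).
lockdown_mode_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Report the active mode on this host, or "unavailable" when the LSM is not
# built or securityfs is not mounted.
lockdown_mode() {
    if [ -r "$LOCKDOWN_FILE" ]; then
        lockdown_mode_from_line "$(cat "$LOCKDOWN_FILE")"
    else
        echo "unavailable"
    fi
}

# Describe what each mode blocks, following the article's two levels:
# integrity blocks runtime modification of the kernel from user space,
# confidentiality additionally blocks interfaces that expose kernel memory.
lockdown_describe() {
    case "$1" in
        none)            echo "root can still reach /dev/mem, kexec_load and similar" ;;
        integrity)       echo "runtime kernel modification from user space blocked" ;;
        confidentiality) echo "modification and kernel-memory read interfaces blocked" ;;
        *)               echo "lockdown LSM not available" ;;
    esac
}

# Return 0 when the given kconfig text has the lockdown LSM compiled in.
kconfig_has_lockdown() {
    printf '%s\n' "$1" | grep -q '^CONFIG_SECURITY_LOCKDOWN_LSM=y$'
}

# Return 0 when a kernel command line requests a lockdown mode at boot.
cmdline_requests_lockdown() {
    case " $1 " in
        *" lockdown=integrity "*|*" lockdown=confidentiality "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs, standing in for the real files during testing.
SAMPLE_STATUS="none [integrity] confidentiality"
SAMPLE_KCONFIG="CONFIG_SECURITY=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y"
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda1 lockdown=confidentiality quiet"

# Print a short report for the running host.
lockdown_report() {
    mode=$(lockdown_mode)
    echo "active lockdown mode: $mode ($(lockdown_describe "$mode"))"
    if [ -r "$KCONFIG_FILE" ] && kconfig_has_lockdown "$(cat "$KCONFIG_FILE")"; then
        echo "CONFIG_SECURITY_LOCKDOWN_LSM is enabled in $KCONFIG_FILE"
    else
        echo "CONFIG_SECURITY_LOCKDOWN_LSM not found in $KCONFIG_FILE"
    fi
    if cmdline_requests_lockdown "$(cat /proc/cmdline 2>/dev/null)"; then
        echo "lockdown= is requested on the kernel command line"
    else
        echo "lockdown= is not set on the kernel command line"
    fi
}

lockdown_report
```

A mode of "none" with the LSM compiled in means the barrier exists but is switched off; the mode can be raised (never lowered) at runtime by writing "integrity" or "confidentiality" to the control file, or fixed at build time with the LOCK_DOWN_KERNEL_FORCE_* options.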

It is important to note that lockdown only limits normal access to the kernel; it does not protect against modification through the exploitation of vulnerabilities. Blocking changes to the running kernel when exploits are used is the job of the separate LKRG (Linux Kernel Runtime Guard) module developed by the Openwall project.

Source: opennet.ru
