Release of the LKRG 0.7 module for protection against exploitation of vulnerabilities in the Linux kernel.

The Openwall Project has published the release of the kernel module LKRG 0.7 (Linux Kernel Runtime Guard), which detects unauthorized changes to the running kernel (integrity checking) and attempts to change the permissions of user processes (exploit detection). The module is suitable both for organizing protection against already known exploits for the Linux kernel (for example, in situations where it is difficult to update the kernel on the system) and for countering exploits for vulnerabilities that are not yet known. You can read about the features of LKRG in the first announcement of the project.

Among the changes in the new version:

  • The code has been refactored to provide support for different CPU architectures. Initial support for the ARM64 architecture has been added;
  • Compatibility is ensured with Linux kernels 5.1 and 5.2, as well as with kernels built without the CONFIG_DYNAMIC_DEBUG, CONFIG_ACPI and CONFIG_STACKTRACE options, and with kernels built with the CONFIG_STATIC_USERMODEHELPER option. Experimental support for kernels from the grsecurity project has been added;
  • The initialization logic has been changed significantly;
  • The integrity checker has re-enabled self-hashing and fixed a race condition in the Jump Label engine (*_JUMP_LABEL) that caused a hang when initialization ran at the same time as load or unload events of other modules;
  • In the exploit detection code, new sysctls lkrg.smep_panic (on by default) and lkrg.umh_lock (off by default) have been added, additional checks of the SMEP/WP bit have been added, the logic for tracking new tasks in the system has been changed, the internal logic for synchronizing with task resources has been reworked, support for OverlayFS has been added, and Ubuntu Apport has been placed on the whitelist.

Source: opennet.ru
