The Linux 5.4 kernel accepts patches that restrict root access to kernel internals

Linus Torvalds has accepted for inclusion in the upcoming Linux 5.4 kernel release a set of "lockdown" patches proposed by David Howells (Red Hat) and Matthew Garrett (working at Google) that restrict root's access to the kernel. The Lockdown functionality is implemented as an optionally enabled LSM (Linux Security Module) which places a barrier between UID 0 and the kernel by disabling certain low-level operations.

If an attacker achieves code execution with root privileges, they can go on to run their code at kernel level, for example by replacing the kernel via kexec or by reading and writing kernel memory through /dev/kmem. The most obvious consequences of such activity are bypassing UEFI Secure Boot or extracting sensitive data held at the kernel level.

The root-restriction features were originally developed to strengthen verified boot, and distributions have long shipped third-party patches to block UEFI Secure Boot bypasses. At the same time, these restrictions were kept out of the mainline kernel because of disagreements over their implementation and fears of breaking existing systems. The "lockdown" module takes the patches already used by distributions and reworks them into a separate subsystem that is not tied to UEFI Secure Boot.

Lockdown mode restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and the CPU's MSR registers; blocks the kexec_file and kexec_load system calls; forbids hibernation; limits the use of DMA for PCI devices; forbids importing ACPI code from EFI variables; and disallows manipulation of I/O ports, including changing the interrupt number and I/O port of a serial port.

By default the lockdown mechanism is inactive. It is built when the SECURITY_LOCKDOWN_LSM option is set in kconfig and is activated through the kernel parameter "lockdown=", the control file "/sys/kernel/security/lockdown", or the build options LOCK_DOWN_KERNEL_FORCE_*; the level can be "integrity" or "confidentiality". In the first case, features that allow the running kernel to be modified from user space are blocked; in the second, functionality that could be used to extract sensitive information from the kernel is disabled as well.
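The following shell script is an added example, not code from the article or from the kernel tree. It reads the level reported by /sys/kernel/security/lockdown (the kernel prints all levels and brackets the active one, e.g. "none [integrity] confidentiality"), and then reasons about which of the operations listed above are still reachable from root at that level. The assignment of each operation to the "modify" (integrity) or "read" (confidentiality) class is an assumption taken from the kernel's lockdown reason table as the author recalls it; verify it against security/lockdown/lockdown.c for your kernel version. Sample sysfs strings in the tests are constructed.

```shell
#!/bin/sh
# Added example: inspect the Lockdown LSM state and predict what root may still do.

# Extract the active level from the sysfs format "none [integrity] confidentiality".
lockdown_active_level() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Read the live state; "unavailable" means securityfs is not mounted or the
# kernel was built without CONFIG_SECURITY_LOCKDOWN_LSM.
lockdown_status() {
    f=${1:-/sys/kernel/security/lockdown}
    if [ -r "$f" ]; then
        lockdown_active_level "$(cat "$f")"
    else
        echo unavailable
    fi
}

# Exit 0 if an operation of the given class is allowed at the given level.
# "modify" operations are blocked from integrity upwards; "read" operations
# (kernel memory disclosure) are blocked only at confidentiality.
lockdown_permits() {
    level=$1; class=$2
    case "$level" in
        none)            return 0 ;;
        integrity)       [ "$class" = read ] ;;
        confidentiality) return 1 ;;
        *) echo "unknown lockdown level: $level" >&2; return 2 ;;
    esac
}

# Assumed classification of operations named in the article (see lead-in).
lockdown_class_of() {
    case "$1" in
        kexec_load|/dev/mem|/dev/kmem|/dev/port|msr-write|ioport|hibernate|acpi-tables) echo modify ;;
        /proc/kcore|kprobes|tracefs|bpf-read|perf) echo read ;;
        *) echo unknown ;;
    esac
}

# Print an allowed/blocked table for a level.
lockdown_report() {
    lvl=$1
    case "$lvl" in
        none|integrity|confidentiality) ;;
        *) echo "lockdown state unavailable ($lvl)"; return 0 ;;
    esac
    echo "lockdown level: $lvl"
    for op in kexec_load /dev/mem msr-write /proc/kcore kprobes tracefs; do
        cls=$(lockdown_class_of "$op")
        if lockdown_permits "$lvl" "$cls"; then state=allowed; else state=blocked; fi
        printf '%-12s %-7s %s\n' "$op" "$cls" "$state"
    done
}

lockdown_report "$(lockdown_status)"
```

The sysfs file is also the runtime control: writing "integrity" or "confidentiality" to it raises the level, but the kernel refuses to lower it again, so a level set by `lockdown=` on the command line or by LOCK_DOWN_KERNEL_FORCE_* at build time is in force until reboot.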

It is important to note that Lockdown only restricts the standard interfaces into the kernel; it does not protect against modifications made by exploiting a vulnerability. To block changes to the running kernel made through exploits, the Openwall project is developing a separate module, LKRG (Linux Kernel Runtime Guard).

Source: opennet.ru
