Linux 5.4 kernel gains patches restricting root access to kernel internals

Linus Torvalds has accepted for inclusion in the upcoming Linux 5.4 kernel release the "lockdown" patch set, proposed by David Howells (Red Hat) and Matthew Garrett (Google), which restricts what the root user can do to the kernel. The lockdown functionality is implemented as an optional LSM module (Linux Security Module) that places a barrier between UID 0 and the kernel, blocking certain low-level operations.

If an attacker achieves code execution with root privileges, they can also run their own code at kernel level, for example by replacing the running kernel via kexec or by reading and writing kernel memory through /dev/kmem. The most obvious consequences of such activity are a bypass of UEFI Secure Boot or the extraction of sensitive data held at kernel level (keys, credentials and the like).

Originally, these root restrictions were developed in the context of strengthening verified boot, and distributions have for a long time shipped third-party patches to close UEFI Secure Boot bypasses. Until now, such restrictions had not made it into the mainline kernel because of disagreements over their implementation and fear of breaking existing systems. The "lockdown" module absorbs the patches already used by distributions, reworked as a separate subsystem that is not tied to UEFI Secure Boot.

Lockdown mode restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, the PCMCIA CIS (Card Information Structure), certain ACPI interfaces and the CPU MSR registers; the kexec_file and kexec_load system calls are blocked, sleep/hibernation mode is prohibited, DMA use by PCI devices is limited, loading ACPI code from EFI variables is prohibited, and I/O port manipulation is not allowed, including changing the interrupt number and I/O port of the serial port.

By default the lockdown module is inactive; it is built when the SECURITY_LOCKDOWN_LSM option is set in kconfig and is enabled through the "lockdown=" kernel parameter, the control file "/sys/kernel/security/lockdown" or the build options LOCK_DOWN_KERNEL_FORCE_*, all of which take the values "integrity" and "confidentiality". In the first mode, features that allow user space to modify the running kernel are blocked; in the second, functionality that could be used to extract sensitive information from the kernel is disabled as well (confidentiality is a superset of integrity). The mode can be raised at runtime by writing to the control file, but never lowered without a reboot.
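The following shell script is an added example and not code from the article or from the lockdown patch set. It reads the securityfs control file mentioned above, which is assumed to list the available modes on one line with the active one in square brackets (e.g. "none [integrity] confidentiality"), reports which class of interface that mode blocks, and probes a few of the restricted device and proc nodes by attempting to open them. The probe is only meaningful when run as root, since an unprivileged user is refused on /dev/mem regardless of lockdown; the paths and the expected behaviour (kmem/mem/port refused under "integrity", /proc/kcore only under "confidentiality") follow the list of restricted interfaces in the article.

```shell
#!/bin/sh
# Added example: inspect the Linux lockdown LSM state and probe a few of
# the interfaces it restricts. Assumes the securityfs file format
# "none [integrity] confidentiality" (active mode in brackets).

LOCKDOWN_FILE=/sys/kernel/security/lockdown

# Extract the bracketed (active) mode from a lockdown status line.
# Prints "unknown" if no bracketed word is present.
parse_lockdown_mode() {
    m=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')
    printf '%s\n' "${m:-unknown}"
}

# Active mode on this host, or "unavailable" when the LSM is not built in
# (the securityfs file does not exist or is not readable).
current_lockdown_mode() {
    if [ -r "$LOCKDOWN_FILE" ]; then
        parse_lockdown_mode "$(cat "$LOCKDOWN_FILE")"
    else
        echo unavailable
    fi
}

# Does the mode block interfaces that let user space modify the running
# kernel (/dev/mem, /dev/kmem, /dev/port, kexec_load, MSR writes, ...)?
mode_blocks_integrity() {
    case "$1" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# Does the mode also block read-side leaks of kernel data
# (/proc/kcore, kprobes, tracefs, BPF, MSR reads, ...)?
# Confidentiality implies integrity; the reverse does not hold.
mode_blocks_confidentiality() {
    [ "$1" = confidentiality ]
}

# Probe one node by opening it read-only (no data is read or written):
# "absent"  - the path does not exist on this system
# "open"    - open(2) succeeded (interface is reachable)
# "blocked" - open(2) failed; as root under lockdown this is EPERM
probe_path() {
    [ -e "$1" ] || { echo absent; return 0; }
    if ( : < "$1" ) 2>/dev/null; then
        echo open
    else
        echo blocked
    fi
}

# Print a small report. Run as root for the probe results to mean anything.
report() {
    mode=$(current_lockdown_mode)
    echo "lockdown mode: $mode"
    if mode_blocks_integrity "$mode"; then
        echo "  integrity interfaces blocked (mem/kmem/port should be 'blocked')"
    fi
    if mode_blocks_confidentiality "$mode"; then
        echo "  confidentiality interfaces blocked (/proc/kcore should be 'blocked')"
    fi
    for p in /dev/mem /dev/kmem /dev/port /proc/kcore; do
        printf '  %-12s %s\n' "$p" "$(probe_path "$p")"
    done
}

# Usage: sh lockdown-check.sh report   (as root)
case "${1:-}" in
    report) report ;;
esac
```

On a kernel booted with lockdown=integrity the first three nodes report "blocked" while /proc/kcore stays "open"; with lockdown=confidentiality all four are refused. A reading of "unavailable" means the kernel was built without SECURITY_LOCKDOWN_LSM, so none of the restrictions described above apply.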

It is important to note that lockdown only closes the kernel's legitimate, intended interfaces; it does not protect against kernel modification achieved by exploiting a vulnerability. To block changes to the running kernel made through exploits, the Openwall project is developing a separate module, LKRG (Linux Kernel Runtime Guard).

Source: opennet.ru