Linus Torvalds
If an attacker achieves code execution with root privileges, they can run their own code at the kernel level, for example by replacing the kernel using kexec or by reading and writing memory through /dev/kmem. The most obvious consequence of such activity may be
Initially, the functions for restricting root were developed in the context of strengthening the protection of verified boot, and distributions have long used third-party patches to block bypasses of UEFI Secure Boot. At that time, such restrictions were not included in the main kernel tree because of
Lockdown mode restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and the CPU MSR registers. The kexec_file and kexec_load calls are blocked, sleep mode is prohibited, the use of DMA for PCI devices is limited, importing ACPI code from EFI variables is prohibited, and manipulation of I/O ports is not allowed, including changing the interrupt number and the I/O port of the serial port.
By default the lockdown module is not active. It is built when the SECURITY_LOCKDOWN_LSM option is specified in kconfig, and it is enabled through the kernel parameter "lockdown=", the control file "/sys/kernel/security/lockdown" or build options.
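The activation paths above can be checked on a host with a short script. This is an added example, not code from the kernel or from the original article: the function names and output labels are hypothetical, the sample strings are constructed, and it relies on the control file listing the modes none, integrity and confidentiality with the active one in square brackets.

```shell
#!/bin/sh
# Added example: report the kernel lockdown state and how it was set.
LOCKDOWN_FILE=/sys/kernel/security/lockdown

# Print the bracketed (active) mode from a control-file string,
# e.g. "none [integrity] confidentiality" -> integrity. Empty if unparseable.
active_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Print the value of the last lockdown= argument on a kernel command line.
cmdline_mode() {
    for arg in $1; do
        case $arg in
            lockdown=*) printf '%s\n' "${arg#lockdown=}" ;;
        esac
    done | tail -n 1
}

# Classify a host from the control-file contents and the command line.
# "<mode> cmdline": the active mode matches the lockdown= boot parameter.
# "<mode> other":   set through the control file or a build option instead.
# "off":            module present, no lockdown in effect.
# "unavailable":    no state to read (module not built or securityfs not mounted).
audit_lockdown() {
    mode=$(active_mode "$1")
    boot=$(cmdline_mode "$2")
    case $mode in
        integrity|confidentiality)
            if [ "$boot" = "$mode" ]; then echo "$mode cmdline"
            else echo "$mode other"; fi ;;
        none) echo "off" ;;
        *) echo "unavailable" ;;
    esac
}

# Constructed sample values, not taken from a real host.
audit_lockdown "none [integrity] confidentiality" "ro quiet lockdown=integrity"

# Live check, only where the control file is readable.
if [ -r "$LOCKDOWN_FILE" ]; then
    audit_lockdown "$(cat "$LOCKDOWN_FILE")" "$(cat /proc/cmdline)"
fi
```

A result of "off" or "unavailable" on a fleet that is expected to run locked down is the case worth alerting on.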
It is important to note that lockdown only restricts the standard ways of accessing the kernel; it does not protect against modifications made by exploiting vulnerabilities. To block changes to the running kernel when exploits are used, the Openwall project
Source: opennet.ru