The Openwall project
Among the changes in the new version:
- The positioning of the LKRG project has changed: it is no longer split into separate subsystems for integrity checking and for detecting the use of exploits, but is presented as a complete product for identifying attacks and various integrity violations;
- Compatibility is provided with Linux kernels from 5.3 to 5.7, with kernels built with aggressive GCC optimizations, without the CONFIG_USB and CONFIG_STACKTRACE options or with the CONFIG_UNWINDER_ORC option, and with kernels that lack functions LKRG hooks;
- At build time, some mandatory CONFIG_* settings are checked so that meaningful error messages are produced instead of obscure failures;
- Added support for standby (ACPI S3, suspend to RAM) and hibernation (S4, suspend to disk) modes;
- Added DKMS support to the Makefile;
- Experimental support for 32-bit ARM platforms has been implemented (tested on Raspberry Pi 3 Model B). The earlier AArch64 (ARM64) support has been extended to provide compatibility with the Raspberry Pi 4 board;
- New hooks have been added, including a handler for the capable() call to better identify exploits that manipulate "capabilities" rather than process IDs (credentials);
- New logic has been proposed to detect attempts to escape namespace restrictions (for example, from Docker containers);
- On x86-64 systems, the SMAP (Supervisor Mode Access Prevention) bit is checked and enforced. SMAP is designed to block access to user-space data from privileged code running at the kernel level. SMEP (Supervisor Mode Execution Prevention) protection was implemented previously;
- At runtime, the LKRG settings are placed in a memory page that is normally read-only;
- Logging of the information that could be most useful for attacks (for example, information about addresses in the kernel) is restricted to debug mode (log_level=4 and higher), which is disabled by default.
- The scalability of the process-tracking database has been increased: instead of a single RB tree protected by a single spinlock, a hash table of 512 RB trees protected by 512 read-write locks is used;
- A mode has been implemented and enabled by default in which the integrity of process identifiers is checked frequently only for the current task, and optionally also for active (waking) tasks. For other tasks that are sleeping or that run without calling a kernel API controlled by LKRG, the check is performed less often.
- New sysctl and module parameters for fine-tuning LKRG have been added, along with two sysctls for simplified configuration by choosing among sets of fine-tuned settings (profiles) prepared by the developers;
- The default settings have been changed to strike a more balanced trade-off between the speed of violation detection and the effectiveness of the response, on the one hand, and the impact on performance and the risk of false positives, on the other;
- The systemd unit file has been reworked to load the LKRG module early in boot (a kernel command-line option can be used to disable the module);
Taking into account the optimizations proposed in the new release, the performance reduction when using LKRG 0.8 is estimated at 2.5% in the default mode ("heavy") and 2% in the light mode ("light").
Recently
In addition, it can be noted that the developer of the distribution
Integrity checking in LKRG is performed by comparing the actual code and data of the kernel and modules, some important data structures, and CPU settings against stored hashes or copies of the corresponding memory areas, data structures, or registers. Checks are triggered periodically by a timer and on the occurrence of various events.
Detection of possible exploit use and blocking of attacks is carried out at the stage before the kernel grants access to resources (for example, before opening a file), but after the process has obtained unauthorized permissions (for example, by changing the UID). When unauthorized behavior is detected, processes are forcibly terminated by default, which is enough to block many exploits.
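A minimal userspace model of the check described above, added here as an illustration and not taken from LKRG's source: a shadow copy of each task's credentials is recorded on legitimate changes and compared with the live values before a resource is handed out. The struct layouts, the names `shadow_update` and `check_before_access`, the fixed-size table and the fail-closed handling of untracked tasks are assumptions of this example.

```c
/* Added example: userspace model of a shadow-credential check. Not LKRG code. */
#include <stdint.h>
#include <stdio.h>

#define MAX_TRACKED 64   /* constructed limit for this model */

struct creds  { uint32_t uid, gid; uint64_t caps; };
struct task   { int pid; struct creds live; };   /* stands in for kernel task state */
struct shadow { int pid, used; struct creds copy; };
enum verdict  { ALLOW, KILL };

static struct shadow table[MAX_TRACKED];

static struct shadow *find(int pid) {
    for (int i = 0; i < MAX_TRACKED; i++)
        if (table[i].used && table[i].pid == pid) return &table[i];
    return NULL;
}

/* Hook for paths that change credentials legitimately (fork, setuid, ...). */
int shadow_update(const struct task *t) {
    struct shadow *s = find(t->pid);
    for (int i = 0; !s && i < MAX_TRACKED; i++)
        if (!table[i].used) s = &table[i];
    if (!s) return -1;                       /* table full */
    s->pid = t->pid; s->used = 1; s->copy = t->live;
    return 0;
}

/* Hook run before a resource is handed out (e.g. before a file is opened). */
enum verdict check_before_access(const struct task *t) {
    const struct shadow *s = find(t->pid);
    if (!s) return KILL;                     /* untracked task: this model fails closed */
    if (s->copy.uid != t->live.uid || s->copy.gid != t->live.gid ||
        s->copy.caps != t->live.caps) return KILL;   /* live state diverged from shadow */
    return ALLOW;
}

int main(void) {
    struct task t = { 1234, { 1000, 1000, 0 } };     /* constructed sample process */
    shadow_update(&t);
    printf("normal access:   %s\n", check_before_access(&t) ? "KILL" : "ALLOW");
    t.live.uid = 0;              /* credentials altered without passing through a hook */
    printf("after tampering: %s\n", check_before_access(&t) ? "KILL" : "ALLOW");
    t.live.uid = 1000; t.live.caps = 1ULL << 21;     /* capability bits altered instead */
    printf("caps tampering:  %s\n", check_before_access(&t) ? "KILL" : "ALLOW");
    return 0;
}
```

Because the comparison runs at the access hook rather than at the moment of modification, the model only reacts when the altered task next asks for a resource, which matches the ordering the text describes.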
Source: opennet.ru