The Linux 5.4 kernel gains patches that restrict root access to kernel internals

Linus Torvalds has accepted for inclusion in the upcoming Linux 5.4 kernel release a set of "lockdown" patches, proposed by David Howells (Red Hat) and Matthew Garrett (Google), that restrict what the root user can do to the kernel. The lockdown functionality is packaged as an optionally enabled LSM (Linux Security Module) that puts a barrier between UID 0 and the kernel by blocking certain low-level operations.

If an attacker gains code execution with root privileges, they can go on to run their own code at kernel level, for example by replacing the running kernel via kexec or by reading and writing kernel memory through /dev/kmem. The most obvious consequences of such an attack are bypassing UEFI Secure Boot or extracting sensitive data held at kernel level.

Originally, the root-restriction functionality was developed in the context of hardening verified boot, and distributions have for a long time shipped out-of-tree patches to block bypasses of UEFI Secure Boot. At the same time, these restrictions never made it into the mainline kernel because of disagreements over their implementation and fears of breaking existing systems. The "lockdown" module absorbs the patches already used by distributions, but redesigns them as a separate subsystem that is not tied to UEFI Secure Boot.

Lockdown mode restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and CPU MSR registers; the kexec_file and kexec_load system calls are blocked, entering sleep (suspend) mode is prohibited, DMA by PCI devices is limited, importing ACPI code from EFI variables is prohibited, and manipulation of I/O ports is not allowed, including changing the interrupt number and I/O port of the serial port.

By default the lockdown module is inactive. It is built when the SECURITY_LOCKDOWN_LSM option is set in kconfig, and it is enabled either with the "lockdown=" kernel command-line parameter, through the control file /sys/kernel/security/lockdown, or at build time via the LOCK_DOWN_KERNEL_FORCE_* options. The mode can be "integrity" or "confidentiality". In the first case, features that allow user space to modify the running kernel are blocked; in the second, functionality that could be used to extract sensitive information from the kernel is disabled as well.
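As an added illustration (not part of the original article), the following POSIX shell script shows how an administrator would check the current lockdown mode through the securityfs control file described above, raise it at runtime, and probe one of the restricted interfaces. The kernel exposes the mode as a list of all levels with the active one in square brackets, e.g. "[none] integrity confidentiality"; the parsing function below is exercised on constructed strings in that format. The function names and the exact probe (reading one byte of /dev/mem) are choices made for this example.

```shell
#!/bin/sh
# Added example: inspect and raise the lockdown LSM level via securityfs.
# Not from the original article; function names are this example's own.

LOCKDOWN_FILE=/sys/kernel/security/lockdown

# Parse the kernel's format "[none] integrity confidentiality" and return
# the bracketed (active) level. $1 is the file contents.
lockdown_mode_from() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Current level, or "unsupported" when the LSM is not built in or
# securityfs is not mounted (the file does not exist in that case).
current_lockdown_mode() {
    if [ -r "$LOCKDOWN_FILE" ]; then
        lockdown_mode_from "$(cat "$LOCKDOWN_FILE")"
    else
        echo unsupported
    fi
}

# Raise the level at runtime (needs root). The kernel only allows moving
# upward: none -> integrity -> confidentiality; a downgrade is refused
# with EPERM, so the only way back to "none" is a reboot.
raise_lockdown() {
    # $1: integrity | confidentiality
    echo "$1" > "$LOCKDOWN_FILE"
}

# Probe one restricted interface: with integrity or confidentiality set,
# opening /dev/mem fails even for root. A failure here is only conclusive
# together with the mode file, because CONFIG_STRICT_DEVMEM or a missing
# device node can make the same read fail on an unlocked kernel.
check_dev_mem_blocked() {
    if dd if=/dev/mem bs=1 count=1 of=/dev/null 2>/dev/null; then
        echo readable
    else
        echo blocked
    fi
}

# Report what the running kernel was booted with and what it enforces now.
lockdown_report() {
    cmdline=$(grep -o 'lockdown=[a-z]*' /proc/cmdline 2>/dev/null || echo 'lockdown= not set')
    echo "boot parameter : $cmdline"
    echo "current mode   : $(current_lockdown_mode)"
    echo "/dev/mem       : $(check_dev_mem_blocked)"
}

lockdown_report
```

Run it as root on a 5.4 or newer kernel; to test the enforcement path without rebooting, call raise_lockdown integrity and re-run the report, keeping in mind that the level cannot be lowered again on the running system.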

It is important to note that lockdown only closes off the legitimate interfaces for modifying the kernel; it does not protect against modification through the exploitation of a kernel vulnerability. To block changes to the running kernel made by exploits, the Openwall project is developing a separate module, LKRG (Linux Kernel Runtime Guard).

Source: opennet.ru
