Release of the LKRG 0.7 module for protection against exploitation of vulnerabilities in the Linux kernel

The Openwall project has published the release of the kernel module LKRG 0.7 (Linux Kernel Runtime Guard), which detects unauthorized changes to the running kernel (integrity checking) and attempts to change the permissions of user processes (exploit detection). The module is suitable both for organizing protection against already known exploits for the Linux kernel (for example, in situations where it is difficult to update the kernel on the system) and for countering exploits for vulnerabilities that are not yet known. You can read about the features of LKRG in the first announcement of the project.

Among the changes in the new version:

  • The code has been refactored to provide support for different CPU architectures. Initial support for the ARM64 architecture has been added;
  • Compatibility is ensured with Linux kernels 5.1 and 5.2, with kernels built without the CONFIG_DYNAMIC_DEBUG, CONFIG_ACPI and CONFIG_STACKTRACE options, and with kernels built with the CONFIG_STATIC_USERMODEHELPER option. Experimental support for kernels from the grsecurity project has been added;
  • The initialization logic has been changed significantly;
  • The integrity checker has re-enabled self-hashing and fixed a race condition in the Jump Label engine (*_JUMP_LABEL) that led to a deadlock when initialization ran at the same time as load or unload events of other modules;
  • In the exploit detection code, the new sysctls lkrg.smep_panic (enabled by default) and lkrg.umh_lock (disabled by default) have been added, additional checks of the SMEP/WP bits have been added, the logic for tracking new tasks in the system has been changed, the internal logic for synchronizing with task resources has been redesigned, support for OverlayFS has been added, and Ubuntu Apport has been placed on the whitelist.

Source: opennet.ru
