Lockdown, a new Linux kernel module to limit root access to the kernel

Linux Kernel

News recently spread that Linus Torvalds has accepted a new component that will be included in the upcoming "Linux 5.4" kernel release. This new component is called "Lockdown" and was proposed by David Howells (who had previously implemented it in the Red Hat kernel) and Matthew Garrett (a Google developer).

The main function of Lockdown is to limit the root user's access to the kernel. This functionality has been moved into an optionally loaded LSM (Linux Security Module), which places a barrier between UID 0 and the kernel and restricts certain low-level operations.

This allows the lockdown functionality to be policy-based rather than hard-coding an implicit policy into the mechanism, so the lockdown shipped as a Linux Security Module provides an implementation with a simple policy intended for general use. That policy offers a level of granularity that can be configured from the kernel command line.

This protection of kernel access is motivated by the following:

If an attacker manages to execute code with root privileges as a result of an attack, he can also run his code at the kernel level, for example by replacing the kernel using kexec or by reading and/or writing memory through /dev/kmem.

The most obvious consequence of such activity is the ability to bypass UEFI Secure Boot or to retrieve confidential data stored at the kernel level.

Initially, the root-restriction functions were developed in the context of strengthening verified boot protection, and distributions had long been carrying third-party patches to block the bypass of UEFI Secure Boot.

At the same time, such restrictions were not merged into the mainline kernel because of disagreements over their implementation and fears of breaking existing systems. The "lockdown" module absorbs the patches already used in distributions, reworked into a separate form that is no longer tied to UEFI Secure Boot.

"When enabled, various pieces of kernel functionality are restricted. Applications that rely on low-level hardware or kernel access may therefore stop working, and so this should not be enabled without proper evaluation first," Linus Torvalds commented.

In lockdown mode, access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debugging mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and the CPU MSR registers is restricted; the kexec_file and kexec_load calls are blocked; sleep (hibernation) mode is prohibited; the use of DMA for PCI devices is limited; importing ACPI code from EFI variables is prohibited; and manipulation of I/O ports, including changing the interrupt number and the I/O port of the serial port, is not allowed.

By default, the lockdown module is not active; it is built when the SECURITY_LOCKDOWN_LSM option is set in kconfig and is activated through the kernel parameter "lockdown=", the control file "/sys/kernel/security/lockdown", or the build options LOCK_DOWN_KERNEL_FORCE_*, which can take the values "integrity" and "confidentiality".

In the first case, functions that allow the running kernel to be modified from user space are blocked; in the second case, in addition to this, functionality that could be used to extract confidential information from the kernel is disabled.
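As an added example (not code from the article, the kernel, or its authors), the following POSIX shell script reads the active lockdown mode and checks it against a required minimum. It assumes the layout the kernel uses for /sys/kernel/security/lockdown, namely all modes on one line with the active one in square brackets (for instance "none [integrity] confidentiality"), and the "lockdown=" parameter described above on /proc/cmdline. Where that file is not readable it falls back to constructed sample strings so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not part of the article or the kernel's tooling): determine the
# active lockdown mode and compare it with a required minimum mode.
# Assumption: /sys/kernel/security/lockdown lists "none integrity confidentiality"
# on one line with the active mode in square brackets.

# Print the bracketed (active) mode from a lockdown file line.
# Runs in a subshell with globbing off so "[integrity]" is never expanded as a pattern.
lockdown_active_mode() (
    set -f
    for word in $1; do
        case "$word" in
            \[*\])
                word=${word#"["}
                printf '%s\n' "${word%"]"}"
                exit 0
                ;;
        esac
    done
    printf 'unknown\n'
    exit 1
)

# Print the value given to lockdown= on a kernel command line (empty if absent).
cmdline_lockdown_param() (
    set -f
    for arg in $1; do
        case "$arg" in
            lockdown=*) printf '%s\n' "${arg#lockdown=}"; exit 0 ;;
        esac
    done
    printf '\n'
    exit 1
)

# Order the modes so that a policy can be stated as "at least integrity".
lockdown_rank() {
    case "$1" in
        none)            printf '0\n' ;;
        integrity)       printf '1\n' ;;
        confidentiality) printf '2\n' ;;
        *)               printf '%s\n' -1 ;;
    esac
}

# Succeed when mode $1 is at least as strict as the required mode $2.
lockdown_meets() {
    [ "$(lockdown_rank "$1")" -ge "$(lockdown_rank "$2")" ]
}

# Report on the running system when securityfs exposes the file; otherwise use
# constructed sample values so the script still runs offline.
report_lockdown() {
    required=${1:-integrity}
    if [ -r /sys/kernel/security/lockdown ]; then
        status=$(cat /sys/kernel/security/lockdown)
        cmdline=$(cat /proc/cmdline)
    else
        status='none [integrity] confidentiality'                    # constructed sample
        cmdline='BOOT_IMAGE=/vmlinuz ro quiet lockdown=integrity'   # constructed sample
    fi
    mode=$(lockdown_active_mode "$status") || mode=unknown
    param=$(cmdline_lockdown_param "$cmdline") || param='(not set)'
    printf 'active lockdown mode: %s (lockdown= on cmdline: %s)\n' "$mode" "$param"
    if lockdown_meets "$mode" "$required"; then
        printf 'OK: mode is at least "%s"\n' "$required"
    else
        printf 'WARNING: mode "%s" is weaker than "%s"; root can still reach /dev/mem, kexec, BPF, etc.\n' "$mode" "$required"
    fi
}

report_lockdown integrity
```

Run it as any user to see the active mode; pass "confidentiality" as the first argument to report_lockdown when the policy also requires that kernel memory not be readable by root. Globbing is switched off inside the parsing functions because the bracketed mode name would otherwise be treated as a filename pattern by the shell.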

It is important to note that lockdown only limits the regular paths into the kernel; it does not protect against modifications made by exploiting a vulnerability. To block changes to a running kernel when exploits are used, the Openwall project is developing the separate LKRG (Linux Kernel Runtime Guard) module.

The lockdown work has gone through a lot of design review and commentary on the underlying infrastructure. This code has been in linux-next for a few weeks now, with a few fixes applied along the way.


01x01 m

    Root should be more than god. It should be all-powerful.
    But it seems they want to restrict the rights of the legitimate user. That is the ideology they favour.
    We will be in trouble when the "security circus" is used to limit the user's freedom to administer the system.
    Things will go badly when the kernel is nothing more than a copy of the windolais and macais methodology.