LKRG 0.9.2 has been released, and here is what's new

The Openwall project recently announced the release of a new version of the kernel module "LKRG 0.9.2" (Linux Kernel Runtime Guard), which is designed to detect and block attacks and violations of the integrity of kernel structures.

LKRG currently supports the x86-64, 32-bit x86, AArch64 (ARM64), and 32-bit ARM CPU architectures.

About LKRG

As mentioned, the LKRG module is responsible for performing integrity checks of the Linux kernel at runtime and for detecting exploits of security vulnerabilities against the kernel. For example, the module can protect against unauthorized changes to the running kernel and against attempts to change the permissions of user processes (by detecting the use of exploits).

The module is suitable both for organizing protection against already known exploits for the Linux kernel (for example, in situations where it is difficult to update the kernel on a system) and for countering exploits for vulnerabilities that are not yet known.

It should be understood that LKRG is a kernel module (not a kernel patch), so it can be compiled and loaded on a wide range of mainline and distribution kernels, without needing to patch any of them.

Currently, the module supports kernel versions ranging from RHEL7 (and its many clones/revisions) and Ubuntu 16.04 to the latest mainline and distribution kernels.

Main new features of LKRG 0.9.2

In this new version, the developers mention that compatibility has been ensured with Linux kernels 5.14 to 5.16-rc, as well as with LTS kernels 5.4.118+, 4.19.191+ and 4.14.233+.

At the time of our previous release, LKRG 0.9.1, Linux 5.12.x was the latest kernel. We were lucky that it also worked as-is on Linux 5.13.x and on newer 5.10.x long-term series kernels. However, as of 5.14, as well as for the 3 older long-term kernel series listed in the change above, we had to make changes to support these new kernel versions.

Regarding the changes that stand out in the new version, support was added for different CONFIG_SECCOMP configurations, as well as support for the "nolkrg" kernel parameter to disable LKRG at boot time.

As for bug fixes, a false positive caused by a race condition when handling SECCOMP_FILTER_FLAG_TSYNC was fixed, and support for the CONFIG_HAVE_STATIC_CALL setting in Linux kernels 5.10+ was also fixed (race conditions when unloading other modules were corrected).

In addition, the names of blocked modules are now guaranteed to be recorded in the log when the lkrg.block_modules = 1 setting is used.

Of the other changes that stand out in this new version:

  • sysctl settings are now placed in the /etc/sysctl.d/01-lkrg.conf file.
  • A dkms.conf configuration file was added for the DKMS (Dynamic Kernel Module Support) system, which is used to build third-party modules after a kernel update.
  • Improved and updated support for debug builds and continuous integration systems.

Finally, if you are interested in learning more about the project, you should know that the project code is distributed under the GPLv2 license.

For those interested in installing this module, it is important to mention that it requires a kernel build environment matching the Linux kernel image the module will run on. For example, on Debian and Ubuntu, you can install the required build components by installing the Linux headers:

sudo apt-get install linux-headers-$(uname -r)

On distributions such as RHEL, Fedora, or those based on them (including CentOS), the package to install is the following:

sudo yum install kernel-devel

To learn more about it, as well as the build instructions, you can consult the details at the following link.
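
The prerequisites above can be checked before a build. The following shell script is an added example, not part of the original article or of LKRG itself: it verifies that a build tree exists for exactly the running kernel (sudo yum install kernel-devel may install a newer version than the one booted), looks for "nolkrg" on the kernel command line, and flags kernels in the series listed for 0.9.2. The function names, the ROOT test prefix and the --run switch are assumptions; /lib/modules/<release>/build is the standard location of the kernel build tree.

```shell
#!/bin/sh
# Added example, not LKRG project code; function names are assumptions.
# changed_in_092 RELEASE: succeed if RELEASE is in a series the release notes
# name for 0.9.2 (5.14 to 5.16-rc, LTS 5.4.118+, 4.19.191+, 4.14.233+).
# Matches per series (5.16.x counts as 5.16-rc) and assumes upstream
# numbering; distro kernels with a frozen patch level are not classified.
changed_in_092() {
    ver=${1%%-*}                          # drop "-rc3", "-generic", ...
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=0
    if [ "$rest" != "$minor" ]; then patch=${rest#*.}; fi
    minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    case "$major.$minor" in
        5.14|5.15|5.16) return 0 ;;
        5.4)  [ "${patch:-0}" -ge 118 ] ;;
        4.19) [ "${patch:-0}" -ge 191 ] ;;
        4.14) [ "${patch:-0}" -ge 233 ] ;;
        *)    return 1 ;;
    esac
}

# has_nolkrg CMDLINE: succeed if the "nolkrg" boot parameter is present as a
# whole word, i.e. LKRG would be disabled at boot time.
has_nolkrg() {
    case " $1 " in *" nolkrg "*) return 0 ;; esac
    return 1
}

# build_dir_ready RELEASE [ROOT]: succeed if the build tree for exactly this
# release exists. ROOT is a hypothetical prefix used only for testing.
build_dir_ready() {
    [ -f "${2:-}/lib/modules/$1/build/Makefile" ]
}

# lkrg_preflight [RELEASE] [CMDLINE] [ROOT]: report problems, return 1 if any.
lkrg_preflight() {
    rel=${1:-$(uname -r)}; rc=0
    cmdline=${2:-$(cat /proc/cmdline 2>/dev/null || true)}
    if ! build_dir_ready "$rel" "${3:-}"; then
        echo "no build tree for $rel: install matching kernel headers"; rc=1
    fi
    if has_nolkrg "$cmdline"; then
        echo "nolkrg is on the kernel command line: LKRG is disabled at boot"; rc=1
    fi
    if changed_in_092 "$rel"; then echo "$rel: series changed in LKRG 0.9.2"; fi
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then lkrg_preflight; fi  # "--run" is an assumed switch
```

Run with --run, it prints one line per finding and exits non-zero if the build tree is missing or nolkrg is set.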

