Lockdown, the new feature accepted into the Linux kernel to restrict root's access to the kernel


The news recently broke that Linus Torvalds has accepted a new feature that will be included in the upcoming "Linux 5.4" kernel. The feature is called "Lockdown" and was proposed by David Howells (who had already shipped this functionality in the Red Hat kernel) and Matthew Garrett (a Google developer).

The main job of Lockdown is to restrict the root user's access to the kernel. The functionality is shipped as an optionally loaded LSM (Linux Security Module) that puts a barrier between UID 0 and the kernel, limiting certain low-level capabilities.

This allows the lockdown functionality to be policy-based rather than hard-coding an implicit policy into the mechanism, so lockdown is integrated as a Linux Security Module that provides an implementation with a simple policy intended for general use. That policy offers a level of granularity that can be controlled from the kernel command line.

Restricting root's access to the kernel is needed because:

If an attacker manages to execute code with root privileges as the result of an attack, they can also execute their code at the kernel level, for example by replacing the kernel via kexec or by reading and/or writing kernel memory through /dev/kmem.

The most obvious consequence of such activity is a bypass of UEFI Secure Boot or the recovery of sensitive data stored at the kernel level.

Initially, the functions for restricting root were developed in the context of strengthening verified-boot protection, and distributions have long shipped third-party patches to block UEFI Secure Boot bypasses.

At the same time, such restrictions were not included in the mainline kernel because of disagreements over their implementation and fears of breaking existing systems. The "lockdown" module absorbs the patches already used by distributions, reworked as a separate subsystem that is not tied to UEFI Secure Boot.

"When enabled, various pieces of kernel functionality are restricted. Applications that rely on low-level access to either hardware or the kernel may cease working as a result; therefore this should not be enabled without appropriate evaluation beforehand," Linus Torvalds said.

In lockdown mode, access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debugging mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and CPU MSR registers is restricted; the kexec_file and kexec_load calls are blocked; hibernation (suspend to disk) is prohibited; the use of DMA to PCI devices is limited; importing ACPI code from EFI variables is prohibited; and manipulation of I/O ports, including changing the interrupt number and I/O port of a serial port, is not allowed.

By default the lockdown module is inactive. It is built when the CONFIG_SECURITY_LOCKDOWN_LSM option is set in kconfig, and it is enabled with the kernel parameter "lockdown=", through the control file "/sys/kernel/security/lockdown", or with the compile-time options CONFIG_LOCK_DOWN_KERNEL_FORCE_*. The level can take the values "integrity" and "confidentiality".

In the first case, functions that allow changes to the running kernel from user space are blocked; in the second case, in addition to that, functionality that could be used to extract sensitive information from the kernel is disabled.
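To make the two levels concrete, here is an added example written for this article; it is not kernel code and not code from the Lockdown authors. It is a small user-space model of the level/reason check the LSM performs, together with a parser for the status line that "/sys/kernel/security/lockdown" exposes (the active level is shown in square brackets) and a live probe that opens /dev/mem. The LOCKDOWN_* reason names are written from memory of the kernel's enum and should be treated as illustrative; what matters is that every integrity reason sorts below the integrity marker and every confidentiality reason sits between the two markers, so "integrity" refuses kexec and /dev/mem but still allows /proc/kcore, while "confidentiality" refuses both groups. The sample status line is constructed.

```c
/* Added example, not kernel code: a user-space model of the Lockdown LSM's
 * level/reason check plus a parser for /sys/kernel/security/lockdown.
 * LOCKDOWN_* names follow the kernel enum as recalled by the editor and are
 * illustrative; the ordering (integrity reasons before LOCKDOWN_INTEGRITY_MAX,
 * confidentiality reasons after it) is what the single comparison relies on. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum lockdown_level { LD_NONE = 0, LD_INTEGRITY = 1, LD_CONFIDENTIALITY = 2 };

enum lockdown_reason {
    LOCKDOWN_NONE = 0,
    /* integrity: ways for user space to alter the running kernel */
    LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, LOCKDOWN_KEXEC,
    LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, LOCKDOWN_IOPORT, LOCKDOWN_MSR,
    LOCKDOWN_ACPI_TABLES, LOCKDOWN_PCMCIA_CIS, LOCKDOWN_TIOCSSERIAL,
    LOCKDOWN_MMIOTRACE, LOCKDOWN_DEBUGFS,
    LOCKDOWN_INTEGRITY_MAX,
    /* confidentiality: ways for user space to read kernel memory */
    LOCKDOWN_KCORE, LOCKDOWN_KPROBES, LOCKDOWN_BPF_READ, LOCKDOWN_PERF,
    LOCKDOWN_TRACEFS,
    LOCKDOWN_CONFIDENTIALITY_MAX,
};

/* Threshold selected by "lockdown=integrity" / "lockdown=confidentiality". */
static enum lockdown_reason level_threshold(enum lockdown_level lvl)
{
    switch (lvl) {
    case LD_INTEGRITY:       return LOCKDOWN_INTEGRITY_MAX;
    case LD_CONFIDENTIALITY: return LOCKDOWN_CONFIDENTIALITY_MAX;
    default:                 return LOCKDOWN_NONE;
    }
}

/* Model of the kernel's check: an operation is refused with -EPERM when the
 * active threshold is at or above the operation's reason, otherwise 0. */
int locked_down(enum lockdown_level lvl, enum lockdown_reason what)
{
    return level_threshold(lvl) >= what ? -EPERM : 0;
}

/* Parse one status line such as "none [integrity] confidentiality"; the
 * bracketed word is the active level. Returns -1 if none is bracketed. */
int parse_lockdown_status(const char *line)
{
    const char *lb = strchr(line, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    if (!lb || !rb)
        return -1;
    size_t n = (size_t)(rb - lb) - 1;
    if (n == 4  && strncmp(lb + 1, "none", 4) == 0)             return LD_NONE;
    if (n == 9  && strncmp(lb + 1, "integrity", 9) == 0)        return LD_INTEGRITY;
    if (n == 15 && strncmp(lb + 1, "confidentiality", 15) == 0) return LD_CONFIDENTIALITY;
    return -1;
}

/* Live probe of the first item in the article's list: open /dev/mem.
 * Returns 0 if it opened, otherwise errno (EPERM under lockdown even as
 * root; EACCES for an unprivileged user on a non-locked kernel). */
int probe_dev_mem(void)
{
    int fd = open("/dev/mem", O_RDONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    char buf[64];
    int lvl = -1;
    int fd = open("/sys/kernel/security/lockdown", O_RDONLY);
    if (fd >= 0) {
        ssize_t n = read(fd, buf, sizeof buf - 1);
        close(fd);
        if (n > 0) { buf[n] = '\0'; lvl = parse_lockdown_status(buf); }
    }
    if (lvl < 0) {
        /* constructed sample for kernels without the LSM or securityfs */
        lvl = parse_lockdown_status("none [integrity] confidentiality\n");
        puts("no live status file; using constructed sample");
    }
    printf("level %d: kexec %s, /dev/mem %s, /proc/kcore %s, BPF read %s\n", lvl,
           locked_down(lvl, LOCKDOWN_KEXEC) ? "refused" : "allowed",
           locked_down(lvl, LOCKDOWN_DEV_MEM) ? "refused" : "allowed",
           locked_down(lvl, LOCKDOWN_KCORE) ? "refused" : "allowed",
           locked_down(lvl, LOCKDOWN_BPF_READ) ? "refused" : "allowed");
    int e = probe_dev_mem();
    printf("live open(/dev/mem): %s\n", e ? strerror(e) : "opened");
    return 0;
}
```

Build with `cc -Wall lockdown_check.c -o lockdown_check` and run it as root on a 5.4 kernel booted with `lockdown=integrity`: the model reports /dev/mem as refused and the live probe returns "Operation not permitted". Writing a level name into the securityfs file only ever raises the level; it cannot be lowered again without a reboot, so evaluate the affected tooling first, as the merge notes warn.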

It is important to note that lockdown only restricts the kernel's regular functionality; it does not protect against modifications that result from exploiting vulnerabilities. Blocking changes to the running kernel when exploits are used is the job of a separate LKRG (Linux Kernel Runtime Guard) module being developed by the Openwall project.

The lockdown feature has had extensive design review and comments across several kernel subsystems. The code has been in linux-next for a few weeks now, with a few minor fixes applied along the way.



  1.   01x01 said

    Root should be above God. It should have all the powers.
    But it seems they want to limit the legitimate rights of the root user as they please.
    We are going wrong when the "security circus" is used to reduce the freedom to use and administer the system.
    Worse still if the kernel becomes nothing more than a copy of the Windows and macOS methodology.