The Openwall project has just announced the release of a new version of the kernel module "LKRG 0.9.2" (Linux Kernel Runtime Guard), which is designed to detect and block attacks and violations of the integrity of kernel structures.
LKRG currently supports the x86-64, 32-bit x86, AArch64 (ARM64), and 32-bit ARM CPU architectures.
About LKRG
As mentioned, the LKRG module is responsible for performing runtime integrity checking of the Linux kernel and for detecting the exploitation of security vulnerabilities against the kernel. For example, the module can protect against unauthorized changes to the running kernel and against attempts to change the permissions of user processes (by detecting the use of exploits).
The module is suitable both for organizing protection against already known exploits for Linux kernel vulnerabilities (for example, in situations where it is difficult to update the kernel on the system) and for countering exploits of vulnerabilities that are not yet known.
It should be understood that LKRG is a kernel module (not a kernel patch), so it can be built and loaded on a wide range of mainline and distribution kernels, without the need to patch any of them.
Currently, the module supports kernel versions from RHEL7 (and its many clones/revisions) and Ubuntu 16.04 up to the latest mainline and distribution kernels.
Main new features of LKRG 0.9.2
In this new release, the developers mention that compatibility is ensured with Linux kernels 5.14 through 5.16-rc, as well as with the LTS kernels 5.4.118+, 4.19.191+ and 4.14.233+.
At the time of our previous release, LKRG 0.9.1, Linux 5.12.x was the latest mainline kernel. We were lucky that it also worked as-is on Linux 5.13.x and on newer 5.10.x long-term kernels. However, starting with 5.14, as well as for the 3 long-term kernel series listed in the changelog above, we had to make changes to support those newer kernel versions.
Regarding the notable changes in the new version, it is highlighted that support was added for different CONFIG_SECCOMP settings, as well as support for the "nolkrg" kernel parameter to disable LKRG at boot time.
In the bug-fix part, it is mentioned that a false positive caused by a race condition during SECCOMP_FILTER_FLAG_TSYNC processing was fixed. In addition, support for the CONFIG_HAVE_STATIC_CALL setting on Linux kernels 5.10+ was also fixed (race conditions when unloading other modules were fixed).
In addition, it is ensured that the names of modules blocked when using the lkrg.block_modules=1 setting are saved in the log.
Other changes that stand out in this new version:
- The sysctl settings are now placed in the file /etc/sysctl.d/01-lkrg.conf
- Added a dkms.conf configuration file for the DKMS (Dynamic Kernel Module Support) system, which is used to build third-party modules after a kernel update.
- Improved and updated support for debug builds and continuous integration systems.
Finally, if you are interested in learning more about the project, you should know that the project code is distributed under the GPLv2 license.
For those interested in installing this module, it is important to mention that it requires a kernel build directory corresponding to the Linux kernel image on which the module will run. For example, on Debian and Ubuntu, you can obtain the required build infrastructure by installing linux-headers:
sudo apt-get install linux-headers-$(uname -r)
On distributions such as RHEL, Fedora or those based on them (including CentOS), the package to install is the following:
sudo yum install kernel-devel
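The checks below are an added example, not code from the LKRG project or from the original article: a small shell pre-flight covering the build prerequisite, the "nolkrg" boot parameter and the sysctl file mentioned above. It assumes the usual /lib/modules/<release>/build location for the kernel build directory, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not LKRG project code): pre-flight checks before building or loading LKRG.

# Succeeds if the boot command line in $1 carries "nolkrg" as a whole parameter.
has_nolkrg() {
    case " $1 " in
        *" nolkrg "*) return 0 ;;
    esac
    return 1
}

# Succeeds if a kernel build directory exists for kernel release $1.
# Assumption: standard kbuild layout <root>/<release>/build; $2 overrides the root.
have_build_dir() {
    [ -f "${2:-/lib/modules}/$1/build/Makefile" ]
}

# Prints the last value assigned to sysctl key $2 in file $1 (nothing if unset).
sysctl_value() {
    [ -r "$1" ] || return 0
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        { k = $1; v = $2
          gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        k == key { val = v }                        # later assignments win
        END { print val }' "$1"
}

# Reports all three checks for the running system; non-zero if the build dir is missing.
lkrg_preflight() {
    release=$(uname -r)
    status=0
    if have_build_dir "$release"; then
        echo "ok: kernel build directory found for $release"
    else
        echo "missing: install the headers/devel package matching $release"
        status=1
    fi
    if has_nolkrg "$(cat /proc/cmdline)"; then
        echo "note: nolkrg is on the boot command line, LKRG is disabled for this boot"
    fi
    conf=/etc/sysctl.d/01-lkrg.conf
    echo "lkrg.block_modules in $conf: $(sysctl_value "$conf" lkrg.block_modules)"
    return $status
}

# Run the checks only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    lkrg_preflight
fi
```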
To learn more about it, as well as the build instructions, you can consult the details at the following link.