Le projekthi I-Openwall ikhuphe ukukhutshwa kwemodyuli ye-LKRG 0.8 kernel (KwiLinux Kernel Runtime Guard), yenzelwe ukukhangela kunye nokuvimba uhlaselo y ukwaphula ukuthembeka kweziseko ezingundoqo.
Imodyuli Kufanelekile ukuba ulungiselele ukhuseleko ngokuchasene nezinto esele zaziwa yeLinux kernel (umzekelo, kwiimeko apho ukuhlaziywa kwekernel kwinkqubo kunengxaki), njengokuchasana nokuxhaphaza ngenxa yobuthathaka obungaziwayo.
Yintoni entsha ye-LKRG 0.8?
Kule nguqulo intsha ubume beprojekthi ye-LKRG butshintshiwe, kwintoniiyure yahlulwe yangamacandelwana ahlukeneyo Ukuqinisekisa ukuthembeka nokujonga ukusetyenziswa, kodwa iboniswa njengemveliso epheleleyo Ukuchonga uhlaselo kunye nolwaphulo oluthembekileyo;
Ngokumalunga nokuhambelana, kwale nguqulo intsha, Singafumanisa ukuba iyahambelana ne-Linux kernels ukusuka kwi-5.3 ukuya kwi-5.7, kunye neenkozo ezidityaniswe nolwazelelo olunamandla lwe-GCC, ngaphandle kokhetho CONFIG_USB kunye neCONFIG_STACKTRACE okanye ngokhetho CONFIG_UNWINDER_ORCKunye neenkozo apho kungekho misebenzi ichithiweyo yi-LKRG ukuba unokwenza ngaphandle.
Ukongeza kwifayile ye- Inkxaso yokulinga kumaqonga e-32-bit ARM (kuvavanywa iRaspberry Pi 3 Model B), ngelixa inkxaso ekhoyo ngaphambili yeAArch64 (ARM64) incediswa kukuhambelana neRaspberry Pi 4.
Ngakolunye uhlangothi, kuye kwongezwa amagwegwe amatsha, ezibandakanya "umlobothi ()" ophethe umnxeba ukuze abone ubuthathaka obuqhathwe "ngamakhono", endaweni yokwenza iinkqubo zokuchonga.
Kwiinkqubo ze-x86-64, isuntswana le-SMAP liyajongwa kwaye lisetyenziswe (Uthintelo lokufikelela kwimowudi yesuphavayiza), dyenzelwe ukuthintela ukufikelela kwidatha kwindawo yomsebenzisi ukusuka kwikhowudi enelungelo eyenziwe kwinqanaba le-kernel. Ukukhuselwa kwe-SMEP (Supervisor Mode Execution Prevention) kwenziwa kwangaphambili.
Ibeyi ukwanda kokungazinzi kwenkqubo yokulandela umkhondo wenkqubo: endaweni yomthi omnye we-RB okhuselwe yi-spinlock, itafile ye-hash yemithi eyi-512 RB iyabandakanyeka, ikhuselwe ngama-512 okufunda nokubhala izitshixo, ngokwahlukeneyo;
Imowudi emiselweyo iyenziwa kwaye yenziwe isebenze, apho ku ukujonga ukuthembeka kwezazisi Ukuqhubekeka kuhlala kwenziwa kuphela kulomsebenzi wangoku, kunye nokukhetha kwimisebenzi eyenziweyo (vuka). Kweminye imisebenzi ekwimeko enqunyanyisiweyo okanye esebenza ngaphandle komnxeba we-kernel API olawulwa yi-LKRG, ukuqinisekiswa kwenziwa kancinci rhoqo.
Ukongeza kwifayile ye- Inkqubo yeyunithi yenkqubo yenziwe ngokutsha ukulayisha imodyuli ye-LKRG kwinqanaba lokuqala lokulayisha (ukhetho lomyalelo wekernel lungasetyenziselwa ukukhubaza imodyuli);
Ngexesha lokudityaniswa, ezinye zezinto ezinyanzelekileyo ze-CONFIG_ * useto lwekernel lukhangelwe ukuvelisa imiyalezo enemposiso enentsingiselo endaweni yokufihla iimpazamo.
Olunye utshintsho olwahlukileyo kule nguqulo intsha:
- Yongezwe inkxaso ye-Standby (ACPI S3, Suspend to RAM) kunye nokumisa (S4, Ukumisa kwiDisk) iindlela.
- Yongeze inkxaso ye-DKMS kwifayile yefayile.
- Ingqondo entsha iyacetyiswa ukumisela iinzame zokuphuma kwizithintelo zesithuba (umzekelo, kwizikhongozeli zeDocker).
- Kwinkqubo, ubumbeko lwe-LKRG lubekwe kwiphepha lememori, ihlala ifundwa kuphela.
- Iziphumo kwimigca yolwazi enokuba luncedo kakhulu kuhlaselo (umzekelo, ulwazi lwedilesi kwi-kernel) lilinganiselwe yimowudi yokulungisa (log_level = 4 nangaphezulu), ekhubazeke ngokungagqibekanga.
- I-sysctl entsha kunye neeparameter zemodyuli zongezwa kwi-LKRG, kunye nee-sysctl ezimbini zoqwalaselo olwenziwe lula ngokukhetha kwiiprofayili ezilungiselelwe ngabaphuhlisi.
- Useto olungagqibekanga luyatshintshwa ukufezekisa ulungelelwaniso olulinganiselweyo phakathi kwesantya sokuphula umthetho kunye nokusebenza kwempendulo, kwelinye icala, kunye nefuthe kwimveliso kunye nomngcipheko weemposiso ezingezizo kwelinye.
- Ngokwenkqubo ecetywayo kwinguqulelo entsha, ukwehla kokusebenza xa kusetyenziswa i-LKRG 0.8 kuqikelelwa kwi-2.5% kwimowudi emiselweyo ("enzima") kunye ne-2% kwimodi yokukhanya ("ukukhanya").
Ukuba ufuna ukwazi ngakumbi ngayo, unokuthetha iinkcukacha apha.