And ... they found another vulnerability in the eBPF subsystem

News recently broke that a new vulnerability (already catalogued as CVE-2021-4204) has been identified in the eBPF subsystem (for a change) ...

The eBPF subsystem has not stopped being a major security problem for the kernel: throughout 2021, two vulnerabilities were disclosed per month, and we have covered some of them here on the blog.

Regarding the details of the current problem, the vulnerability is in the subsystem that allows handlers to run inside the Linux kernel in a special JIT virtual machine, and it allows an unprivileged local user to gain privilege escalation and execute their code at the kernel level.

According to the description of the problem, the vulnerability is caused by incorrect checking of the eBPF programs passed for execution: the eBPF subsystem provides helper functions, and their correct use is checked by a special verifier.

This vulnerability allows local attackers to escalate privileges on installations of the Linux kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists in the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs before they are run.

In addition, some of the functions require a PTR_TO_MEM value to be passed as an argument, and the verifier must know the size of the memory associated with the argument in order to avoid potential buffer overflow problems.

For the functions bpf_ringbuf_submit and bpf_ringbuf_discard, however, the size of the memory being passed is not reported to the verifier (this is where the problem starts), and an attacker can take advantage of that to overwrite memory areas outside the buffer boundary when running specially crafted eBPF code.

An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel. PLEASE NOTE that unprivileged bpf is disabled by default on most distributions.

It is mentioned that, to carry out an attack, the user must be able to load their own BPF program, and recent Linux distributions block this by default (in addition, unprivileged access to eBPF is now prohibited by default in the kernel itself, starting with version 5.16).

For example, it is mentioned that the vulnerability can be exploited in the default configuration of a distribution that is still in use and, above all, very popular, namely Ubuntu 20.04 LTS, whereas in environments such as Ubuntu 22.04-dev, Debian 11, openSUSE 15.3, RHEL 8.5, SUSE 15-SP4 and Fedora 33 it only appears if the administrator has set the kernel.unprivileged_bpf_disabled parameter to 0.

For now, as a workaround to block the vulnerability, it is mentioned that unprivileged users can be prevented from running BPF programs by running the following command in a terminal:

sysctl -w kernel.unprivileged_bpf_disabled=1
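
A read-only check to go with the workaround above, as an added example that is not from the original article: it classifies a host from its kernel release and the value of kernel.unprivileged_bpf_disabled. The 5.8 to 5.16 range is the one the article states, the function names are hypothetical, and the script cannot see fixes a distribution has backported into its own kernel.

```shell
#!/bin/sh
# Added example, not from the article. Affected range (5.8 through 5.16)
# is the one the article states; release strings in tests are constructed.

# bpf_exposure KERNEL_RELEASE SYSCTL_VALUE
# Prints: exposed | mitigated | not-in-range | unknown
bpf_exposure() {
    release=$1
    knob=$2
    case "$release" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    # Reduce e.g. "5.13.0-27-generic" to major=5, minor=13.
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in *[!0-9]*) echo unknown; return 0 ;; esac
    [ -n "$minor" ] || { echo unknown; return 0; }
    if [ "$major" -ne 5 ] || [ "$minor" -lt 8 ] || [ "$minor" -gt 16 ]; then
        echo not-in-range
        return 0
    fi
    case "$knob" in
        0)   echo exposed ;;    # unprivileged users may load BPF programs
        1|2) echo mitigated ;;  # 1: off, locked until reboot; 2: off, root may change it
        *)   echo unknown ;;    # sysctl missing or unreadable
    esac
}

# Read-only check of the running host.
check_host() {
    value=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo missing)
    bpf_exposure "$(uname -r)" "$value"
}

echo "kernel $(uname -r): $(check_host)"
```

A value set with sysctl -w is lost at reboot; putting the same key in a file under /etc/sysctl.d/ keeps it applied.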

Finally, it should be mentioned that the problem has been present since Linux kernel 5.8 and remains unpatched (including version 5.16), which is why the exploit code will be held back for 7 days and published at 12:00 UTC, that is, on January 18, 2022.

This is intended to allow enough time for corrective patches to reach users of the different Linux distributions through each distribution's official channels, so that both developers and users can fix the vulnerability.

Those who want to follow the status of the updates that remove the problem in some of the main distributions should know that it can be tracked from these pages: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch.

If you are interested in knowing more about it, you can check the original statement at the following link.

