Vulnerability found in cgroups v1 that allows escaping from an isolated container

A few days ago, details were published of a vulnerability found in the implementation of the cgroups v1 resource-limiting mechanism in the Linux kernel, which has already been catalogued as CVE-2022-0492.

The vulnerability was found to be usable for escaping from isolated containers, and it is stated that the problem has existed since Linux kernel 2.6.24.

The blog post notes that the vulnerability is due to a logic error in the release_agent file handler, which did not perform the proper check when running the handler with full privileges.

The release_agent file is used to define the program that the kernel runs when a process in a cgroup terminates. This program runs as root with all "capabilities" in the root namespace. Only the administrator was supposed to have access to the release_agent configuration, but in practice the checks were limited to granting access to the root user, which did not prevent the configuration from being changed from a container or by a root user without administrator rights (CAP_SYS_ADMIN).

Previously, this feature would not have been seen as a vulnerability, but the situation changed with the arrival of user namespaces, which allow separate root users to be created in containers that do not overlap with the root user of the host environment.

Accordingly, for the attack it is enough, in a container with its own root user in a separate user ID namespace, to plug your own handler into release_agent; when the process terminates, it will run with all the privileges of the parent environment.

By default, cgroupfs is mounted read-only in a container, but nothing prevents this pseudo-filesystem from being remounted writable with CAP_SYS_ADMIN rights, or by creating a nested container with a separate user namespace using the unshare system call, in which CAP_SYS_ADMIN rights are available inside the created container.

The attack can be carried out by having root rights in an isolated container, or by running a container without the no_new_privs flag, which prevents acquiring additional privileges.

The system must have user namespace support enabled (enabled by default on Ubuntu and Fedora, but not on Debian and RHEL) and have access to the cgroup v1 root (for example, Docker runs containers in the root RDMA cgroup). The attack is also possible with CAP_SYS_ADMIN rights, in which case user namespace support and access to the cgroup v1 root hierarchy are not required.

In addition to escaping from an isolated container, the vulnerability also allows processes started by the root user without "capabilities", or any user with CAP_DAC_OVERRIDE rights (the attack requires access to the root-owned /sys/fs/cgroup/*/release_agent file), to gain all system "capabilities".

Outside containers, the vulnerability can allow root host processes without capabilities, or host processes holding the CAP_DAC_OVERRIDE capability, to escalate privileges to full capabilities. This can allow attackers to bypass a hardening measure used by some services, which drops capabilities in an attempt to limit the impact if a compromise occurs.

Unit 42 recommends that users upgrade to a fixed kernel version. For running containers, enable Seccomp and make sure AppArmor or SELinux is enabled. Prisma Cloud users can refer to the "Prisma Cloud Protection" section to see the mitigations Prisma Cloud provides.

Note that the vulnerability cannot be exploited when the Seccomp, AppArmor or SELinux protection mechanisms are used for additional container isolation, since Seccomp blocks the unshare() system call and AppArmor and SELinux do not allow cgroupfs to be mounted writable.

Finally, it is worth mentioning that the issue was fixed in kernel versions 5.16.12, 5.15.26, 5.10.97, 5.4.177, 4.19.229, 4.14.266 and 4.9.301. You can follow the release of package updates in the distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux.
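To check whether a running container still meets the preconditions the article lists (unpatched kernel, user namespaces enabled, no_new_privs missing, Seccomp off, a writable cgroup v1 mount), here is an added Python audit helper; it is not code from the article or from Unit 42, and the sample /proc-style inputs and the rule that unlisted series newer than 5.16 are treated as fixed are assumptions of this example.

```python
"""Constructed audit helper (not from the article or Unit 42): check a
container for the preconditions the article lists for CVE-2022-0492."""
import re

# Fixed stable releases named in the article. Assumption: unlisted series
# newer than 5.16 (mainline 5.17+) also carry the fix; unlisted older ones do not.
FIXED = {(5, 16): 12, (5, 15): 26, (5, 10): 97, (5, 4): 177,
         (4, 19): 229, (4, 14): 266, (4, 9): 301}

def kernel_is_fixed(release):
    """True/False for an X.Y.Z release string; None if it cannot be parsed."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        return None
    x, y, z = (int(g) for g in m.groups())
    if (x, y) in FIXED:
        return z >= FIXED[(x, y)]
    return (x, y) > (5, 16)

def parse_status(text):
    """Read NoNewPrivs and Seccomp from /proc/<pid>/status-style text."""
    fields = dict(line.split(":\t", 1) for line in text.splitlines() if ":\t" in line)
    return {"no_new_privs": fields.get("NoNewPrivs", "0").strip() == "1",
            "seccomp": fields.get("Seccomp", "0").strip() != "0"}

def writable_cgroup_v1_mounts(mounts_text):
    """Mount points where cgroup v1 (fstype 'cgroup') is mounted read-write."""
    hits = []
    for line in mounts_text.splitlines():
        parts = line.split()  # device mountpoint fstype options dump pass
        if len(parts) >= 4 and parts[2] == "cgroup" and "rw" in parts[3].split(","):
            hits.append(parts[1])
    return hits

def assess(release, status_text, mounts_text, max_user_ns):
    """Map each precondition to True when it is present (i.e. a risk)."""
    st = parse_status(status_text)
    return {"kernel_unpatched": kernel_is_fixed(release) is False,
            "userns_enabled": max_user_ns > 0,  # /proc/sys/user/max_user_namespaces
            "no_new_privs_missing": not st["no_new_privs"],
            "seccomp_off": not st["seccomp"],
            "rw_cgroup_v1": writable_cgroup_v1_mounts(mounts_text)}

# Constructed sample inputs: an unconfined container on an unpatched kernel.
SAMPLE_STATUS = "Name:\tsh\nNoNewPrivs:\t0\nSeccomp:\t0\n"
SAMPLE_MOUNTS = ("cgroup /sys/fs/cgroup/rdma cgroup ro,nosuid,rdma 0 0\n"
                 "cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,memory 0 0\n")
```

On a live system, feed `assess()` the contents of /proc/self/status, /proc/self/mounts, the value of /proc/sys/user/max_user_namespaces and `os.uname().release`; every True entry is a precondition still in place.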

Finally, if you are interested in learning more about it, you can check the details at the following link.

