Le phrojekthi I-Openwall isanda kumemezela ukukhishwa kwe-LKRG 0.9.4 kernel module (I-Linux Kernel Runtime Guard), eklanyelwe ukuthola futhi ivimbe ukuhlaselwa kanye nokwephulwa kobuqotho bezakhiwo ze-kernel.
I-LKRG ipakishwe njenge imojuli ye-kernel elayishekayo ezama ukuthola izinguquko ezingagunyaziwe ku-kernel esebenzayo (ukuhlola ubuqotho) noma izinguquko kuzimvume zezinqubo zomsebenzisi (ukutholwa kobungozi).
Ukuhlolwa kobuqotho kwenziwa ngokusekelwe ekuqhathanisweni kwama-hashes okubaliwe ezindawo zenkumbulo ezibaluleke kakhulu kanye nezinhlaka zedatha ye-kernel (IDT (Ithebula Lencazelo Yokuphazamisa), i-MSR, amatafula okushaya ucingo, zonke izinqubo nemisebenzi, izibambi eziphazamisayo, uhlu lwamamojula alayishiwe, okuqukethwe. yesigaba .sombhalo wamamojula, izibaluli zenqubo, njll.).
Inqubo yokuqinisekisa yenziwa isebenze ngezikhathi ezithile kusetshenziswa isibali sikhathi futhi uma izenzakalo ezihlukahlukene ze-kernel zenzeka (isibonelo, uma i-setuid, i-setreuid, imfoloko, iphuma, yenza, yenza_init_module, njll. izingcingo zesistimu zenziwa).
Mayelana ne-Linux Kernel Runtime Guard
Ukutholwa kokusetshenziswa okungenzeka kokuxhaphaza kanye nokuvinjwa kokuhlasela kwenziwa esigabeni ngaphambi kokuba i-kernel inikeze ukufinyelela kuzinsiza (isibonelo, ngaphambi kokuvula ifayela), kodwa ngemva kokuba inqubo inikezwe izimvume ezingagunyaziwe ( isibonelo, ukushintsha i-UID) .
Uma kutholwa ukuziphatha okungagunyaziwe kwezinqubo, zinqanyulwa ngenkani, okwanele ukuvimba ukuxhashazwa okuningi. Njengoba iphrojekthi isesigabeni sokuthuthukiswa futhi ukulungiswa akukenziwa, izindleko zokusebenza eziphelele ze-module cishe zi-6.5%, kodwa esikhathini esizayo kuhlelwe ukunciphisa kakhulu lesi sibalo.
Imodyuli kufanelekile kokubili ukuhlela ukuvikelwa ezenzweni esezaziwa kakade ye-Linux kernel mayelana nokuxhashazwa kobuthakathaka obungaziwa okwamanje, uma bengasebenzisi izinyathelo ezikhethekile zokugwema i-LKRG.
Ababhali abafaki ngaphandle ukuba khona kwamaphutha kukhodi ye-LKRG kanye nemibono engamanga engenzeka, ngakho-ke, abasebenzisi bayamenywa ukuthi baqhathanise izingozi zamaphutha okungenzeka ku-LKRG nezinzuzo zendlela yokuvikela ehlongozwayo.
Ezakhiweni ezinhle ze-LKRG, kuphawulwe ukuthi indlela yokuvikela yenziwe ngendlela yemodyuli elayishwayo, hhayi i-kernel patch, evumela ukuthi isetshenziswe ngezinhlamvu zokusabalalisa ezivamile.
Izici ezintsha eziyinhloko ze-LKRG 0.9.4
Kule nguqulo entsha yemojula eyethulwa, kugqanyiswe ukuthi ungeze usekelo lwesistimu yokuqalisa ye-OpenRC, kanye nokwengeza imiyalelo yokufaka usebenzisa I-DKMS.
Olunye ushintsho olugqamayo kule nguqulo entsha ukuthi inikeza ukuhambisana nama-LTS-kernels avela ku-Linux 5.15.40+.
Ngaphezu kwalokhu, kuphinde kuqokonyiswe ukuthi idizayini yokuphuma komlayezo kulogi iklanywe kabusha ukuze kube lula ukuhlaziya okuzenzakalelayo futhi kube lula ukuqonda ngesikhathi sokuhlaziya okwenziwa ngesandla nokuthi imilayezo ye-LKRG inezigaba zayo zamalogi, okwenza kube lula ukuyihlukanisa nayo. eminye imilayezo ye-kernel.
Ngakolunye uhlangothi, kushiwo futhi lokho kushintshwe igama lemojuli ye-kernel ukusuka ku-p_lkrg kuya ku-lkrg futhi? inguqulo endala ye-LKRG 0.9.3 isasebenza kuzinguqulo ezintsha ze-kernel (5.19-rc* kuze kube manje). Nokho, ekusebenzisaneni isikhathi eside ne-Kernel 5.15.40+, akunjalo izinguquko ezenziwe kunguqulo 0.9.4 kufanele zisetshenziswe.
Kushiwo futhi lokho ezinye izinguquko ziyacatshangelwa okuhlobene (kodwa mhlawumbe okuhlukile) ukuze kufakwe ku-LKRG ukuzivikela, isibonelo, ukucushwa kwayo kwesikhathi sokusebenza kusekhasini lememori eligcinwa lifundwa kuphela isikhathi esiningi, phakathi kokunye ukuthuthukiswa.
Okokugcina uma unentshisekelo yokwazi kabanzi ngakho, ungabheka imininingwane kufayela le- isixhumanisi esilandelayo.
Ikakhulukazi, imojuli ihlolwe nge-RHEL kernel, OpenVZ/Virtuozzo kanye no-Ubuntu. Ngokuzayo kuzokwazi ukuhlela inqubo yokwakha ngokuhambisana kanambambili kokusatshalaliswa okuhlukahlukene okudumile.