Andrey Konovalov, ya raba wata hanya ta nakasa kullewa

Andrew Konovalov Injiniyan Google, bayyana wata hanya don kawar da kariya daga nesa kullewa miƙa a cikin kernel na Linux wanda aka bayar a Ubuntu. Da wanne ya nuna cewa hanyoyin kariya ba su da tasiri, kuma ya kuma ambaci cewa hanyoyin da ya bayyana a ka'idar ya kamata suyi aiki tare da kwayar Fedora da sauran rarraba su kuma, (amma ba a gwada su ba).

Ga wadanda basu san kullewa ba, ya kamata su san cewa yana cikin kayan kwayar Linux wancan Babban aikinta shine iyakance damar mai amfani a cikin kwayar tsarin da wannan aikin an koma zuwa tsarin LSM a zabi tilas (Linux Security Module), wanda sanya shinge tsakanin UID 0 da kwaya, iyakance wasu ƙananan ayyuka.

Wannan yana ba da damar aikin kulle ya zama tushen siyasa maimakon sanya lamba mai ma'ana a cikin tsarin, don haka makullin da aka haɗa a cikin Module na Tsaro na Linux yana ba da aiwatarwa tare da manufa mai sauƙi da nufin amfani da shi gaba ɗaya. Wannan manufar tana ba da matakin daidaitawa ta hanyar layin umarnin kernel.

Game da kullewa

Kulle ya taƙaita samun tushen tushen kwaya kuma ya toshe hanyoyin wucewa na boot na UEFI.

Misali, a yanayin kulle, samun dama zuwa / dev / mem, / dev / kmem, / dev / tashar jiragen ruwa, / proc / kcore, debugfs, debug mode kprobes, mmiotrace, tracefs, BPF, PCMCIA CIS, da sauransu, wasu maɓallan sune iyakance da rajistar ACPI da MSR na CPU.

Yayin da kexec_file da kiran kexec_load suke, an hana yanayin bacci, an hana amfani da DMA ga kayan aikin PCI, shigo da lambar ACPI daga masu canzawa na EFI an hana, kuma an hana magudi ta tashar shigar da bayanai / fitarwa, gami da sauya lambar katsewa da I / Ya tashar don tashar serial.

Kamar yadda wasu zasu iya sani, inji na an kara kullewa a cikin kwaya ta Linux ta 5.4, amma har yanzu ana aiwatar da shi ta hanyar faci ko ƙarin ta hanyar faci a kan ginshiƙin da aka bayar tare da rarrabawa.

Anan, ɗayan bambance-bambance tsakanin abubuwan da aka samar dasu a cikin rarrabawa da kuma aiwatar da kwaya shine ikon kashe makullin da aka bayar yayin samun damar jiki ga tsarin.

Ubuntu da Fedora suna amfani da maɓallin kewayawa Alt + SysRq + X don kashe makullin. An fahimci cewa haɗuwa Alt + SysRq + X ana iya amfani da shi kawai tare da samun damar zahiri zuwa na'urar kuma a yayin faruwar harin nesa da samun tushen, maharin ba zai iya kashe makullin ba.

Za a iya kashe kullewa daga nesa

Andrei Konovalov ya tabbatar da hakan hanyoyin da suka shafi keyboard don tabbatar da kasancewar mai amfani ba shi da tasiri.

Shi bayyana cewa hanya mafi sauki don musanya makullin shine a kwaikwayi latsa Alt + SysRq + X ta hanyar / dev / shigarwa, amma an fara katange wannan zaɓi.

Amma, aƙalla wasu hanyoyi biyu don sauyawa Alt + SysRq + X.

  • Hanya ta farko ta ƙunshi amfani da kewayawa sysrq-jawo: don yin kwaikwayo, kawai kunna wannan aikin ta buga "1" a ciki / proc / sys / kwaya / sysrq sannan buga "x" a ciki / proc / sysrq-jawo.
    An gyara wannan rata a cikin sabunta kwaron watan Ubuntu na Disamba kuma a Fedora 31. Abin lura ne cewa masu haɓaka, kamar yadda yake a yanayin / dev / shigarwa, da farko sun yi kokarin toshe wannan hanyar, amma toshewar ba ta yi aiki ba saboda bug a cikin lambar.
  • Hanya ta biyu ita ce ta yin kwaikwayon mabuɗin ta USB / IP sannan a aika da jerin Alt + SysRq + X daga mabuɗin kama-da-wane.
    A cikin kwaya, USB / IP da Ubuntu ke bayarwa ana kunna shi ta tsohuwa da kuma matakan usbip_core y vhci_hcd ana ba da buƙata tare da sa hannun dijital da ake buƙata.
    Wani mai kai hari na iya ƙirƙirar na'urar USB ta kamala ta hanyar sarrafa mai kula da cibiyar sadarwa a kan maɓallin kewayawa da haɗa shi azaman na'urar USB mai nisa ta amfani da USB / IP.

An ba da rahoton ƙayyadaddun hanyar ga masu haɓaka Ubuntu, amma ba a sake sakin bayani ba tukuna.

Source: https://github.com


Kasance na farko don yin sharhi

Bar tsokaci

Your email address ba za a buga. Bukata filayen suna alama da *

*

*

  1. Wanda ke da alhakin bayanan: Miguel Ángel Gatón
  2. Manufar bayanan: Sarrafa SPAM, sarrafa sharhi.
  3. Halacci: Yarda da yarda
  4. Sadarwar bayanan: Ba za a sanar da wasu bayanan ga wasu kamfanoni ba sai ta hanyar wajibcin doka.
  5. Ajiye bayanai: Bayanin yanar gizo wanda Occentus Networks (EU) suka dauki nauyi
  6. Hakkoki: A kowane lokaci zaka iyakance, dawo da share bayanan ka.