Andrey Konovalov shares a method to disable lockdown

Andrey Konovalov, a Google software engineer, has disclosed a method for remotely disabling the lockdown protection provided in the Linux kernel shipped with Ubuntu. This shows that the protection mechanisms are ineffective. He also said that the methods he disclosed should work with the Fedora kernel and other distributions as well (but they have not been tested).

For those unfamiliar with lockdown: it is a component of the Linux kernel whose main function is to restrict the root user's access to the kernel. This functionality has been moved into an optionally loaded LSM (Linux Security Module), which creates a barrier between UID 0 and the kernel and restricts certain low-level functions.

This allows the lockdown function to be policy-based rather than hard-coding an implicit policy within the mechanism, so the lockdown included in the Linux Security Module provides an implementation with a simple policy intended for general use. This policy provides a level of granularity that can be controlled through the kernel command line.

About lockdown

Lockdown restricts root access to the kernel and blocks the paths for bypassing UEFI Secure Boot.

For example, in lockdown mode, access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, kprobes debug mode, mmiotrace, tracefs, BPF and PCMCIA CIS, among others, is restricted; some interfaces are limited, as are the ACPI and MSR registers of the CPU.

The kexec_file and kexec_load calls are blocked, sleep mode is prohibited, the use of DMA for PCI devices is limited, importing ACPI code from EFI variables is prohibited, and manipulation of I/O ports is not allowed, including changing the interrupt number and the I/O port for the serial port.

As some may know, the lockdown mechanism was added in Linux kernel 5.4, but it is still implemented as patches, or supplemented by patches, in the kernels supplied with distributions.

One of the differences between the add-ons provided in distributions and the implementation built into the kernel is the ability to disable the provided lock when there is physical access to the system.

Ubuntu and Fedora use the key combination Alt + SysRq + X to disable lockdown. The understanding is that the Alt + SysRq + X combination can only be used with physical access to the device, so in the case of a remote attack that gains root access, the attacker will not be able to disable lockdown.

Lockdown can be disabled remotely

Andrey Konovalov showed that keyboard-based methods for confirming a user's physical presence are ineffective.

He revealed that the simplest way to disable the lock would be to simulate pressing Alt + SysRq + X via /dev/uinput, but this option is blocked from the start.

However, two other methods can substitute for Alt + SysRq + X.

  • The first method involves using the sysrq-trigger interface: to simulate the key press, simply enable this interface by writing "1" to /proc/sys/kernel/sysrq and then write "x" to /proc/sysrq-trigger.
    This gap was fixed in the December Ubuntu kernel update and in Fedora 31. It is noteworthy that the developers, as with /dev/uinput, initially tried to block this method, but the block did not work because of a bug in the code.
  • The second method is to emulate the keyboard via USB/IP and then send the Alt + SysRq + X sequence from the virtual keyboard.
    In the kernel shipped with Ubuntu, USB/IP is enabled by default, and the required usbip_core and vhci_hcd modules are provided with the required digital signature.
    An attacker can create a virtual USB device by running a network handler on the loopback interface and connecting it as a remote USB device using USB/IP.

The described method has been reported to the Ubuntu developers, but a fix has not yet been released.
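
A read-only check of the settings the two methods above depend on, as an added example that is not from the original post or from Konovalov's write-up: it reports the active lockdown mode, the kernel.sysrq value and whether the usbip_core or vhci_hcd modules are loaded. It assumes the upstream securityfs file /sys/kernel/security/lockdown (active mode in brackets), which patched distribution kernels may not provide; the function names and the rule of flagging any non-zero kernel.sysrq are this example's own.

```sh
#!/bin/sh
# Added example: read-only audit of the settings this article discusses.
# Paths are parameters so the functions can run on constructed sample files.

# Active lockdown mode = the bracketed word, e.g. "none [integrity] confidentiality".
lockdown_mode() {
    f=${1:-/sys/kernel/security/lockdown}
    [ -r "$f" ] || { echo unavailable; return 0; }
    m=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f" 2>/dev/null) || m=
    echo "${m:-unknown}"
}

# Current kernel.sysrq value (0 = SysRq functions disabled).
sysrq_mask() {
    f=${1:-/proc/sys/kernel/sysrq}
    [ -r "$f" ] || { echo unavailable; return 0; }
    tr -d ' \n' < "$f"
}

# Names of the loaded USB/IP modules named in the article, space separated.
usbip_modules() {
    f=${1:-/proc/modules}
    [ -r "$f" ] || return 0
    awk '$1 == "usbip_core" || $1 == "vhci_hcd" { print $1 }' "$f" | sort | paste -s -d ' ' -
}

# Print one line per item to review; return 1 if there is at least one.
# Policy (an assumption of this example): any non-zero kernel.sysrq is flagged.
audit() {
    mode=$(lockdown_mode "$1"); mask=$(sysrq_mask "$2"); mods=$(usbip_modules "$3")
    rc=0
    case $mode in
        integrity|confidentiality) ;;
        *) echo "REVIEW: lockdown mode is '$mode'"; rc=1 ;;
    esac
    [ "$mask" = 0 ] || { echo "REVIEW: kernel.sysrq=$mask"; rc=1; }
    [ -z "$mods" ] || { echo "REVIEW: USB/IP modules loaded: $mods"; rc=1; }
    return $rc
}

# With no arguments the real /sys and /proc paths are read.
audit "$@" || echo "One or more settings need review."
```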

Source: https://github.com

