Andrey Konovalov, a software engineer at Google, has disclosed a way to remotely disable the lockdown protection provided in the Linux kernel shipped with Ubuntu. With it he shows that the protection mechanisms are ineffective, and he also notes that the methods he disclosed should in theory work with the Fedora kernel and other distributions as well (but this has not been tested).
For those unfamiliar with Lockdown: it is a component of the Linux kernel whose main function is to restrict the root user's access to the kernel. This functionality has been moved into an optionally loaded LSM (Linux Security Module), which establishes a barrier between UID 0 and the kernel and restricts certain low-level functions.
This allows the lockdown function to be policy-based instead of hard-coding an implicit policy inside the mechanism, so the lockdown included in the Linux Security Module provides an implementation with a simple policy intended for general use. This policy offers a level of granularity that can be controlled from the kernel command line.
About Lockdown
Lockdown restricts root access to the kernel and blocks paths for bypassing UEFI Secure Boot.
For example, in lockdown mode, access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, kprobes debug mode, mmiotrace, tracefs, BPF and PCMCIA CIS, among others, is restricted; some interfaces are limited, as are the ACPI and MSR registers of the CPU.
In addition, the kexec_file and kexec_load calls are blocked, sleep mode is prohibited, the use of DMA for PCI devices is limited, importing ACPI code from EFI variables is prohibited, and manipulation of input/output ports is not allowed, including changing the interrupt number and the I/O port for the serial port.
As some may know, the lockdown mechanism was added in Linux kernel 5.4, but it is still implemented in the form of patches, or supplemented by patches, in the kernels supplied with distributions.
Here, one of the differences between the add-ons provided in distributions and the implementation built into the kernel is the ability to disable the provided lockdown when there is physical access to the system.
Ubuntu and Fedora use the key combination Alt + SysRq + X to disable the lockdown. The understanding is that the Alt + SysRq + X combination can only be used with physical access to the device, and that in the case of a remote attack with root access the attacker will not be able to disable the lockdown.
Lockdown can be disabled remotely
Andrey Konovalov demonstrated that keyboard-related methods for confirming the physical presence of the user are ineffective.
He pointed out that the simplest way to disable the lockdown would be to simulate pressing Alt + SysRq + X through /dev/uinput, but this option is blocked from the start.
However, there are at least two other ways to substitute for Alt + SysRq + X.
- The first method involves using the sysrq-trigger interface: to simulate the key press, simply enable this interface by writing "1" to /proc/sys/kernel/sysrq and then write "x" to /proc/sysrq-trigger.
This gap was fixed in the December Ubuntu kernel update and in Fedora 31. It is worth noting that the developers, as in the case of /dev/uinput, initially tried to block this method, but the block did not work because of a bug in the code.
- The second method is to emulate a keyboard via USB/IP and then send the Alt + SysRq + X sequence from the virtual keyboard.
In the kernel supplied by Ubuntu, USB/IP is enabled by default, and the required usbip_core and vhci_hcd modules are provided with the necessary digital signature.
An attacker can create a virtual USB device by running a network controller on the loopback interface and connecting it as a remote USB device using USB/IP.
The method described has been reported to the Ubuntu developers, but a fix has not yet been released.
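A defender-side posture check for the two software paths described above, added here as an example; it is not code from the original article or from Konovalov's write-up. It assumes the kernel exposes the upstream lockdown state file /sys/kernel/security/lockdown; the function names and the sample strings are constructed for illustration.

```python
from pathlib import Path

# /proc/sys/kernel/sysrq and the module names come from the article.
# /sys/kernel/security/lockdown is the upstream lockdown LSM state file
# (assumption: the distribution kernel exposes it too).
LOCKDOWN = "/sys/kernel/security/lockdown"
SYSRQ = "/proc/sys/kernel/sysrq"
MODULES = "/proc/modules"
USBIP_MODULES = {"usbip_core", "vhci_hcd"}

# Constructed sample inputs, used when the real files cannot be read.
SAMPLE = ("none [integrity] confidentiality\n", "1\n",
          "vhci_hcd 53248 0 - Live 0x0\nusbip_core 36864 1 vhci_hcd, Live 0x0\n")


def parse_lockdown(text):
    """Return the bracketed (active) mode, or None if no mode is marked."""
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    return None


def loaded_modules(text):
    """The first column of every /proc/modules line is the module name."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def audit(lockdown_text, sysrq_text, modules_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if parse_lockdown(lockdown_text) in (None, "none"):
        findings.append("lockdown: not active")
    sysrq = int(sysrq_text.strip() or 0)
    if sysrq != 0:  # 0 is the only value that rejects all keyboard SysRq combos
        findings.append(f"sysrq: kernel.sysrq={sysrq}, keyboard SysRq accepted")
    usbip = sorted(USBIP_MODULES & loaded_modules(modules_text))
    if usbip:
        findings.append("usbip: loaded " + ", ".join(usbip))
    return findings


if __name__ == "__main__":
    try:
        inputs = tuple(Path(p).read_text() for p in (LOCKDOWN, SYSRQ, MODULES))
    except OSError:
        inputs = SAMPLE  # fall back to the constructed sample
    print("\n".join(audit(*inputs)) or "no findings")
```

An empty usbip finding only means the modules are not loaded at the moment; since the article notes they ship signed, a separate check of the module-loading policy is still needed.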
Source: https://github.com