Linux kernel will introduce a security lockdown feature

After many years of review, discussion and code rewriting, Linus Torvalds has merged a new security feature, called "lockdown", into the Linux kernel.

The new feature will ship as an LSM (Linux Security Module) in the upcoming Linux kernel 5.4 release. Because it carries a risk of breaking existing systems, the feature is optional and is not enabled by default.

The lockdown feature is designed to prevent the root account from tampering with kernel code, drawing a line between user-mode processes and the kernel. With it enabled, even the root account cannot access certain kernel functionality, which protects the operating system from damage done through the root account.

Linus Torvalds said that once the lockdown module is enabled, various kinds of kernel functionality will be restricted. The restrictions include limiting access to certain kernel functions, blocking read and write access to /dev/mem, limiting access to CPU MSRs (model-specific registers), and preventing the system from going to sleep.

Lockdown supports two modes that activate different levels of restriction. "Integrity" mode prevents users from modifying the running kernel. The other mode, "confidentiality", prevents users from extracting confidential information from the kernel.
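As an added illustration (not code from the article, ZDNet or the kernel project), the following POSIX shell script reports which lockdown mode a running kernel is in and which classes of action that mode restricts. It assumes the securityfs file /sys/kernel/security/lockdown and its format, in which every mode is listed and the active one is shown in brackets, as documented for kernels 5.4 and later; the action classification is a simplification of the restrictions described above, and the function and action names are the script's own.

```shell
#!/bin/sh
# Added example: read the kernel lockdown state from securityfs and map the
# active mode to the classes of action it restricts.
# Assumption: the file lists all modes with the active one in brackets,
# e.g. "none [integrity] confidentiality" (kernel 5.4+ with the lockdown LSM).
LOCKDOWN_FILE=/sys/kernel/security/lockdown

# lockdown_mode STATE_STRING -> prints the bracketed (active) mode, or "unknown"
lockdown_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')
    if [ -n "$mode" ]; then
        echo "$mode"
    else
        echo unknown
    fi
}

# lockdown_blocks ACTION MODE -> exit status 0 if ACTION is restricted under MODE.
# Simplified classification (assumption, drawn from the article's description):
# integrity mode blocks ways of modifying the running kernel; confidentiality
# mode blocks those and also ways of reading kernel memory or secrets.
lockdown_blocks() {
    case "$1" in
        devmem_access|msr_write|unsigned_module_load|hibernate)
            [ "$2" = integrity ] || [ "$2" = confidentiality ] ;;
        kcore_read)
            [ "$2" = confidentiality ] ;;
        *)
            return 1 ;;
    esac
}

# Report on the live system if securityfs is mounted, otherwise on a
# constructed sample state string so the script still runs offline.
report() {
    if [ -r "$LOCKDOWN_FILE" ]; then
        state=$(cat "$LOCKDOWN_FILE")
    else
        state='none [integrity] confidentiality'   # constructed sample
    fi
    active=$(lockdown_mode "$state")
    echo "lockdown mode: $active"
    for action in devmem_access msr_write hibernate kcore_read; do
        if lockdown_blocks "$action" "$active"; then
            echo "  $action: blocked"
        else
            echo "  $action: allowed"
        fi
    done
}

report
```

Reading the lockdown file does not require root, so the check fits into an unprivileged compliance or inventory script. The mode is selected at boot (the kernel documentation describes a `lockdown=` command-line parameter for this), so a host that is expected to be locked down but reports `none` is a boot-configuration finding rather than something to correct at runtime.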

Work on the kernel lockdown feature began in the early 2010s and is now led by Google engineer Matthew Garrett. The idea behind the feature is to create a security mechanism that prevents privileged users (even the "root" account) from tampering with kernel code.

At the time, even if a Linux system used a secure boot mechanism, malware could still tamper with kernel code by abusing components with special elevated privileges, such as drivers and the root account. Over the years, many security experts have asked for the Linux kernel to support a more effective way of restricting the root account and improving kernel security.

When the feature was first proposed, Linus Torvalds himself was one of its biggest opponents and criticized it heavily. As a result, many Linux distributions developed their own lockdown patches, carried on top of the mainline kernel. By 2018, supporters and opponents had gradually reached a middle ground, and this year work on the lockdown feature finally made new progress.

The approval of the feature has been widely welcomed by the Linux and network security communities. For details, see:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aefcf2f4b58155d27340ba5f9ddbe9513da8286d

Source: ZDNet

Origin www.oschina.net/news/110281/linux-to-get-kernel-lockdown-feature