Linus Torvalds lockdown mode on Linux Kernel

After years of discussion and rewriting , Linus Torvalds approved το Σάββατο ένα νέο ασφάλειας για τον πυρήνα του Linux, το οποίο ονομάζεται “lockdown”.

The new feature will come as an LSM (Linux Security Module) to the Kernel that will be released soon and will be disabled by default. Its use will be optional due to the risk of knocking down existing systems.


The main function of the new feature will be to bridge the gap between the user processes and the core code, even preventing the root account from interact with the Kernel code, something that could have happened to date.

When enabled, the "lock" feature will restrict some kernel functionality, even for the root user, making it harder for attackers with root privileges to compromise the rest of the operating system.

“Το lockdown έχει σκοπό να επιτρέψει στους πυρήνες να κλειδώνονται νωρίς κατά την εκκίνησης”, δήλωσε ο Matthew Garrett, μηχανικός της Google που πρότεινε το χαρακτηριστικό αυτό χρόνια πριν.

"Once enabled, various kernel functions will be limited," said Linus Torvalds.

This includes restricting access to kernel functions that can allow the execution of arbitrary code provided by user processes:

Διεργασίες δέσμευσης από την εγγραφή ή την ανάγνωση μνήμης /dev/mem και /dev/kmem .

Block access to / dev / port.

Implement kernel module signatures and much more listed here.

The new module will support two ways of locking, which in the description are referred to as "integrity" and "confidentiality" (integrity and confidentiality).

Each mode is unique and will limit access to different kernel functions.

“Εάν έχει ρυθμιστεί στο ακεραιότητα, οι του πυρήνα που επιτρέπουν στον user να τροποποιήσει τον τρέχοντα πυρήνα θα είναι απενεργοποιημένες”, ανέφερε ο Torvalds.

"If set to privacy, the kernel capabilities that allow the user to extract confidential information from the kernel will also be disabled."

Discussions about the kernel's lockdown mode began at the beginning of the decade by Google engineer Matthew Garrett.

The idea behind this feature was to create a security mechanism that would prevent users from having increased privileges (even the "root" account) so that they could not violate the kernel code.

Τότε, αν και τα συστήματα Linux χρησιμοποιούσαν ασφαλείς μηχανισμούς εκκίνησης (secure ), υπήρχαν  τρόποι με τους οποίους ένα κακόβουλο λογισμικό θα μπορούσε να καταχραστεί τα drivers, τους root λογαριασμούς και τους λογαριασμούς χρηστών με ειδικά αυξημένα προνόμια για να παραβιάσουν τον κώδικα του πυρήνα.

Many security experts have been calling for the blocking of the kernel in recent years, but Torvalds did not particularly agree in the early days.

As a result, many Linux distributions, such as Red Hat, have developed their own containing the lock feature. But this year we will see the new feature in all distributions! The Best Technology Site in Greecefgns

Subscribe to Blog by Email

Subscribe to this blog and receive notifications of new posts by email.

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).