Linus Torvalds approved on Saturday a new security feature for the Linux kernel, named “lockdown.”
The new feature will ship as an LSM (Linux Security Module) in the soon-to-be-released Linux kernel 5.4 branch, where it will be turned off by default; usage will remain optional because of the risk of breaking existing systems.
The new feature’s primary function is to strengthen the divide between userland processes and kernel code by preventing even the root account from interacting with kernel code, something it has been able to do, by design, until now.
When enabled, the new “lockdown” feature will limit some kernel functionality, even for the root user, making it harder for a compromised root account to compromise the rest of the OS.
This includes restricting access to kernel features that would permit arbitrary code execution through code supplied by userland processes; blocking processes from writing to or reading from /dev/mem and /dev/kmem; blocking access to /dev/port to prevent raw port access; enforcing kernel module signatures; and many others.
The new module will support two lockdown modes, namely “integrity” and “confidentiality.” Each is distinct and restricts access to different kernel functionality.
If needed, extra lockdown modes can be added; however, doing so will require an external patch on top of the lockdown LSM.
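As an added example (not code from the article or the kernel project), the script below checks whether a running kernel's lockdown mode meets a required minimum. It assumes the lockdown LSM's securityfs file at /sys/kernel/security/lockdown, which lists the modes and brackets the active one; the sample status line is constructed so the script also runs on machines without the feature.

```shell
#!/bin/sh
# Audit a kernel's lockdown mode against a policy minimum.
LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"
SAMPLE_LINE="none [integrity] confidentiality"   # constructed sample of the file's content

# The file lists every mode and brackets the active one; extract the bracketed
# word, e.g. "none [integrity] confidentiality" -> "integrity".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Modes are ordered: each level keeps the restrictions of the one below it.
# none blocks nothing; integrity blocks modifying the running kernel (writes to
# /dev/mem, unsigned modules, ...); confidentiality additionally blocks reading
# kernel memory from userland. Unknown or empty input is an error.
lockdown_rank() {
    case "$1" in
        none) echo 0 ;;
        integrity) echo 1 ;;
        confidentiality) echo 2 ;;
        *) echo "unknown lockdown mode: '$1'" >&2; return 1 ;;
    esac
}

# lockdown_meets <status line> <required mode>: succeed only when the active
# mode is at least as strict as the required one.
lockdown_meets() {
    have=$(lockdown_rank "$(lockdown_mode "$1")") || return 1
    want=$(lockdown_rank "$2") || return 1
    [ "$have" -ge "$want" ]
}

# Read the live file when present, otherwise fall back to the constructed sample.
current_lockdown_line() {
    if [ -r "$LOCKDOWN_FILE" ]; then cat "$LOCKDOWN_FILE"; else printf '%s\n' "$SAMPLE_LINE"; fi
}

# Usage: require at least integrity mode and report the result.
line=$(current_lockdown_line)
if lockdown_meets "$line" integrity; then
    echo "lockdown OK: mode=$(lockdown_mode "$line")"
else
    echo "lockdown below policy (status line: $line)"
fi
```

Raising the mode at runtime (the kernel accepts a stricter mode written to the same file, never a weaker one) or setting lockdown= on the kernel command line is the remediation when the check fails.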