Lockdown, the upcoming Linux 5.4 feature that will improve our security

Lockdown

When we talk about Linux, the first thing that comes to mind for many is the terminal, but security comes a close second. No operating system is perfect, but the way Linux handles permissions makes vulnerabilities harder to exploit. Everything can improve, security included, and Linux 5.4 will include a new security module called Lockdown.

Linus Torvalds merged the feature last Saturday, after it had been debated for several years. The module will ship in Linux 5.4, the kernel version whose merge window is now open, but it will be disabled by default. It is implemented as an LSM (Linux Security Module), and it stays off by default because its restrictions can break existing setups that rely on root being able to poke at the running kernel.

Lockdown will be disabled by default in Linux 5.4

The main purpose of Lockdown is to strengthen the separation between user processes and the kernel, preventing even the root account from modifying the running kernel, something that has always been possible until now. The new LSM restricts a set of kernel interfaces so that a compromised root account cannot take over the rest of the system. Among other things, Lockdown blocks the kernel interfaces that let a userland process run arbitrary code in kernel mode (such as loading unsigned kernel modules), and it stops processes from reading or writing /dev/mem and /dev/kmem and from opening /dev/port.

There will be two Lockdown modes, "integrity" and "confidentiality", each restricting a different set of kernel functionality:

If set to integrity, the kernel interfaces that allow userland to modify the running kernel are disabled. If set to confidentiality, the kernel interfaces that allow userland to extract information from the kernel (such as reading kernel memory) are disabled as well, so confidentiality is a stricter superset of integrity.
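As an added example (not code from the original article or from the kernel project), the following POSIX shell script shows how an administrator interacts with Lockdown from userspace: it reads the active mode from the securityfs file, raises the mode at runtime, and probes whether /dev/mem can still be read. It assumes a 5.4 or newer kernel built with CONFIG_SECURITY_LOCKDOWN_LSM and securityfs mounted at /sys/kernel/security; the function names are this example's own.

```shell
#!/bin/sh
# Added example: inspect and exercise the Lockdown LSM from userspace.
# Assumes CONFIG_SECURITY_LOCKDOWN_LSM and securityfs at /sys/kernel/security.

LOCKDOWN_FILE=/sys/kernel/security/lockdown

# The securityfs file lists all three modes with the active one in
# brackets, e.g. "none [integrity] confidentiality".
# Extract the bracketed word; "unknown" if the line has no such marker.
lockdown_mode_from_line() {
    case "$1" in
        *"[none]"*)            echo none ;;
        *"[integrity]"*)       echo integrity ;;
        *"[confidentiality]"*) echo confidentiality ;;
        *)                     echo unknown ;;
    esac
}

# Read the live mode. Reading needs no privileges; "unsupported" means
# the LSM is not built in or securityfs is not mounted.
current_lockdown_mode() {
    if [ -r "$LOCKDOWN_FILE" ]; then
        lockdown_mode_from_line "$(cat "$LOCKDOWN_FILE")"
    else
        echo unsupported
    fi
}

# Tighten the mode at runtime (root only). Lockdown can only be raised,
# never lowered, so "none" is rejected here and by the kernel alike;
# lowering it requires a reboot. For a permanent setting boot with
# lockdown=integrity or lockdown=confidentiality on the kernel command line.
raise_lockdown_mode() {
    mode=$1
    case "$mode" in
        integrity|confidentiality) ;;
        *) echo "raise_lockdown_mode: refusing mode '$mode'" >&2; return 2 ;;
    esac
    echo "$mode" > "$LOCKDOWN_FILE"
}

# Try to read one page of physical memory through /dev/mem (run as root).
# Prints "blocked" when open or read fails, "readable" otherwise.
probe_dev_mem() {
    if dd if=/dev/mem bs=4096 count=1 of=/dev/null 2>/dev/null; then
        echo readable
    else
        echo blocked
    fi
}

report() {
    echo "lockdown mode: $(current_lockdown_mode)"
    echo "/dev/mem read: $(probe_dev_mem)"
}

report
```

A "blocked" result from the probe is not by itself proof that Lockdown intervened: CONFIG_STRICT_DEVMEM and plain file permissions refuse most /dev/mem reads too. When Lockdown is the cause, the refusal comes back as EPERM and the kernel log records it with a line beginning "Lockdown:" that names the restricted interface, so check dmesg after the probe.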

This is an important step on the road to making Linux even more secure, one that has been under discussion since 2010. Hopefully, from April 2020 onward we will be publishing fewer stories about security bugs patched by Canonical, thanks to a feature that should reach users in December. One caveat: Lockdown does not reduce the number of kernel bugs; it limits what an attacker who already has root can do with the running kernel, and only on systems where it has been switched on.
