After years of countless reviews, discussions, and code rewrites, Linus Torvalds approved on Saturday a new security feature for the Linux kernel, named “lockdown.”
The new feature will ship as a LSM (Linux Security Module) in the soon-to-be-released Linux kernel 5.4 branch, where it will be turned off by default; usage being optional due to the risk of breaking existing systems.
Putting a leash on the root account
The new feature’s primary function will be to strengthen the divide between userland processes and kernel code by preventing even the root account from interacting with kernel code — something that it’s been able to do, by design, until now.
When enabled, the new “lockdown” feature will restrict some kernel functionality, even for the root user, making it harder for compromised root accounts to compromise the rest of the OS.
“The lockdown module is intended to allow for kernels to be locked down early in [the] boot [process],” said Matthew Garrett, the Google engineer who proposed the feature a few years back.
“When enabled, various pieces of kernel functionality are restricted,” said Linus Torvalds, Linux kernel creator, and the one who put the final stamp of approval on the module yesterday.
This includes restricting access to kernel features that may allow arbitrary code execution via code supplied by userland processes; blocking processes from writing or reading /dev/mem and /dev/kmem memory; block access to opening /dev/port to prevent raw port access; enforcing kernel module signatures; and many more others, detailed here.
Two lockdown modes
The new module will support two lockdown modes, namely “integrity” and “confidentiality.” Each is unique, and restricts access to different kernel functionality.
“If set to integrity, kernel features that allow userland to modify the running kernel are disabled,” said Torvalds.
“If set to confidentiality, kernel features that allow userland to extract confidential information from the kernel are also disabled.”
If necessary, additional lockdown modes can also be added on top, but this will require an external patch, on top of the lockdown LSM.
A long time coming
Work on the kernel lockdown feature started in the early 2010s, and was spearheaded by now-Google engineer, Matthew Garrett.
The idea behind the kernel lockdown feature was to create a security mechanism to prevent users with elevetated permissions — even the vaunted “root” account — from tampering with the kernel’s code.
Back then, even if Linux systems were employing secure boot mechanisms, there were still ways that malware could abuse drivers, root accounts, and user accounts with special elevated privileges to tamper with the kernel’s code, and by doing so, gain boot persistence and a permanent foothold on infected systems.
Many security experts have asked across the years that the Linux kernel support a more potent way to restrict the root account and improve kernel security.
The main opposition came from Torvalds, who was one of the feature’s most ardent critics, especially in its early days.
As a result, many Linux distros, such as Red Hat, developed their own Linux kernel patches that added a lockdown feature on top of the mainline kernel. However, the two parties reached a middleground in 2018, and work progressed on the lockdown feature this year.
“The majority of mainstream distributions have been carrying variants of this patchset for many years now, so there’s value in providing a doesn’t meet every distribution requirement, but gets us much closer to not requiring external patches,” Torvalds said yesterday.
“Applications that rely on low-level access to either hardware or the kernel may cease working as a result – therefore this should not be enabled without appropriate evaluation beforehand.”
The news that a kernel lockdown module has been finally approved has been greeted positively in the Linux and cyber-security communities.