After fiddling with the idea for a long time, Linus Torvalds has finally decided to add a “lockdown” security feature to Linux kernel 5.4. The feature will be optional and will ship as a Linux Security Module in the upcoming Linux 5.4. It will bring a major change in how user space interacts with the Linux kernel. The lockdown feature is mainly intended to prevent the root account from tampering with kernel code, thus drawing a line between userland processes and kernel code. The security feature will be disabled by default when it ships. Once it is enabled, even root accounts won’t be able to access certain kernel functionality, which protects the operating system from being affected by a compromised root account. Some of the restrictions included in the lockdown feature are preventing hibernation of the system, blocking write operations to /dev/mem even for root accounts, blocking CPU MSR access, etc.
Submitted by: Arnfried Walbrecht