LWN
LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.
URL: https://lwn.net
Updated: 1 hour 25 min ago
[$] Unexporting kallsyms_lookup_name()
One of the basic rules of kernel-module development is that modules can
only access symbols (functions and data structures) that have been
explicitly exported. Even then, many symbols are restricted so that only
modules with a GPL-compatible license can access them. It turns out,
though, that there is a readily available workaround that makes it easy for
a module to access any symbol it wants. That workaround seems likely to be
removed soon despite some possible inconvenience for some out-of-tree
users; the reason why that is happening turns out to be relatively
interesting.
Security updates for Friday
Security updates have been issued by CentOS (java-1.7.0-openjdk and ppp), Debian (libimobiledevice, libusbmuxd, and pure-ftpd), Fedora (caddy, firejail, golang-github-gorilla-websocket, golang-vitess, hugo, mingw-libpng, php, and proftpd), openSUSE (chromium, enigmail, ipmitool, libsolv, libzypp, zypper, weechat, and yast2-rmt), Oracle (java-1.7.0-openjdk and ppp), Red Hat (java-1.7.0-openjdk and ppp), Scientific Linux (java-1.7.0-openjdk and ppp), and SUSE (java-1_8_0-ibm, kernel, mariadb, mariadb-100, openssl, php5, python, rsyslog, and texlive-filesystem).
[$] An end to high memory?
This
patch from Johannes Weiner seemed like a straightforward way to improve
memory-reclaim performance; without it, the virtual filesystem layer throws
away memory that the memory-management subsystem thinks is still worth
keeping. But that patch quickly ran afoul of a feature (or "misfeature"
depending on who one asks) from the distant past,
one which goes by the name of "high memory". Now, more than 20 years after its
addition, high memory may be
brought down low, as developers consider whether it should be deprecated
and eventually removed from the kernel altogether.
Security updates for Thursday
Security updates have been issued by CentOS (kernel, ksh, python-pillow, and thunderbird), Debian (opensmtpd, proftpd-dfsg, and rake), Fedora (NetworkManager-ssh), openSUSE (chromium), and SUSE (libexif, mariadb, ovmf, python3, and squid).
[$] LWN.net Weekly Edition for February 27, 2020
The LWN.net Weekly Edition for February 27, 2020 is available.
[$] Impedance matching for BPF and LSM
The "kernel runtime security instrumentation" (KRSI) patch set has been
making the rounds over the past few months; the idea is to use the Linux
security module (LSM) hooks as a way to detect, and potentially deflect,
active attacks against a running system.
It does so by allowing BPF programs to be attached to the LSM hooks. That has
caused some concern in the past about exposing the
security hooks as external kernel APIs, which makes them potentially
subject to the "don't break user space" edict. But
there has been no real objection
to the goals of KRSI. The fourth version
of the patch set was posted
by KP Singh on February 20; the concerns raised this time are about
its impact on the LSM infrastructure.
Security updates for Wednesday
Security updates have been issued by Debian (python-pysaml2), Mageia (clamav, graphicsmagick, opencontainers-runc, squid, and xmlsec1), Oracle (kernel, ksh, python-pillow, systemd, and thunderbird), Red Hat (rh-nodejs12-nodejs), Scientific Linux (ksh, python-pillow, and thunderbird), and SUSE (nodejs6, openssl, ppp, and squid).
[$] A look at "BPF Performance Tools"
BPF has exploded within the Linux world
over the last few years, growing
from its networking roots into the go-to tool for running custom
in-kernel programs. Its role seems to expand with every kernel release
into diverse areas such as security and device control. But none of that
is the focus of a relatively new book from Brendan Gregg, BPF
Performance Tools; it looks, instead, at how BPF provides visibility into
the guts of the kernel. Finding performance bottlenecks of
various sorts on (generally large) production systems is an area where BPF
and the tool set that has grown up around it can excel; Gregg's book
describes that landscape in great depth.
Manjaro 19.0 released
Version
19 of the Arch-based Manjaro distribution is out.
"The Xfce edition remains our flagship offering and has received the
attention it deserves. Only a few can claim to offer such a polished,
integrated and leading-edge Xfce experience. With this release we ship Xfce
4.14 and have mostly focused on polishing the user experience with the
desktop and window manager. Also we have switched to a new theme called
Matcha. A new feature Display-Profiles allows you to store one or more
profiles for your preferred display configuration. We also have implemented
auto-application of profiles when new displays are connected."
FSF to launch code hosting
The Free Software Foundation has announced
that it is planning to launch a public code hosting and collaboration
platform later this year. "We plan on contributing improvements
upstream for the new forge software we choose, to boost its score on [GNU
ethical repository] criteria. Our tech team is small for the size of the
network we maintain, and we don't have any full-time developers who work
for the FSF, so we are limited in the amount of time we can spend on the
software we choose. We'll communicate with the upstream developers to
request improvements and help clarify any questions related to the ethical
repository criteria."
Security updates for Tuesday
Security updates have been issued by Debian (curl and otrs2), Fedora (NetworkManager-ssh and python-psutil), Mageia (ipmitool, libgd, libxml2_2, nextcloud, radare2, and upx), openSUSE (inn and sudo), Oracle (kernel, ksh, python-pillow, and thunderbird), Red Hat (curl, kernel, nodejs:10, nodejs:12, procps-ng, rh-nodejs10-nodejs, ruby, and systemd), SUSE (dpdk, firefox, java-1_7_1-ibm, java-1_8_0-ibm, libexif, libvpx, nodejs10, nodejs8, openssl1, pdsh, slurm_18_08, python-azure-agent, python3, and webkit2gtk3), and Ubuntu (libapache2-mod-auth-mellon, libpam-radius-auth, and rsync).
[$] watch_mount(), watch_sb(), and fsinfo() (again)
Filesystems, by design, hide a lot of complexity from users. At times,
though, those users need to be able to look inside the black box and extract
information about what is going on within a filesystem. Answering this
need is David Howells, the creator of a number of filesystem-oriented
system calls; in this
patch set he tries to add three more, one of which we have seen before
and two of which are new.
Kernel prepatch 5.6-rc3
The 5.6-rc3 kernel prepatch is out for
testing. Linus says: "Fairly normal rc3 as far as I can tell. We've
seen bigger, but we've
seen smaller ones too. Maybe this is slightly on the low side of
average at this time, which would make sense since this was a smaller
merge window. Anyway, too much noise in the signal to be sure either
way."
Security updates for Monday
Security updates have been issued by Debian (libpam-radius-auth, pillow, ppp, proftpd-dfsg, and python-pysaml2), Fedora (firefox, glib2, hiredis, http-parser, libuv, mingw-openjpeg2, nghttp2, nodejs, openjpeg2, python-pillow, skopeo, and webkit2gtk3), Mageia (patch, postgresql, and systemd), Red Hat (ksh, nodejs:10, openjpeg2, python-pillow, systemd, and thunderbird), and SUSE (java-1_7_1-ibm, libsolv, libzypp, zypper, pdsh, slurm_18_08, and php53).
[$] CAP_PERFMON — and new capabilities in general
The perf_event_open()
system call is a complicated beast, requiring a fair amount of study to
master. This call also has some interesting security implications: it can
be used to obtain a lot of information about the running system, and the
complexity of the underlying implementation has made it more than usually
prone to unpleasant bugs. In current kernels, the security controls around
perf_event_open() are simple, though: if you have the
CAP_SYS_ADMIN capability, perf_event_open() is available
to you (though the system administrator can make it available without any
privilege at all). Some
current work to create a new capability for the perf events subsystem would
seem to make sense, raising the question of why adding new capabilities
isn't done more often.
Security updates for Friday
Security updates have been issued by CentOS (openjpeg2), Debian (cloud-init, jackson-databind, and python-reportlab), Red Hat (ksh, python-pillow, systemd, and thunderbird), Slackware (proftpd), SUSE (java-1_7_0-ibm, nodejs10, and nodejs12), and Ubuntu (ppp and squid, squid3).
[$] Memory-management optimization with DAMON
To a great extent, memory management is based on making predictions: which
pages of memory will a given process need in the near future?
Unfortunately, it turns out that predictions are hard, especially when they
are about future events. In the absence of useful information sent back from
the future, memory-management subsystems are forced to rely on observations
of recent behavior and an assumption that said behavior is likely
to continue. The kernel's memory-management decisions are
opaque to user space, though, and often result in less-than-optimal
performance. A pair of patch sets from SeongJae
Park tries to make memory-usage patterns visible to user space, and to let
user space change memory-management decisions in response.
Security updates for Thursday
Security updates have been issued by Debian (netty and netty-3.9), Fedora (ceph, dovecot, poppler, and webkit2gtk3), openSUSE (inn and rmt-server), Oracle (openjpeg2), Red Hat (rabbitmq-server), Scientific Linux (openjpeg2), SUSE (dnsmasq, rsyslog, and slurm), and Ubuntu (php7.0).
[$] LWN.net Weekly Edition for February 20, 2020
The LWN.net Weekly Edition for February 20, 2020 is available.
More in Tux Machines
- Highlights
- Front Page
- Latest Headlines
- Archive
- Recent comments
- All-Time Popular Stories
- Hot Topics
- New Members
Security and FUD: Updates, Keeper, WireGuard and Concerns About 2038
| The Chrome Cast 50: Linux on Chromebooks and the future of Chrome OS tablets
This week on The Chrome Cast, we’re exploring a couple seemingly-unconnected ideas that actually tie into one another quite well. First up is the heightened interest in Linux apps on Chrome OS. While we’ve been tracking along with the development of Crostini since before it was actually a thing, it’s been a while since we’ve really dug into what Chromebooks are capable of with Linux. As part of that renewed effort, we’ve launched Command Line, where we are focusing more on what users can do and get done with Linux apps on their Chromebook.
|
Linux-powered module charges up the RISC-V PolarFire SoC
Aries’ “M100PFS” module runs Linux on Microchip’s RISC-V based PolarFire SoC with FPGAs up to 265K LE. Features include up to 8GB LPDDR4, up to 64GB eMMC, and support for up to 16x SERDES lanes.
Aries Embedded announced one of the first compute modules equipped with the PolarFire SoC, a Linux-powered, FPGA-enabled RISC-V SoC from Microchip’s Microsemi unit (see farther below). The M100PFS has the same 74 x 42mm footprint as Aries’ similar M100PF module, which is equipped with the PolarFire FPGA without the Linux-ready RISC-V cores.
| Android as a Desktop
|
.svg_.png)
Content (where original) is available under CC-BY-SA, copyrighted by original author/s.
Recent comments
12 min 7 sec ago
15 min 12 sec ago
3 hours 5 min ago
3 hours 33 min ago
3 hours 34 min ago
3 hours 45 min ago
4 hours 30 min ago
5 hours 5 min ago
5 hours 35 min ago
13 hours 48 min ago