Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 2 hours 41 min ago

[$] Virtio without the "virt"

4 hours 20 min ago
When virtio was merged in Linux v2.6.24, its author, Rusty Russell, described the goal as being for "common drivers to be efficiently used across most virtual I/O mechanisms". Today, much progress has been made toward that goal, with virtio supported by multiple hypervisors and guest drivers shipped by many operating systems. But these applications of virtio are implemented in software, whereas Michael Tsirkin's "VirtIO without the Virt" talk at KVM Forum 2019 laid out how to implement virtio in hardware.

Security updates for Friday

11 hours 7 min ago
Security updates have been issued by Fedora (dpdk, mingw-djvulibre, mingw-hunspell, mingw-ilmbase, mingw-OpenEXR, php-symfony, php-symfony3, and rsyslog), openSUSE (chromium and squid), SUSE (aspell, cups, djvulibre, and dpdk), and Ubuntu (djvulibre).

Bad Binder: Android In-The-Wild Exploit (Project Zero)

Thursday 21st of November 2019 11:46:30 PM
Over on the Project Zero blog, Maddie Stone has a lengthy post about a zero-day exploit that was found and fixed in the Android Binder interprocess communication mechanism. The post details the search for the problem, which was apparently being used in the wild, its fix, and how it can be exploited. This is all part of an effort to "make zero-day hard"; one of the steps the project is taking is to disseminate more information on these bugs. "Complete detailed analysis of the 0-days from the point of view of bug hunters and exploit developers and share it back with the community. Transparency and collaboration are key. We want to share detailed root cause analysis to inform developers and defenders on how to prevent these types of bugs in the future and improve detection. We hope that by publishing details about the exploit and its methodology, this can inform threat intelligence and incident responders. Overall, we want to make information that’s often kept in silos accessible to all."

[$] Fedora's modularity mess

Thursday 21st of November 2019 06:24:14 PM
Fedora's Modularity initiative has been no stranger to controversy since its inception in 2016. Among other things, there were enough problems with the original design that Modularity went back to the drawing board in early 2018. Modularity has since been integrated with both the Fedora and Red Hat Enterprise Linux (RHEL) distributions, but the controversy continues, with some developers asking whether it's time for yet another redesign — or to abandon the idea altogether. Over the last month or so, several lengthy, detailed, and heated threads have explored this issue; read on for your editor's attempt to integrate what was said.

Stable kernels 5.3.12, 4.19.85, and 4.14.155

Thursday 21st of November 2019 02:55:31 PM
Greg Kroah-Hartman has announced the release of the 5.3.12, 4.19.85, and 4.14.155 stable kernels. As usual, they contain fixes throughout the kernel tree; users of those series should upgrade.

Security updates for Thursday

Thursday 21st of November 2019 02:33:56 PM
Security updates have been issued by Fedora (oniguruma and thunderbird-enigmail), openSUSE (chromium, ghostscript, and slurm), Oracle (kernel), Red Hat (kpatch-patch), Slackware (bind), SUSE (python-ecdsa), and Ubuntu (bind9 and mariadb).

[$] LWN.net Weekly Edition for November 21, 2019

Thursday 21st of November 2019 12:48:54 AM
The LWN.net Weekly Edition for November 21, 2019 is available.

[$] LSM stacking and the future

Wednesday 20th of November 2019 08:19:53 PM
The idea of stacking (or chaining) Linux security modules (LSMs) goes back 15 years (at least) at this point; progress has definitely been made along the way, especially in the last decade or so. It has been possible to stack "minor" LSMs with one major LSM (e.g. SELinux, Smack, or AppArmor) for some time, but mixing, say, SELinux and AppArmor in the same system has not been possible. Combining major security solutions may not seem like a truly important feature, but there is a use case where it is pretty clearly needed: containers. Longtime LSM stacker (and Smack maintainer) Casey Schaufler gave a presentation at the 2019 Linux Security Summit Europe to report on the status and plans for allowing arbitrary LSM stacking.

Security updates for Wednesday

Wednesday 20th of November 2019 03:43:15 PM
Security updates have been issued by Debian (redmine), Fedora (libidn2), Mageia (clamav, ghostscript, kernel, kernel-linus, libexif, libjpeg, mariadb, microcode, and systemd), and openSUSE (libjpeg-turbo).

[$] Enhancing KVM for guest protection and security

Wednesday 20th of November 2019 02:03:09 PM
A key tenet in KVM is to reuse as much Linux infrastructure as possible and focus specifically on processor virtualization. Back in 2007, this meant a smaller code base and less friction with the other kernel subsystems, especially when compared with other virtualization technologies such as Xen. This led to KVM being merged into the mainline with relative ease. A talk at this year's KVM Forum looks at ways to better protect guests, perhaps by moving away from that tenet.

SystemTap 4.2 release

Tuesday 19th of November 2019 06:49:48 PM
SystemTap 4.2 is out. This release features "support for generating backtraces of different contexts; improved backtrace tapset to include file names and line numbers; eBPF support extensions including raw tracepoint access, prometheus exporter, procfs probes and improved looping structures".

[$] A recap of KVM Forum 2019

Tuesday 19th of November 2019 05:00:36 PM
The 13th KVM Forum virtualization conference took place in Lyon, France in October 2019. One might think that development may have finished on the Kernel Virtual Machine (KVM) module that was merged in Linux 2.6.20 in 2007, but this year's conference underscored the amount of work still being done, particularly on side-channel attack mitigation, I/O device assignment with VFIO and mdev, footprint reduction with micro virtual machines (VMs), and with the ability to run VMs nested within VMs. Many talks also involved the virtual machine monitor (VMM) user-space programs that use the KVM kernel module—of which QEMU is the most widely used.

Security updates for Tuesday

Tuesday 19th of November 2019 03:25:24 PM
Security updates have been issued by Debian (python-psutil, slurm-llnl, symfony, and thunderbird), Fedora (gd and ghostscript), and SUSE (ceph, haproxy, java-11-openjdk, and ncurses).

[$] Some near-term arm64 hardening patches

Monday 18th of November 2019 06:36:11 PM
The arm64 architecture is found at the core of many, if not most, mobile devices; that means that arm64 devices are destined to be the target of attackers worldwide. That has led to a high level of interest in technologies that can harden these systems. There are currently several such technologies, based in both hardware and software, that are being readied for the arm64 kernel; read on for a survey on what is coming.

Two stable kernels

Monday 18th of November 2019 04:04:35 PM
Stable kernels 4.9.202 and 4.4.202 have been released. They both contain important fixes and users should upgrade.

Security updates for Monday

Monday 18th of November 2019 03:53:30 PM
Security updates have been issued by Debian (angular.js, libapache2-mod-auth-openidc, mosquitto, postgresql-common, and thunderbird), Fedora (chromium, djvulibre, freetds, ghostscript, java-1.8.0-openjdk-aarch32, samba, thunderbird-enigmail, wpa_supplicant, and xen), openSUSE (go1.12, ImageMagick, and ucode-intel), Oracle (ghostscript and kernel), Red Hat (libcomps and sudo), Slackware (kernel), SUSE (microcode_ctl, slurm, and ucode-intel), and Ubuntu (mysql-5.7, mysql-8.0 and python-ecdsa).

Kernel prepatch 5.4-rc8

Monday 18th of November 2019 02:06:02 PM
As expected, 5.4-rc8 was released on November 17 rather than the final 5.4 release. "I'm not entirely sure we need an rc8, because last week was pretty calm despite the Intel hw workarounds landing. So I considered just making a final 5.4 and be done with it, but decided that there's no real downside to just doing the rc8 after having a release cycle that took a while to calm down."

[$] Keeping memory contents secret

Friday 15th of November 2019 07:46:51 PM
One of the many responsibilities of the operating system is to help processes keep secrets from each other. Operating systems often fail in this regard, sometimes due to factors — such as hardware bugs and user-space vulnerabilities — that are beyond their direct control. It is thus unsurprising that there is an increasing level of interest in ways to improve the ability to keep data secret, perhaps even from the operating system itself. The MAP_EXCLUSIVE patch set from Mike Rapoport is one example of the work that is being done in this area; it also shows that the development community has not yet really begun to figure out how this type of feature should work.

Security updates for Friday

Friday 15th of November 2019 02:42:08 PM
Security updates have been issued by CentOS (kernel), Debian (ghostscript, mesa, and postgresql-common), Fedora (chromium, php-robrichards-xmlseclibs, php-robrichards-xmlseclibs3, samba, scap-security-guide, and wpa_supplicant), Mageia (cpio, fribidi, libapreq2, python-numpy, webkit2, and zeromq), openSUSE (ImageMagick, kernel, libtomcrypt, qemu, ucode-intel, and xen), Oracle (kernel), Red Hat (ghostscript, kernel, and kernel-rt), Scientific Linux (ghostscript and kernel), SUSE (bash, enigmail, ghostscript, ImageMagick, kernel, libjpeg-turbo, openconnect, and squid), and Ubuntu (ghostscript, imagemagick, and postgresql-common).

Cook: Security things in Linux v5.3

Friday 15th of November 2019 01:10:05 PM
Kees Cook catches up with the security improvements in the 5.3 kernel. "In recent exploits, one of the steps for making the attacker’s life easier is to disable CPU protections like Supervisor Mode Access (and Execute) Prevention (SMAP and SMEP) by finding a way to write to CPU control registers to disable these features. For example, CR4 controls SMAP and SMEP, where disabling those would let an attacker access and execute userspace memory from kernel code again, opening up the attack to much greater flexibility. CR0 controls Write Protect (WP), which when disabled would allow an attacker to write to read-only memory like the kernel code itself. Attacks have been using the kernel’s CR4 and CR0 writing functions to make these changes (since it’s easier to gain that level of execute control), but now the kernel will attempt to 'pin' sensitive bits in CR4 and CR0 to avoid them getting disabled. This forces attacks to do more work to enact such register changes going forward."