
LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Bad Binder: Android In-The-Wild Exploit (Project Zero)

4 hours 54 min ago
Over on the Project Zero blog, Maddie Stone has a lengthy post about a zero-day exploit of a bug that was found and fixed in the Android Binder interprocess communication mechanism. The post details the search for the bug, which was apparently being exploited in the wild, its fix, and how it can be exploited. This is all part of an effort to "make zero-day hard"; one of the steps the project is taking is to disseminate more information on these bugs. "Complete detailed analysis of the 0-days from the point of view of bug hunters and exploit developers and share it back with the community. Transparency and collaboration are key. We want to share detailed root cause analysis to inform developers and defenders on how to prevent these types of bugs in the future and improve detection. We hope that by publishing details about the exploit and its methodology, this can inform threat intelligence and incident responders. Overall, we want to make information that’s often kept in silos accessible to all."

[$] Fedora's modularity mess

10 hours 16 min ago
Fedora's Modularity initiative has been no stranger to controversy since its inception in 2016. Among other things, there were enough problems with the original design that Modularity went back to the drawing board in early 2018. Modularity has since been integrated with both the Fedora and Red Hat Enterprise Linux (RHEL) distributions, but the controversy continues, with some developers asking whether it's time for yet another redesign — or to abandon the idea altogether. Over the last month or so, several lengthy, detailed, and heated threads have explored this issue; read on for your editor's attempt to integrate what was said.

Stable kernels 5.3.12, 4.19.85, and 4.14.155

13 hours 45 min ago
Greg Kroah-Hartman has announced the release of the 5.3.12, 4.19.85, and 4.14.155 stable kernels. As usual, they contain fixes throughout the kernel tree; users of those series should upgrade.

Security updates for Thursday

14 hours 6 min ago
Security updates have been issued by Fedora (oniguruma and thunderbird-enigmail), openSUSE (chromium, ghostscript, and slurm), Oracle (kernel), Red Hat (kpatch-patch), Slackware (bind), SUSE (python-ecdsa), and Ubuntu (bind9 and mariadb).

[$] LWN.net Weekly Edition for November 21, 2019

Thursday 21st of November 2019 12:48:54 AM
The LWN.net Weekly Edition for November 21, 2019 is available.

[$] LSM stacking and the future

Wednesday 20th of November 2019 08:19:53 PM
The idea of stacking (or chaining) Linux security modules (LSMs) goes back 15 years (at least) at this point; progress has definitely been made along the way, especially in the last decade or so. It has been possible to stack "minor" LSMs with one major LSM (e.g. SELinux, Smack, or AppArmor) for some time, but mixing, say, SELinux and AppArmor in the same system has not been possible. Combining major security solutions may not seem like a truly important feature, but there is a use case where it is pretty clearly needed: containers. Longtime LSM stacker (and Smack maintainer) Casey Schaufler gave a presentation at the 2019 Linux Security Summit Europe to report on the status and plans for allowing arbitrary LSM stacking.

Security updates for Wednesday

Wednesday 20th of November 2019 03:43:15 PM
Security updates have been issued by Debian (redmine), Fedora (libidn2), Mageia (clamav, ghostscript, kernel, kernel-linus, libexif, libjpeg, mariadb, microcode, and systemd), and openSUSE (libjpeg-turbo).

[$] Enhancing KVM for guest protection and security

Wednesday 20th of November 2019 02:03:09 PM
A key tenet in KVM is to reuse as much Linux infrastructure as possible and focus specifically on processor virtualization. Back in 2007, this meant a smaller code base and less friction with the other kernel subsystems, especially when compared with other virtualization technologies such as Xen. This led to KVM being merged into the mainline with relative ease. A talk at this year's KVM Forum looks at ways to better protect guests, perhaps by moving away from that tenet.

SystemTap 4.2 release

Tuesday 19th of November 2019 06:49:48 PM
SystemTap 4.2 is out. This release features "support for generating backtraces of different contexts; improved backtrace tapset to include file names and line numbers; eBPF support extensions including raw tracepoint access, prometheus exporter, procfs probes and improved looping structures".

[$] A recap of KVM Forum 2019

Tuesday 19th of November 2019 05:00:36 PM
The 13th KVM Forum virtualization conference took place in Lyon, France in October 2019. One might think that development may have finished on the Kernel Virtual Machine (KVM) module that was merged in Linux 2.6.20 in 2007, but this year's conference underscored the amount of work still being done, particularly on side-channel attack mitigation, I/O device assignment with VFIO and mdev, footprint reduction with micro virtual machines (VMs), and with the ability to run VMs nested within VMs. Many talks also involved the virtual machine monitor (VMM) user-space programs that use the KVM kernel module—of which QEMU is the most widely used.

Security updates for Tuesday

Tuesday 19th of November 2019 03:25:24 PM
Security updates have been issued by Debian (python-psutil, slurm-llnl, symfony, and thunderbird), Fedora (gd and ghostscript), and SUSE (ceph, haproxy, java-11-openjdk, and ncurses).

[$] Some near-term arm64 hardening patches

Monday 18th of November 2019 06:36:11 PM
The arm64 architecture is found at the core of many, if not most, mobile devices; that means that arm64 devices are destined to be the target of attackers worldwide. That has led to a high level of interest in technologies that can harden these systems. There are currently several such technologies, based in both hardware and software, that are being readied for the arm64 kernel; read on for a survey on what is coming.

Two stable kernels

Monday 18th of November 2019 04:04:35 PM
Stable kernels 4.9.202 and 4.4.202 have been released. They both contain important fixes and users should upgrade.

Security updates for Monday

Monday 18th of November 2019 03:53:30 PM
Security updates have been issued by Debian (angular.js, libapache2-mod-auth-openidc, mosquitto, postgresql-common, and thunderbird), Fedora (chromium, djvulibre, freetds, ghostscript, java-1.8.0-openjdk-aarch32, samba, thunderbird-enigmail, wpa_supplicant, and xen), openSUSE (go1.12, ImageMagick, and ucode-intel), Oracle (ghostscript and kernel), Red Hat (libcomps and sudo), Slackware (kernel), SUSE (microcode_ctl, slurm, and ucode-intel), and Ubuntu (mysql-5.7, mysql-8.0 and python-ecdsa).

Kernel prepatch 5.4-rc8

Monday 18th of November 2019 02:06:02 PM
As expected, 5.4-rc8 was released on November 17 rather than the final 5.4 release. "I'm not entirely sure we need an rc8, because last week was pretty calm despite the Intel hw workarounds landing. So I considered just making a final 5.4 and be done with it, but decided that there's no real downside to just doing the rc8 after having a release cycle that took a while to calm down."

[$] Keeping memory contents secret

Friday 15th of November 2019 07:46:51 PM
One of the many responsibilities of the operating system is to help processes keep secrets from each other. Operating systems often fail in this regard, sometimes due to factors — such as hardware bugs and user-space vulnerabilities — that are beyond their direct control. It is thus unsurprising that there is an increasing level of interest in ways to improve the ability to keep data secret, perhaps even from the operating system itself. The MAP_EXCLUSIVE patch set from Mike Rapoport is one example of the work that is being done in this area; it also shows that the development community has not yet really begun to figure out how this type of feature should work.
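As an added example (not part of the LWN article and not code from Mike Rapoport's patch set), the C program below shows what user space can do today with existing interfaces to protect a key buffer: mlock() keeps the pages out of swap, madvise(MADV_DONTDUMP) keeps them out of core dumps, and a volatile wipe clears the contents before the mapping is released. None of this hides the pages from the kernel itself, which is exactly the gap MAP_EXCLUSIVE targets; the flag is not used here because it never reached mainline. The struct and function names are this example's own, and the key bytes are constructed test data.

```c
/*
 * Added example: protecting a secret buffer with the interfaces that
 * already exist (mlock, MADV_DONTDUMP, explicit wipe).  Not the
 * MAP_EXCLUSIVE patch set; these calls do not hide the memory from
 * the kernel, they only reduce where copies of it can end up.
 */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct secret_buf {
    unsigned char *p;   /* page-aligned mapping */
    size_t len;         /* mapping length, rounded up to whole pages */
    int locked;         /* mlock() succeeded (can fail under RLIMIT_MEMLOCK) */
    int nodump;         /* MADV_DONTDUMP applied (Linux only) */
};

/* Map a private anonymous region for the secret; returns 0 on success. */
int secret_alloc(struct secret_buf *s, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t sz;
    void *p;

    if (page <= 0 || len == 0)
        return -1;
    sz = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    p = mmap(NULL, sz, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    s->p = p;
    s->len = sz;
    s->locked = (mlock(p, sz) == 0);                  /* keep out of swap */
#ifdef MADV_DONTDUMP
    s->nodump = (madvise(p, sz, MADV_DONTDUMP) == 0); /* keep out of core dumps */
#else
    s->nodump = 0;
#endif
    return 0;
}

/* Zero the buffer through a volatile pointer so the compiler cannot
 * drop the stores as dead (the classic memset-before-free pitfall). */
void secret_wipe(struct secret_buf *s)
{
    volatile unsigned char *v = s->p;
    size_t i;

    for (i = 0; i < s->len; i++)
        v[i] = 0;
}

/* 1 if every byte of the mapping is zero. */
int secret_is_zero(const struct secret_buf *s)
{
    size_t i;

    for (i = 0; i < s->len; i++)
        if (s->p[i] != 0)
            return 0;
    return 1;
}

/* Wipe, unlock and unmap; the contents never reach free() or a reused page. */
void secret_free(struct secret_buf *s)
{
    secret_wipe(s);
    if (s->locked)
        munlock(s->p, s->len);
    munmap(s->p, s->len);
    s->p = NULL;
    s->len = 0;
}

/* Full life cycle on a constructed 32-byte key; returns 0 on success. */
int secret_demo(void)
{
    /* Constructed test key, not a real secret (31 chars + NUL). */
    static const unsigned char key[32] = "0123456789abcdef0123456789abcde";
    struct secret_buf s;

    if (secret_alloc(&s, sizeof key) != 0)
        return 1;
    memcpy(s.p, key, sizeof key);
    if (memcmp(s.p, key, sizeof key) != 0 || secret_is_zero(&s))
        return 2;
    secret_wipe(&s);
    if (!secret_is_zero(&s))
        return 3;
    secret_free(&s);
    return 0;
}

int main(void)
{
    struct secret_buf s;

    if (secret_alloc(&s, 32) != 0) {
        perror("mmap");
        return 1;
    }
    printf("mapped %zu bytes, mlock %s, MADV_DONTDUMP %s\n", s.len,
           s.locked ? "ok" : "failed", s.nodump ? "ok" : "unavailable");
    secret_free(&s);
    return secret_demo();
}
```

The mlock() result is recorded rather than treated as fatal because unprivileged processes routinely hit RLIMIT_MEMLOCK; a real program should decide whether an unlocked secret is acceptable. Even when every call succeeds, /proc/PID/mem, ptrace by a same-UID process, and the kernel's own direct map can still reach the pages, which is the motivation for the patch set discussed above.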

Security updates for Friday

Friday 15th of November 2019 02:42:08 PM
Security updates have been issued by CentOS (kernel), Debian (ghostscript, mesa, and postgresql-common), Fedora (chromium, php-robrichards-xmlseclibs, php-robrichards-xmlseclibs3, samba, scap-security-guide, and wpa_supplicant), Mageia (cpio, fribidi, libapreq2, python-numpy, webkit2, and zeromq), openSUSE (ImageMagick, kernel, libtomcrypt, qemu, ucode-intel, and xen), Oracle (kernel), Red Hat (ghostscript, kernel, and kernel-rt), Scientific Linux (ghostscript and kernel), SUSE (bash, enigmail, ghostscript, ImageMagick, kernel, libjpeg-turbo, openconnect, and squid), and Ubuntu (ghostscript, imagemagick, and postgresql-common).

Cook: Security things in Linux v5.3

Friday 15th of November 2019 01:10:05 PM
Kees Cook catches up with the security improvements in the 5.3 kernel. "In recent exploits, one of the steps for making the attacker’s life easier is to disable CPU protections like Supervisor Mode Access (and Execute) Prevention (SMAP and SMEP) by finding a way to write to CPU control registers to disable these features. For example, CR4 controls SMAP and SMEP, where disabling those would let an attacker access and execute userspace memory from kernel code again, opening up the attack to much greater flexibility. CR0 controls Write Protect (WP), which when disabled would allow an attacker to write to read-only memory like the kernel code itself. Attacks have been using the kernel’s CR4 and CR0 writing functions to make these changes (since it’s easier to gain that level of execute control), but now the kernel will attempt to 'pin' sensitive bits in CR4 and CR0 to avoid them getting disabled. This forces attacks to do more work to enact such register changes going forward."
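As an added example (not Kees Cook's text and not the kernel's own code), the following C program models the CR0/CR4 pinning logic in user space. The real implementation in arch/x86/include/asm/special_insns.h writes the physical control registers with inline assembly; here the registers are plain variables so the control flow can run anywhere. The bit positions are the architectural ones (CR0.WP is bit 16, CR4.SMEP bit 20, CR4.SMAP bit 21); the function and variable names are this example's own.

```c
/*
 * Added example: user-space model of Linux 5.3's CR0/CR4 bit pinning.
 * Not the kernel's code; the "registers" below are ordinary variables
 * standing in for the real control registers.
 */
#include <stdio.h>

/* Architectural control-register bits (Intel SDM vol. 3). */
#define X86_CR0_PE   (1UL << 0)    /* Protection Enable */
#define X86_CR0_WP   (1UL << 16)   /* Write Protect: ring 0 honours RO pages */
#define X86_CR0_PG   (1UL << 31)   /* Paging */
#define X86_CR4_PAE  (1UL << 5)
#define X86_CR4_SMEP (1UL << 20)   /* no execution of user pages from ring 0 */
#define X86_CR4_SMAP (1UL << 21)   /* no data access to user pages from ring 0 */

static unsigned long sim_cr0, sim_cr4;              /* stand-ins for CR0/CR4 */
static unsigned long cr0_pinned_bits, cr4_pinned_bits;
static int cr_pinning_enabled;
static unsigned long cr_pin_violations;             /* kernel would WARN_ONCE */

/*
 * Same shape as the kernel's native_write_cr4(): the requested value is
 * written first, then checked; if any pinned bit is missing it is put
 * back and the register is written again.  An attacker who reaches the
 * write function with a crafted value therefore cannot clear
 * SMEP/SMAP/WP through it.
 */
static unsigned long pinned_write(unsigned long *reg, unsigned long val,
                                  unsigned long pinned)
{
    unsigned long missing;

    *reg = val;
    if (cr_pinning_enabled) {
        missing = ~val & pinned;
        if (missing) {
            val |= missing;
            *reg = val;
            cr_pin_violations++;
        }
    }
    return *reg;
}

unsigned long sim_write_cr0(unsigned long val)
{
    return pinned_write(&sim_cr0, val, cr0_pinned_bits);
}

unsigned long sim_write_cr4(unsigned long val)
{
    return pinned_write(&sim_cr4, val, cr4_pinned_bits);
}

unsigned long sim_read_cr0(void) { return sim_cr0; }
unsigned long sim_read_cr4(void) { return sim_cr4; }
unsigned long sim_cr_pin_violations(void) { return cr_pin_violations; }

/*
 * Put the model in a "booted" state: WP, SMEP and SMAP on, as a modern
 * kernel leaves them.  With pin=1 the boot code also records those
 * bits as pinned (the kernel pins only bits the CPU actually has).
 */
void sim_reset(int pin)
{
    sim_cr0 = X86_CR0_PE | X86_CR0_PG | X86_CR0_WP;
    sim_cr4 = X86_CR4_PAE | X86_CR4_SMEP | X86_CR4_SMAP;
    cr_pin_violations = 0;
    cr_pinning_enabled = pin;
    cr0_pinned_bits = pin ? (sim_cr0 & X86_CR0_WP) : 0;
    cr4_pinned_bits = pin ? (sim_cr4 & (X86_CR4_SMEP | X86_CR4_SMAP)) : 0;
}

/* The exploit step the quote describes: clear SMEP/SMAP, then WP. */
static void attacker_disable_protections(void)
{
    sim_write_cr4(sim_read_cr4() & ~(X86_CR4_SMEP | X86_CR4_SMAP));
    sim_write_cr0(sim_read_cr0() & ~X86_CR0_WP);
}

/* Run the attack on a fresh model; return the CR4 value it leaves behind. */
unsigned long attack_result_cr4(int pin)
{
    sim_reset(pin);
    attacker_disable_protections();
    return sim_read_cr4();
}

/* 1 if WP, SMEP and SMAP all survive the attack, 0 otherwise. */
int attack_leaves_protections(int pin)
{
    sim_reset(pin);
    attacker_disable_protections();
    return (sim_read_cr0() & X86_CR0_WP) == X86_CR0_WP &&
           (sim_read_cr4() & (X86_CR4_SMEP | X86_CR4_SMAP)) ==
               (X86_CR4_SMEP | X86_CR4_SMAP);
}

int main(void)
{
    int pin;

    for (pin = 0; pin <= 1; pin++) {
        attack_leaves_protections(pin);
        printf("pinning %s: CR0=%#lx CR4=%#lx violations=%lu\n",
               pin ? "on " : "off", sim_read_cr0(), sim_read_cr4(),
               sim_cr_pin_violations());
    }
    return 0;
}
```

The model also shows the limit of the mitigation: pinning protects only writes that go through the kernel's own write function, which is what forces the extra work Kees mentions. An attacker who can execute an arbitrary `mov %reg, %cr4` instruction of their own is not stopped, and unrelated CR4 bits remain freely writable.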

[$] The Yocto Project 3.0 release

Thursday 14th of November 2019 07:26:19 PM
The Yocto Project recently announced its 3.0 release, maintaining the spring/fall cadence it has followed for the past nine years. As well as the expected updates, it contains new thinking on getting the best of two worlds: source builds and prebuilt binaries. This fits well into a landscape where reproducibility and software traceability, all the way through to device updates, are increasingly important to handle complex security issues.

Security updates for Thursday

Thursday 14th of November 2019 02:00:24 PM
Security updates have been issued by Arch Linux (kernel, linux-lts, and linux-zen), CentOS (kernel, sudo, and thunderbird), Debian (linux-4.9), Fedora (samba), openSUSE (apache2-mod_auth_openidc, kernel, qemu, rsyslog, and ucode-intel), Oracle (kernel), Red Hat (kernel and kernel-rt), Scientific Linux (kernel), SUSE (kernel and microcode_ctl), and Ubuntu (kernel, libjpeg-turbo, linux, linux-hwe, linux-oem, linux, linux-hwe, linux-oem-osp1, and qemu).

More in Tux Machines

Yocto-based Torizon distro adds OTA updater

Toradex has released an experimental version of an OTA updater for its new Torizon embedded Linux distribution. Torizon OTA offers fault-tolerant features and supports web-based remote management including grouping of devices into fleets.

Growth of Kubernetes

  • Just how popular is Kubernetes?

    In its study of usage data from thousands of companies and more than 1.5 billion containers, the company found "roughly 45% of Datadog customers running containers use Kubernetes, whether in self-managed clusters or through a cloud service." Not bad for a technology that's just over five years old. What's more telling though is that almost half of all Datadog container users have already turned to Kubernetes. It's Kubernetes' growth rate that really tells the story. In the last year, Kubernetes' number of users grew by 10%. In the meantime, other container orchestration programs, such as Marathon and Docker swarm mode, have simply not caught fire. Indeed, their parent companies, D2iQ, formerly Mesosphere, and Docker both started offering Kubernetes to their customers. Need more be said? Datadog also found that Kubernetes is very popular on the public cloud. In particular, managed Kubernetes services such as Google Kubernetes Engine (GKE) dominate the Google Cloud Platform (GCP). Since Kubernetes' ancestry goes back to Google, that comes as no surprise.

  • Rancher CEO on k3s: Kubernetes is the new Linux; you run it everywhere

    Once, Kubernetes was just some geeky cloud-native project for orchestrating containers (a virtualized method for running distributed applications). Isn’t it funny how it’s worked its way into practically every tech conversation in just a few years? In fact, thanks to technologies that shrink and simplify it, Kubernetes is about to find its way into even more use cases. With the technology and its uses expanding so rapidly, how do we even define it anymore? Sheng Liang (pictured), co-founder and chief executive officer of Rancher Labs Inc., has an idea: “Kubernetes is the new Linux, and you run it everywhere.” Cloud, on-premises data center, bare metal, internet of things edge, Raspberry Pi, surveillance camera? Check. The developer ecosystem is invading more and more spaces through tweaks that make Kubernetes easier than ever to deploy.

Screencasting with OBS Studio on Wayland

For the past few months, I’ve been doing live coding sessions on YouTube showing how GNOME development goes. Usually it’s a pair of sessions per week, one in Brazilian Portuguese so that my beloved community can enjoy GNOME in their native language; and one in English, to give other people at least a chance to follow development as well. We are quite lucky to have OBS Studio available for screencasting and streaming, as it makes our lives a lot easier. It’s really a fantastic application. I learned about it while browsing Flathub, and it’s what actually motivated me to start streaming in the first place. However, I have to switch to X11 in order to use it, since the GNOME screencast plugin never really worked for me. This is annoying since Mutter has supported screencasting for years now, and I really want to showcase the latest and greatest while streaming. We’re still not using the appropriate APIs and methods to screencast, which doesn’t set a high standard for the community. So I decided to get my hands dirty, bite the bullet, and fix this situation. And so was born the obs-xdg-portal plugin for OBS Studio! The plugin uses the standard ScreenCast portal, which means it should work inside and outside the Flatpak sandbox, in Wayland and X11, and on GNOME and KDE (and perhaps others?).

Snapcraft secret sauce: KDE neon extension

Simplicity is the magic ingredient in any product design. For members of the KDE community, snap development has become that much simpler, thanks to the recent introduction of the KDE neon extension. Last year, we talked about the KDE build and content snaps, which can greatly speed the build of KDE application snaps and save disk space. The extension takes this effort one step farther, and allows for faster, smoother integration of snaps into the Linux desktop. While there are no shortcuts in life, you can rely on a passionate community of skilled techies to make the journey easier.