Feed lwn LWN.net


Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-24 09:30
[$] KRSI — the other BPF security module
One of the first uses of the BPF virtual machine outside of networking was to implement access-control policies for the seccomp() system call. Since then, though, the role of BPF in the security area has not changed much in the mainline kernel, even though BPF has evolved considerably from the "classic" variant still used with seccomp() to the "extended" BPF now supported by the kernel. That has not been for a lack of trying, though. The out-of-tree Landlock security module was covered here over three years ago. We also looked at the kernel runtime security instrumentation (KRSI) patch set in September. KP Singh has posted a new KRSI series, so the time seems right for a closer look.
Huang: Can We Build Trustable Hardware?
Andrew 'bunnie' Huang has posted a detailed article on why creating trustable hardware is so difficult and describing a project he's working on to do it anyway. "While open hardware has the opportunity to empower users to innovate and embody a more correct and transparent design intent than closed hardware, at the end of the day any hardware of sufficient complexity is not practical to verify, whether open or closed. Even if we published the complete mask set for a modern billion-transistor CPU, this 'source code' is meaningless without a practical method to verify an equivalence between the mask set and the chip in your possession down to a near-atomic level without simultaneously destroying the CPU."
Security updates for Thursday
Security updates have been issued by CentOS (firefox, fribidi, nss, nss-softokn, nss-util, openslp, and thunderbird), Debian (opensc), and Mageia (389-ds-base, apache, apache-mod_auth_openidc, kernel, libofx, microcode, php, and ruby).
Security updates for Tuesday
Security updates have been issued by CentOS (freetype, kernel, nss, nss-softokn, nss-util, and thunderbird), Mageia (ghostpcl, libmirage, and spamassassin), Oracle (fribidi), and SUSE (mariadb-100, shibboleth-sp, and slurm).
Security updates for Monday
Security updates have been issued by Debian (cups, cyrus-sasl2, tightvnc, and x2goclient), Fedora (cacti and cacti-spine), openSUSE (mariadb and samba), Oracle (fribidi, git, and python), Red Hat (fribidi, libyang, and qemu-kvm-rhev), Slackware (openssl and tigervnc), and SUSE (firefox, nspr, nss and kernel).
Kernel prepatch 5.5-rc3
The third 5.5 kernel prepatch is out; it was a bit bigger than Linus would have liked. "Anyway, I'm hoping rc3 is a one-off. In fact, with the holiday season coming up, I'd be very surprised indeed if it wasn't. So I suspect things will calm down a lot over the next couple of weeks, but please do use the down-time to do some extra testing instead, ok?"
Some weekend stable kernel updates
The 5.4.6, 4.19.91, 4.14.160, 4.9.207, and 4.4.207 stable kernel updates have all been released; each contains another set of important fixes.
[$] Cloning into a control group
The Linux control-group mechanism was designed to make it easy to assign processes to groups or move them around; it is a simple matter of writing a process ID to the appropriate cgroup.procs file in the control-group filesystem hierarchy. That only works for processes that actually exist, though. Adding the ability to place a new process into a control group at birth is the subject of this patch set from Christian Brauner.
Górny: A distribution kernel for Gentoo
Michał Górny describes an effort to create something one might have never expected to see: a binary kernel package for the Gentoo distribution. "I have manually configured the kernels for my private systems a long time ago. Today, I wouldn't really have bothered. In fact, I realized that for some time I'm really hesitant to even upgrade them because of the effort needed to update configuration. The worst part is, whenever a new kernel does not boot, I have to ask myself: is it a real bug, or is it my fault for configuring it wrong?"
Security updates for Friday
Security updates have been issued by Debian (cyrus-imapd and gdk-pixbuf), Fedora (cacti, cacti-spine, and fribidi), Red Hat (fribidi, git, and openstack-keystone), Scientific Linux (fribidi), Slackware (wavpack), and SUSE (firefox, kernel, mariadb, spectre-meltdown-checker, and trousers).
Alpine Linux 3.11 released
Version 3.11 of the lightweight Alpine Linux distribution is available. Changes include the 5.4 kernel, Raspberry Pi 4 support, GNOME and KDE support, and the deprecation of Python 2.
Cloud Native Computing Foundation announces TUF graduation
The Cloud Native Computing Foundation (CNCF) is the part of the Linux Foundation that is focused on Kubernetes and other cloud technologies. It has announced that The Update Framework (TUF) has graduated to a full member project. "TUF, an open-source technology that secures software update systems, is the first specification and first security-focused project to graduate. Justin Cappos, associate professor of computer science and engineering at NYU Tandon School of Engineering, initially developed the project in 2009. Cappos is also the first academic researcher to lead a graduated project and TUF is the first project born out of a university to graduate."
Security updates for Thursday
Security updates have been issued by Arch Linux (git, libgit2, and shadow), Debian (debian-edu-config and python-django), Fedora (python-django), Mageia (apache-commons-beanutils, fence-agents, flightcrew, freerdp, htmldoc, libssh, pacemaker, rsyslog, samba, and sssd), Oracle (freetype and kernel), Scientific Linux (freetype and kernel), SUSE (firefox, spectre-meltdown-checker, thunderbird, xen, and zziplib), and Ubuntu (python-django).
[$] LWN.net Weekly Edition for December 19, 2019
The LWN.net Weekly Edition for December 19, 2019 is available.
[$] A year-end wrap-up from LWN
2019 is coming to a close. It has been another busy year with a lot going on in the Linux and free-software communities. Here at LWN, we have a longstanding tradition of looking back at the predictions made in January to see just how badly we did; it's not good to go against tradition no matter how embarrassing the results might be, so we might as well get right into it.
[$] Fedora and optical media testing
Once upon a time, Linux was installed from a stack of floppy disks—thankfully cassette tape "drives" were long in the past at that point—but floppies were superseded by optical media, first CDs and then DVDs. These days, those options are starting to fade away in most new computer systems; just as it is now rather hard to find a floppy-based Linux installer, not to mention the media and drives themselves, someday optical media installation will disappear as well. For Fedora, that day has not truly arrived, though a somewhat confusingly presented proposal on the Fedora devel mailing list is, to a limited extent, a step in that direction.
Stable kernel updates
Stable kernels 5.4.4, 5.3.17, 4.19.90, and 4.14.159 have been released. They all contain important fixes and users should upgrade. Update: Stable kernels 5.4.5 and 5.3.18 have also been released. This is the last 5.3.y kernel release and users should move to 5.4.y.
Security updates for Wednesday
Security updates have been issued by Debian (debian-edu-config, harfbuzz, libvorbis, and python-ecdsa), Fedora (chromium, fribidi, libssh, and openslp), openSUSE (chromium), Oracle (grub2), Red Hat (rh-maven35-apache-commons-beanutils), SUSE (kernel, libssh, mariadb, samba, and xen), and Ubuntu (openjdk-8, openjdk-lts).
[$] One million ought to be enough for anybody
Programming languages generally have limits—explicit or implicit—on various aspects of their operation. Things like the maximum length of an identifier or the range of values that a variable can store are fairly obvious examples, but there are others, many of which are unspecified by the language designers and come about from various implementations of the language. That ambiguity has consequences, so nailing down a wide variety of limits in Python is the target of an ongoing discussion on the python-dev mailing list.
SpamAssassin 3.4.3 available
SpamAssassin 3.4.3 has been released. It includes a new plugin for finding macros in Office documents, a couple of security fixes, and various other improvements. The project is also letting it be known that, due to the dropping of support for rulesets with SHA-1 signatures, versions of SpamAssassin prior to 3.4.2 will no longer be able to download rule updates as of the beginning of March.
Security updates for Tuesday
Security updates have been issued by Debian (libssh, ruby2.3, and ruby2.5), Fedora (kernel and libgit2), openSUSE (chromium and libssh), Oracle (openslp), Red Hat (container-tools:1.0, container-tools:rhel8, freetype, kernel, and kpatch-patch), Scientific Linux (openslp), SUSE (git and LibreOffice), and Ubuntu (graphicsmagick).
Wong: XFS - 2019 Development Retrospective
XFS filesystem maintainer Darrick Wong summarizes the significant XFS developments from the last year. "The year 2038 poses a special problem for Linux -- any signed 32-bit seconds counter will overflow back to 1901. Work is underway in the kernel to extend all of those counters to support 64-bit counters fully. In 2020, we will begin work on extending XFS's metadata (primarily inode timestamps and quota expiration timer) to support timestamps out to the year 2486. It should be possible to upgrade to existing V5 filesystems."
Stable kernel updates
Stable kernels 5.4.3, 5.3.16, and 4.19.89 have been released. They all contain important fixes throughout the tree and users should upgrade.
Security updates for Monday
Security updates have been issued by Debian (davical, intel-microcode, libpgf, php-horde, spamassassin, spip, and thunderbird), Mageia (clementine, dnsmasq, git, jasper, kdelibs4, kernel, libcroco, libgit2, libvirt, ncurses, openafs, proftpd, qbittorrent, signing-party, squid, and wireshark), openSUSE (java-1_8_0-openjdk and postgresql), Oracle (kernel), Red Hat (chromium-browser and openslp), and SUSE (kernel, libssh, and xen).
Kernel prepatch 5.5-rc2
The second 5.5 kernel prepatch is out. "Things look normal - rc2 is usually fairly calm, and so it was this week too."
Russian police raid NGINX Moscow office
ZDNet reports on a police raid at the NGINX office. "Moscow police executed the raid after last week the Rambler Group filed a copyright violation against NGINX Inc., claiming full ownership of the NGINX web server code. The Rambler Group is the parent company of rambler.ru, one of Russia's biggest search engines and internet portals. According to copies of the search warrant posted on Twitter today, Rambler claims that Igor Sysoev developed NGINX while he was working as a system administrator for the company, hence they are the rightful owner of the project."
[$] Explicit pinning of user-space pages
The saga of get_user_pages() — and the problems it causes within the kernel — has been extensively chronicled here; see the LWN kernel index for the full series. In short, get_user_pages() is used to pin user-space pages in memory for some sort of manipulation outside of the owning process(es); that manipulation can sometimes surprise other parts of the kernel that think they have exclusive rights to the pages in question. This patch series from John Hubbard does not solve all of the problems, but it does create some infrastructure that may make a solution easier to come by.
Security updates for Friday
Security updates have been issued by Fedora (knot-resolver and xen), openSUSE (kernel), and SUSE (haproxy, kernel, and openssl).
[$] Buffered I/O without page-cache thrashing
Linux offers two modes for file I/O: buffered and direct. Buffered I/O passes through the kernel's page cache; it is relatively easy to use and can yield significant performance benefits for data that is accessed multiple times. Direct I/O, instead, goes straight between a user-space buffer and the storage device. It can be much faster for situations where caching by the operating system isn't necessary, but it is complex to use and contains traps for the unwary. Now, it seems, Jens Axboe has come up with a way to get many of the benefits of direct I/O with a lot less bother.
Security updates for Thursday
Security updates have been issued by CentOS (firefox and nss-softokn), Fedora (samba), Oracle (nss, nss-softokn, nss-util, nss-softokn, and thunderbird), Scientific Linux (thunderbird), SUSE (firefox), and Ubuntu (librabbitmq and samba).
[$] LWN.net Weekly Edition for December 12, 2019
The LWN.net Weekly Edition for December 12, 2019 is available.
[$] Working toward securing PyPI downloads
An effort to protect package downloads from the Python Package Index (PyPI) has resulted in a Python Enhancement Proposal (PEP) and, perhaps belatedly, some discussion in the wider community. The basic idea is to use The Update Framework (TUF) to protect PyPI users from some malicious actors who are aiming to interfere with the installation and update of Python modules. But the name of the PEP and its wording, coupled with some recent typosquatting problems on PyPI, caused some confusion along the way. There are some competing interests and different cultures coming together over this PEP; the process has not run as smoothly as anyone might want, though that seems to be resolving itself at this point.
Security updates for Wednesday
Security updates have been issued by Arch Linux (crypto++ and thunderbird), Debian (cacti, freeimage, git, and jackson-databind), Fedora (nss), openSUSE (clamav, dnsmasq, munge, opencv, permissions, and shadowsocks-libev), Red Hat (nss, nss-softokn, nss-util, rh-maven35-jackson-databind, and thunderbird), Scientific Linux (nss, nss-softokn, nss-util, nss-softokn, and thunderbird), SUSE (caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, crowbar-ui, etcd, flannel, galera-3, mariadb, mariadb-connector-c, openstack-dashboard-theme-SUSE, openstack-heat-templates, openstack-neutron, openstack-nova, openstack-quickstart, patterns-cloud, python-oslo.messaging, python-oslo.utils, python-pysaml2, libssh, and strongswan), and Ubuntu (git, libpcap, libssh, and thunderbird).
Behind the One-Way Mirror (EFF)
The Electronic Frontier Foundation has posted a detailed study on third-party corporate surveillance on the Internet (and beyond). "Both Google and Apple encourage developers to use ad IDs for behavioral profiling in lieu of other identifiers like IMEI or phone number. Ostensibly, this gives users more control over how they are tracked, since users can reset their identifiers by hand if they choose. However, in practice, even if a user goes to the trouble to reset their ad ID, it's very easy for trackers to identify them across resets by using other identifiers, like IP address or in-app storage. Android's developer policy instructs trackers not to engage in such behavior, but the platform has no technical safeguards to stop it. In February 2019, a study found that over 18,000 apps on the Play store were violating Google's policy."
[$] OpenBSD system-call-origin verification
A new mechanism to help thwart return-oriented programming (ROP) and similar attacks has recently been added to the OpenBSD kernel. It will block system calls that are not made via the C library (libc) system-call wrappers. Instead of being able to string together some "gadgets" that make a system call directly, an attacker would need to be able to call the wrapper, which is normally at a randomized location.
[$] New features for the Kubernetes scheduler
The Kubernetes scheduler is being overhauled with a series of improvements that will introduce a new framework and enhanced capabilities that could help cluster administrators to optimize performance and utilization. Abdullah Gharaibeh, co-chair of the Kubernetes scheduling special interest group (SIG Scheduling), detailed what has been happening with the scheduler in recent releases and what's on the roadmap in a session at KubeCon + CloudNativeCon North America 2019.
Git v2.24.1 and others
The Git project has released Git v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. "These releases fix various security flaws, which allowed an attacker to overwrite arbitrary paths, remotely execute code, and/or overwrite files in the .git/ directory etc." The release notes contained in this announcement have the details.
Google Summer of Code 2020
Google Open Source has announced Google Summer of Code (GSoC) 2020, a program that introduces university students to open-source development. "And the 'special sauce' that has kept this program thriving for 16 years: the mentorship aspect of the program. Participants gain invaluable experience working directly with mentors who are dedicated members of these open source communities; mentors help bring students into their communities while teaching them, guiding them and helping them find their place in the world of open source." Applications for interested organizations open on January 14.
Security updates for Tuesday
Security updates have been issued by Debian (firefox-esr, jruby, and squid3), Fedora (librabbitmq, libuv, and xpdf), openSUSE (calamares and opera), Oracle (kernel and nss), Red Hat (httpd24-httpd, kernel, kernel-alt, kpatch-patch, nss-softokn, sudo, and thunderbird), SUSE (apache2-mod_perl, java-1_8_0-openjdk, and postgresql), and Ubuntu (eglibc, firefox, and samba).
Vetter: Upstream Graphics: Too Little, Too Late
Daniel Vetter has posted a summary of his LPC talk on kernel graphics drivers. "Unfortunately the business case for 'upstream first' on the kernel side is completely broken. Not for open source, and not for any fundamental reasons, but simply because the kernel moves too slowly, is too big, drivers aren't well contained enough and therefore customers will not or even can not upgrade. For some hardware upstreaming early enough is possible, but graphics simply moves too fast: By the time the upstreamed driver is actually in shipping distros, it's already one hardware generation behind. And missing almost a year of tuning and performance improvements. Worse it's not just new hardware, but also GL and Vulkan versions that won't work on older kernels due to missing features, fragmenting the ecosystem further."
[$] The end of the 5.5 merge window
By the end of the merge window, 12,632 non-merge changesets had been pulled into the mainline repository for the 5.5 release. This is thus a busy development cycle — just like the cycles that preceded it. Just over half of those changesets were pulled after the writing of our first 5.5 merge-window summary. As is often the case later in the merge window, many of those changes were relatively boring fixes. There were still a number of interesting changes, though; read on for a summary of what happened in the second half of this merge window.
Security updates for Monday
Security updates have been issued by CentOS (SDL), Debian (htmldoc, librabbitmq, nss, openjdk-7, openslp-dfsg, and phpmyadmin), Fedora (chromium, community-mysql, kernel, libidn2, oniguruma, proftpd, and rabbitmq-server), Mageia (ansible, clamav, evince, firefox, graphicsmagick, icu, libcryptopp, libtasn1, libtiff, libvncserver, libvpx, lz4, nss, openexr, openjpeg2, openssl, phpmyadmin, python-psutil, python-twisted, QT, sdl2_image, SDL_image, sysstat, thunderbird, and tnef), Oracle (firefox), Red Hat (java-1.8.0-ibm and nss), Scientific Linux (firefox and kernel), SUSE (kernel), and Ubuntu (nss).
Kernel prepatch 5.5-rc1
Linus has released the 5.5-rc1 kernel prepatch and closed the merge window for this development cycle. "Everything looks fairly regular - it's a tiny bit larger (in commit counts) than the few last merge windows have been, but not bigger enough to really raise any eyebrows. And there's nothing particularly odd in there either that I can think of: just a bit over half of the patch is drivers, with the next big area being arch updates. Which is pretty much the rule for how things have been forever by now. Outside of that, the documentation and tooling (perf and selftests) updates stand out, but that's actually been a common pattern for a while now too, so it's not really surprising either."
[$] Developers split over split-lock detection
A "split lock" is a low-level memory-bus lock taken by the processor for a memory range that crosses a cache line. Most processors disallow split locks, but x86 implements them. Split locking may be convenient for developers, but it comes at a cost: a single split-locked instruction can occupy the memory bus for around 1,000 clock cycles. It is thus understandable that interest in eliminating split-lock operations is high. What is perhaps less understandable is that a patch set intended to detect split locks has been pending since (at least) May 2018, and it still is not poised to enter the mainline.
VPN hijacking on Linux (and beyond) systems
William Tolley has disclosed a severe VPN-related problem in most current systems: "I am reporting a vulnerability that exists on most Linux distros, and other *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website. Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections." There are various partial mitigations available, but a full solution to the problem has not yet been worked out. Most VPNs are vulnerable, but Tor evidently is not.
Security updates for Friday
Security updates have been issued by Debian (libav), Fedora (kernel, libuv, and nodejs), Oracle (firefox), Red Hat (firefox and java-1.7.1-ibm), SUSE (clamav, cloud-init, dnsmasq, dpdk, ffmpeg, munge, opencv, and permissions), and Ubuntu (librabbitmq).
[$] Debian votes on init systems
In November, the topic of init systems and, in particular, support for systems other than systemd reappeared on the Debian mailing lists. After one month of sometimes fraught discussion, this issue has been brought to the project's developers to decide in the form of a general resolution (GR) — the first such since the project voted on the status of debian-private discussions in 2016. The issues under discussion are complex, so the result is one of the most complex ballots seen for some time in Debian, with seven options to choose from.
Stable kernels 5.4.2, 5.3.15, and 4.19.88
Greg Kroah-Hartman has announced the release of the 5.4.2, 5.3.15, and 4.19.88 stable kernels. They contain a relatively large collection of important fixes throughout the tree; users of those kernel series should upgrade. [Update: A bit later, the 4.14.158, 4.9.206, and 4.4.206 stable kernels were also released.]
Security updates for Thursday
Security updates have been issued by Arch Linux (firefox), Fedora (cyrus-imapd, freeipa, haproxy, ImageMagick, python-pillow, rubygem-rmagick, sqlite, squid, and tnef), openSUSE (haproxy), Oracle (microcode_ctl), and Ubuntu (squid, squid3).
[$] LWN.net Weekly Edition for December 5, 2019
The LWN.net Weekly Edition for December 5, 2019 is available.