Monthly Archives: March 2009

Security subsystem changes in the 2.6.29 kernel

Here’s an update on some of the main changes to the security subsystem in the 2.6.29 kernel.

Most of the changes for this kernel relate to infrastructure work and maintenance:

  • Task Credentials API
    This is a rewrite of the kernel mechanism for managing per-task credentials. David Howells has been working on this for quite some time, significantly in support of his FS-Cache work, which will provide a generalized local caching mechanism for networked filesystems (AFS, NFS, CIFS etc.). There’s a very nice write-up of the new credentials code at LWN.
  • Pathname hooks for LSM
    Kentaro Takeda of the TOMOYO project submitted this patch via Al Viro, to provide basic support for pathname-based security schemes.
  • Smack support for unlabeled network hosts and networks
    The Smack LSM now allows normal, unlabeled network traffic, although somewhat grudgingly. Paul Moore notes that this is currently buggy for TCP, but that a fix is forthcoming.

There were also numerous smaller bugfixes and enhancements: for further details, see the KernelNewbies summary.

The TOMOYO code will be first to utilize the LSM pathname hooks mentioned above: it’s currently queued for Linus in the 2.6.30 merge window. Also queued for merge is the Integrity Measurement Architecture (IMA) code from IBM.


Also, a reminder to people submitting security subsystem patches: please generate them relative to the ‘next’ branch of the security testing tree:


and please CC’ the LSM list on any security-related discussions. Thanks.

sVirt merged into upstream libvirt

The sVirt code has now been merged into the upstream libvirt repository (git mirror). Thanks to Dan Walsh for taking on the remaining userspace development, and Daniel Berrange and the rest of the libvirt folk involved for reviewing and improving the code.

While we’ll be focusing on the SELinux driver for sVirt, a really useful and cool project for someone interested in security and virtualization would be to develop a SMACK driver.