Category Archives: Linux

FOSS.IN/2008 Wrapup

FOSS.IN has certainly changed a lot since I first attended in 2005, where there were several thousand delegates, an expansive talks programme, and a significant commercial presence with a dedicated trade hall. Since then, and particularly following this year’s omlette post, the organizers have been nudging the conference toward an increasingly technical and participatory event.

This year, somewhat following the example of the Plumbers Conference, the core of FOSS.IN became workout sessions, with fewer traditional conference talks. The aim, according to the organisers, is to provide Indian developers with access to a dedicated technical event similar to the experiences available to FOSS developers in North America and Europe.

Approximately a thousand delegates registered, although I’d estimate that there were typically around three to five hundred people present during the course of the conference. One of the organizers noted that in previous years, the crowd of delegates would change from day to day, reflecting each day’s programming, but that this year, the crowd was essentially the same throughout.

While there were several standalone talks, this was not an event aimed at a passive audience. From my observations, the main action was found in active participation in workout sessions, BoFs, and ad-hoc hacking gatherings. It seemed that wherever there was a power outlet, you’d find a small group of people gathered with laptops, working on something.

Suparna with lightning speaker

There was a major KDE presence at the conference, although most of my time was spent involved in kernel-related events. I heard that a KDE theme song was composed, performed and recorded at the conference, so I wonder if this may be the first FOSS conf to create and ship a conventional work of art.

Around two weeks before the conference started, the organizers allocated a day to a then yet-to-be-defined Linux Kernel Hacker Gathering, asking kernel folk to “organize something”. Several emails later, with a growing cc: list and finally a small mailing list set up by Harald, a basic outline was determined. A planning meeting was organized for the Monday before the conference at the IBM Bangalore campus. Details of the Kernel Workout were also finalized there.

The LKHG event started on Friday with a series of talks on various kernel topics by upstream developers, then opened up for a series of lightning talks from delegates, and finished with an open discussion. There weren’t as many lightning talks as were hoped for, which was not unreasonable given the excessively short lead-time for the CfP. For this to work better in the future, I’d suggest having a much longer lead-time, and more publicity aimed specifically at kernel developers working outside of the upstream process, to engage such folk with the wider community. There were still some very good discussions around the relatively few lightning talks, in any case.

Linux Kernel Hacker Gathering

The kernel workout session was then held the following and final day. It appeared to succeed beyond expectations, largely due to the planning which happened in the few available days beforehand. Getting the word out on the prerequisites was critical. In this case, to participate, you had to be ready to hit the ground running with an already checked-out source tree on your laptop, which you knew how to build and run. Following that, it was a matter of choosing something from the set of tasks selected by the organizers, and asking for help from mentors if needed. There was also a preparatory session before the workout for people to get set up, although I missed that as I was giving a different talk at the time. Many of the major upstream Indian kernel hackers were there as mentors, so it was definitely the place to be to really get into things.

The results of the workout have been published on the workout wiki. As of writing, several patches from the workout have now been accepted into the kernel. Some were already posted and receiving review before the end of the workout.

Kernel workout session

Earlier that day, I gave a talk on Fedora Kiosk Mode. It’s useful now to have a high-level application such as this to demonstrate an application of modern MAC security. Thus far, it’s been difficult to communicate the benefits of generalized MAC in theoretical terms. It’s clear from the example of Kiosk Mode that MAC does not need to be complicated if abstracted correctly, and that it can provide desirable and useful benefits to everyday users. There’s a lot more to come in this area, too.

FOSS Expo Stand

A particular highlight of the conference was the closing keynote by Kalyan Varma, which turned out to be probably the best talk I’ve ever seen on any topic. I knew it was something to do with photography, but I had no idea what was in store: a linking of ideas as diverse as FOSS community principles; amusing security hacking demonstrations; photographing new species; having your work exhibited at the London School of Economics; working with the BBC and David Attenborough; getting a cheque from the makers of Snakes on a Plane for using one of your Creative Commons flickr photos; and what this all has to do with drinking tea and saving the environment. Harald has also written about the talk. I hope the video of the talk is published online soon, and I really wouldn’t be surprised to see Kalyan presenting it at TED.

Kalyan Varma keynote

Overall, I greatly enjoyed the conference, and feel that I’d generally prefer to attend these kinds of working conferences in the future. Given the overheads involved in travel (productivity hits in particular), the traditional “famous people get up and talk about how great they are” talk-based conferences are decreasingly compelling. It’s great to meet up with folk I’ve been working with online, but even greater to do so in the context of getting useful development-related tasks done.

A huge thanks to the team for letting me be part of this amazing event. There was certainly no shortage of challenges for them this year, and they ensured that everyone who put something into the conference got a lot more back out.

FOSS.IN photos

I’m on my way back from FOSS.IN, waiting for a connecting flight to Sydney in Singapore on a hearty three hours sleep.

Here’s a flickr photoset.

I ended up getting a photo of nearly every mainline kernel hacker from India (with the notable exception of Dipankar, who was on vacation).

Suparna mentors kernel hackers

The above is a shot from the Linux kernel workout session, which resulted in several useful improvements and bugfixes for the kernel, some of which are already making their way upstream.

More details on the conference later.

FOSS.IN Linux Kernel Workout

It’s the end of the first day of FOSS.IN/2008, with people at the speakers’ hotel continuing to hack on various projects late into the night (11:30pm at this stage).

I’ll provide more detailed observations on the conference after it’s over; for now, some information on the Linux Kernel Workout session scheduled for Saturday.

For people wishing to attend:

There’s now a wiki page for the workout, detailing tasks to be addressed, as well as prerequisites for participation. Please read and follow the latter. You will need a git checked-out kernel tree which has been configured and boot tested on your laptop. Don’t try and do this on the day, as there will not be enough time, nor enough wireless bandwidth.

You should probably also attend the Linux Kernel Hacker Gathering on the Friday, the schedule for which is being finalized, and will help prepare for the workout session.

Harald Welte

Here’s Harald Welte from his GSM hacking workout session today. Note that he’s evolved to the stage where he simply emanates code. Either that, or he’s sitting in front of the projector.

FOSS.IN/2008 next week!

I’m preparing to travel to Bangalore for FOSS.IN, which is happening next week from the 25th to the 29th of November.

It’s looking very much like the deeply developer-focused event the organizers were hoping for. On the schedule is a mix of technical talks and workout sessions. I’ll be involved in the Kernel Quality Improvement Workout headed up by Christoph Hellwig, as well as giving a talk on Fedora Kiosk Mode. This will be expanded a little from the talk I gave at FOSS.MY, due to the extra time available.

I was going to talk about sVirt at the planned Fudcon, but the Fudcon was unfortunately cancelled. Fedora folk will still be there, though, and if anyone wants to talk about sVirt and get involved in some really cool and innovative hacking, catch up with me.

The main hall has been set aside for an entire day to host a Linux Kernel Hacker Gathering (LKHG), with sessions on Filesystems, Tracing, Power Management and Porting. It seems that this will be something like an open mini kernel summit, with participants to include Suparna Bhattacharya, Ananth N Mavinakayanahalli, Christoph Hellwig, Aneesh Kumar K V, Balbir Singh, Srikanth Srinivasan, Harald Welte, Srivatsa Vaddagiri, Amit Shah, myself, and Dipankar Sarma.

The final slot will be open for lightning talks from the audience, with the kernel hacker panel providing feedback, followed by an open Q&A session. This is somewhat based on the format of the LF symposium BoF day, and will be a great opportunity for people working on kernel projects to bounce their ideas off upstream kernel hackers. This includes people working on drivers and various kernel projects which are not currently upstream (i.e. work projects), who would like to get some advice on how to get their project upstreamed and how to work more effectively with the community.

A CfP will go out for the lightning talks soon, so if you want to participate, keep an eye out for that.

The organizers have made a video to promote and explain the conference:

http://www.youtube.com/watch?v=sfx8upiFlbY

And yes, you can hack on the roof of the building, or even hold talks: there’s an outdoor auditorium up there.

Currently, there are over 900 delegates registered, which is a lot for a developer conference. (Linux Plumbers had 300, IIRC.)

I think this promotional banner sums up my experience so far:

Not your typical Linux conference, by any means.

FOSS.my was just awesome

I’m on my way back to Sydney from Kuala Lumpur, following FOSS.my, Malaysia’s first major grassroots FOSS conference. Amazingly, Colin Charles and the team managed to organize the event from scratch in six weeks, attracting two full days’ worth of regional and local speakers.

Whiteboard Masterplan
If ever a whiteboard needed a “do not erase” sign, this would be it.

Based loosely on the formats of similar conferences in India and Australia, this first effort for SE Asia seems to be off to a great start, and I think we can expect an expanded event next year. The keynotes were all very interesting, and I especially appreciated being able to learn about all the various FOSS issues and efforts in Malaysia.

Several side-sessions ran in parallel with the main talks, where rooms were provided for projects including Ubuntu, Fedora and FOSSChix.my, the latter featuring sessions led by Pia Waugh and Pamela Fox. There were quite a lot of lightning talks, which I think were probably the most fun to attend, perhaps apart from the speakers’ dinner in the nightclub area of KL.

FossChix.my Ad
FOSSChix.my side session.

Jaya Kumar closed out the conference with a thought-provoking keynote, covering some issues he’s faced in his local community, and reminding us that we need to be vigilant in confronting instances of prejudice in all of our online communities.

Hallway Track
The hallway track, five stories up.

I gave a talk on the Anatomy of Fedora Kiosk Mode, the slides of which can be downloaded here. There are also more photos.

It was great meeting everyone, and I hope to be back again next year.

Upcoming conference talks on SELinux applications: sVirt and Kiosk Mode

Recently, I’ve been busy getting the initial cut of sVirt out, and am currently processing community feedback before issuing an update. The basic idea behind sVirt is to apply MAC label security (SELinux, Smack etc.) to Linux-based virtualization schemes such as KVM, allowing the existing OS-level security mechanisms to be re-used for process-based VMs. This is an application of one of the core advantages of Linux-based virtualization, where generally, all of the Linux process management infrastructure within the kernel and wider OS may be applied to domains which run inside Linux processes. So, for MAC label security in this case, we don’t need to do anything in terms of modifying kernel security mechanisms, and simply modify security policy as desired. We can focus on developing the appropriate high-level abstractions (e.g. management tool support) rather than developing a new security mechanism.

How can this be useful? In the simplest case, we can increase isolation between virtual machines by assigning them different security labels, and enforcing a MAC policy which prevents them from interacting. This helps ameliorate the increased risk arising from running domains on the same hardware where previously they may have been physically separated on different machines. This is just a start. There are plenty of interesting things which can be done once the core functionality is in place, although the initial idea is to simply provide stronger isolation to better protect domains from each other.

At an architectural level, security labeling support is being added to libvirt, a virtualization API which abstracts various aspects of virtualization including different hypervisor types, storage, networking, and with sVirt: MAC security. With sVirt integrated at the API level, security labeling support can be integrated into high-level tools via standardized and flexible abstractions. For example, when creating a new domain, the graphical virt-manager tool may include a checkbox to designate the domain as “isolated”—or perhaps just do it by default for true zeroconf.

I’ll be introducing sVirt more completely at LCA next January, so if you’re marching south and have interests in both security and virtualization, it might be worth popping in. I’m up against Tridge in the timeslot, so it might be an intimate session.

Next week, I’ll be giving a talk on Fedora Kiosk Mode at Malaysia’s inaugural developer conference, FOSS.MY. Kiosk Mode is another high-level MAC security application, where anonymous users can safely access desktop sessions and browse the internet. If you have the xguest package installed, it Just Works, as people are starting to notice.

I’ve been shortlisted on the same topic at the revamped FOSS.IN a few weeks later. There’s also been some discussion of a kernel development workout session, in which I’d love to participate, although it’s not yet short-listed. There’s also the FUDCon attached to FOSS.IN. We’re hoping to have a Fedora box there running Kiosk Mode for people to play with.

SELinux and Security changes in the 2.6.27 Kernel

Here’s an update on the main functional changes in security for the recently released 2.6.27 kernel.

  • SELinux deferred mapping of filesystem contexts
    This patch by Stephen Smalley addresses the case where “alien” SELinux security labels need to be written to the local filesystem, for example, in the case of building RPMs where the local policy is different to the policy on the system where the RPM is to be installed. This will help with enabling SELinux on build systems (e.g. in the Fedora infrastructure) and more generally with packagers and ISVs shipping third-party policy with RPMs.

    The way this works is to allow locally invalid labels to be written to disk by certain users (namely, those with the standard CAP_MAC_ADMIN capability and the mac_admin SELinux permission). For security purposes the system will treat those files as if they were not labeled, which means that no normal application will be able to interact with them. A further patch was added to allow administrators to view the alien labels.

  • Show LSM mount options in /proc/mounts
    SELinux has several filesystem mount options specific to its security model, such as the ability to set security labels on a per-mount basis. This is useful for filesystems which do not have support for security labeling.

    These options were not being displayed in /proc/mounts, and Eric Paris wrote a patch which provides a general solution to this for all LSM modules with a new sb_show_options hook.

  • Split proc ptrace checking into read vs. attach
    With this patch from Stephen Smalley, the core ptrace permission code was split so that read-only access to process state could be differentiated from access requiring full control of the process. Several applications such as lsof need to do things like read the memory state of a process, but nothing else, so it is now possible to allow that without also allowing general ptrace access.

    The LSM ptrace hook is now passed a flag, either PTRACE_MODE_READ or PTRACE_MODE_ATTACH, to allow the security modules to differentiate access in policy, if desired.

  • Removal of LSM dummy module
    Ever since the introduction of LSM, a ‘dummy’ module has always been the default when LSM was built but not configured with a specific security model. This has never been a good default, as people almost certainly need the capability module.

    Miklos Szeredi supplied a patch to remove the dummy module and ensure that the capability module is always compiled in as the default. With the capability code always compiled in, LSM was then further simplified to remove the secondary module stacking code. This was previously used by LSMs such as SELinux to dynamically stack capabilities, and now that it is known that capabilities is always there, this stacking can be performed by simply calling directly into the capability module.

  • Protect legacy applications from executing with insufficient privilege
    Andrew Morgan authored a patch to ensure that certain applications which are not granted all of the privileges they request or expect have their execution failed with EPERM. The counter-intuitiveness of this should be a hint as to the overall complexity and subtlety of OS security. The full background to this change is documented in this sendmail capabilities war story. If your brain doesn’t explode when you read that, there is something wrong with you and you should probably be working in computer security, if not already.

    Filesystem capabilities were also promoted from experimental status in the kernel configuration to a standard option, and are indeed now enabled by default on at least one distribution (Fedora 10 development).

  • Fix setting of PF_SUPERPRIV by __capable()
    David Howells fixed a long-standing bug in the capability code, where the PF_SUPERPRIV flag could have been set inappropriately on processes which were being probed for a privilege rather than actually using the privilege. This flag is set on a process when it exercises privilege (e.g. via capabilities), and may be later used for process accounting purposes. David’s patch fixed the problem by cleanly demarcating the probing of capabilities vs. using them, resulting in a nice general code cleanup.
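As an added example (not code from the kernel or from the original post), here is a small C parser that pulls the SELinux mount options (context=, fscontext=, defcontext=, rootcontext=) out of /proc/mounts-style lines, which is where they become visible with the sb_show_options hook. The sample lines and function names are constructed for illustration; SELinux wraps a label in double quotes when it contains a comma, so the options field cannot simply be split on ','.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample lines in /proc/mounts format (not from a real host). */
static const char *SAMPLE_MOUNTS[] = {
    "/dev/sdb1 /mnt/usb vfat rw,context=\"system_u:object_r:removable_t:s0:c1,c2\",nosuid 0 0",
    "tmpfs /dev/shm tmpfs rw,rootcontext=system_u:object_r:tmpfs_t:s0 0 0",
    "/dev/sda2 /srv ext3 rw,fscontext=system_u:object_r:fs_t:s0,noexec 0 0",
};

/* The options are the 4th space-separated field: dev dir fstype opts ... */
static const char *options_field(const char *line)
{
    for (int i = 0; i < 3 && line; i++)
        if ((line = strchr(line, ' ')) != NULL)
            line++;
    return line;
}

static int at_end(char c) { return c == '\0' || c == ' ' || c == '\n'; }

/* Copy the value of option `key` into out. Returns 1 if found, 0 if absent,
 * -1 if the line is malformed or out is too small. */
int lsm_mount_opt(const char *line, const char *key, char *out, size_t outlen)
{
    const char *p = options_field(line);
    size_t klen = strlen(key);
    if (!p) return -1;
    while (!at_end(*p)) {
        const char *name = p, *val = NULL, *end = NULL;
        while (!at_end(*p) && *p != '=' && *p != ',')
            p++;
        size_t nlen = (size_t)(p - name);
        if (*p == '=') {
            val = ++p;
            if (*p == '"') {        /* quoted: commas belong to the label */
                val = ++p;
                end = strchr(p, '"');
                if (!end) return -1;
                p = end + 1;
            } else {
                while (!at_end(*p) && *p != ',')
                    p++;
                end = p;
            }
        }
        /* Exact name match, so "context" never matches "fscontext". */
        if (val && nlen == klen && memcmp(name, key, klen) == 0) {
            size_t vlen = (size_t)(end - val);
            if (vlen >= outlen) return -1;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (*p == ',') p++;
    }
    return 0;
}

int main(void)
{
    const char *keys[] = { "context", "fscontext", "defcontext", "rootcontext" };
    char label[128];
    for (int m = 0; m < 3; m++)
        for (int k = 0; k < 4; k++)
            if (lsm_mount_opt(SAMPLE_MOUNTS[m], keys[k], label, sizeof(label)) == 1)
                printf("mount %d: %s=%s\n", m, keys[k], label);
    return 0;
}
```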
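A user-space model of the exec-time rule behind the legacy-application change, added here as an illustration and not taken from Andrew Morgan's patch: it applies the execve() transformation documented in capabilities(7) and fails with EPERM when a binary marked with the effective bit would start without part of its file-permitted set. The struct and function names and the two daemon scenarios are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_SETUID            7
#define CAP_NET_BIND_SERVICE 10
#define CAP_MASK(n) (UINT64_C(1) << (n))

/* Hypothetical types for this model; the kernel's own structures differ. */
struct file_caps {
    uint64_t permitted;   /* fP: capabilities the file forces on */
    uint64_t inheritable; /* fI */
    int effective;        /* fE: set on legacy, capability-unaware binaries */
};
struct task_caps {
    uint64_t permitted;   /* pP */
    uint64_t inheritable; /* pI */
    uint64_t effective;   /* pE */
    uint64_t bounding;    /* X: capability bounding set */
};

/*
 * Apply the execve() rules from capabilities(7) to *t:
 *     pP' = (X & fP) | (pI & fI)
 *     pE' = fE ? pP' : 0
 * Returns 0, or -EPERM (leaving *t unchanged) when a legacy binary (fE set)
 * would not receive every capability in fP. Such a binary has no way to
 * notice the shortfall, so it is safer not to run it at all.
 */
int exec_apply_file_caps(struct task_caps *t, const struct file_caps *f)
{
    uint64_t granted = (t->bounding & f->permitted) |
                       (t->inheritable & f->inheritable);

    if (f->effective && (f->permitted & ~granted))
        return -EPERM;
    t->permitted = granted;
    t->effective = f->effective ? granted : 0;
    return 0;
}

/* Constructed scenario: the same capabilities on a legacy and an aware binary. */
#define DAEMON_CAPS (CAP_MASK(CAP_SETUID) | CAP_MASK(CAP_NET_BIND_SERVICE))
const struct file_caps LEGACY_DAEMON = { DAEMON_CAPS, 0, 1 };
const struct file_caps AWARE_DAEMON  = { DAEMON_CAPS, 0, 0 };

/* A task whose bounding set has had CAP_SETUID removed. */
struct task_caps restricted_task(void)
{
    struct task_caps t = { 0, 0, 0, ~CAP_MASK(CAP_SETUID) };
    return t;
}

int main(void)
{
    struct task_caps a = restricted_task(), b = restricted_task();
    int legacy = exec_apply_file_caps(&a, &LEGACY_DAEMON);
    int aware = exec_apply_file_caps(&b, &AWARE_DAEMON);

    printf("legacy binary: %s\n", legacy == -EPERM ? "EPERM" : "runs");
    printf("aware binary:  %s, pP'=%#llx pE'=%#llx\n", aware ? "EPERM" : "runs",
           (unsigned long long)b.permitted, (unsigned long long)b.effective);
    return 0;
}
```

The capability-aware binary still starts, with a reduced permitted set and an empty effective set, and is expected to inspect what it was given before relying on it.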

Upcoming changes

There’s quite a lot coming up in security for the next couple of kernels, with major changes including David Howells’ epic credentials API rewrite (which touches pretty much everything and is thus moving very slowly upstream), the Integrity framework and IMA from Mimi Zohar et al, and Trusted Boot (TXT) from Intel. It’s not clear whether these will make the current merge window for 2.6.28, although some preparatory patches are already merged. Paul Moore has been doing a lot of work on labeled networking, which is maturing in terms of government/military requirements, and should also provide some very interesting functionality for general users down the track. There’s been an updated code drop for Labeled NFS, although I’ve not yet had a chance to give it a detailed review (things get busy upstream when you combine KS/LPC and a kernel release). There are also possible merges of TOMOYO and AppArmor if the VFS pathname issue is resolved.

Foss.in 2008: taking no prisoners

It seems that foss.in this year is undertaking a major change in its focus—away from the traditional general conference and toward a developer-oriented working event.

Atul Chitnis today posted a detailed rationale, which has also been summarized by Sankarshan. It seems that inspiration was drawn from the recent Plumbers Conf, and also the strong desire to foster actual FOSS development in India.

A FUDCon is being held in conjunction with foss.in, which should also help attract developers. It’s the closest upcoming FUDCon to me in geographic terms, and I’m working on attending for that at least.

From discussion with some of the folk involved in the wider event, it seems that many fine details are yet to be worked out, and while the emphasis is very much on Indian developers, I’d suggest that international developers who’ve been considering submitting a proposal this year definitely still do so.

Linux Plumbers Conf Impressions

Today was the last day of the Linux Plumbers Conference, which overall seems to have gone really well. Certainly it exceeded my expectations, which were already pretty high. In my view, the conference was distinctive in that it was totally developer-focused and collaborative, with no thinly-disguised marketing talks.

The atmosphere was relaxed, and not overly structured, which allowed for a lot of useful ad-hoc discussions between developers working in different areas of the OS. An example was Arjan’s talk on achieving a five-second boot, which itself was very interesting and entertaining, but was also followed by a lunch session with a bunch of distro maintainers to work out various specifics. It seems that a small arms race has been launched between Fedora & Ubuntu on who can first get the default install to a five second boot.

I was interested to catch up on the latest file system developments, and caught the updates on btrfs and crfs by their respective authors, Chris Mason & Zach Brown. The disk format for btrfs will be locked in before the end of the year, according to Chris, to encourage more developers and users to start playing with it. crfs is looking increasingly impressive as a small-scale, fast, reliable and sane networked file system: I grabbed a photo of the slide comparing it with other network filesystems:

CRFS feature comparison

Other photos I took at the conference are here.

It was really great to catch up with so many people I work with over the net, and also to finally meet some people I must have known for more than a decade but still never met in person — possibly due to this being the first Linux conference I’ve attended in the US.

During the closing, Kristen Accardi did a brief survey on several aspects of the conference, and it seems that virtually everyone was happy with it. I think the conference has a bright future, as it seems to have filled a now obvious need for a place where a cross-section of mainline Linux developers can meet up specifically to solve problems.