Category Archives: Linux

The Linux Foundation does not speak for me

I’d like to say, somewhat for the sake of the OpenSolaris folk who are currently having a bit of a rough time, that I personally strongly disagree with certain statements coming out of the Linux Foundation, such as those claiming that the “L in LAMP is literal”. [1]

Of course, LAMP has long been representative of the concept of a free software stack. The term itself has been tremendously useful as a means to identify an open approach to developing and deploying systems. The L does of course not have to mean Linux any more than the P needs to mean PHP or Perl. Aside from OpenSolaris, there are many good choices for operating systems in an open stack, such as OpenBSD.

While LF is an industry consortium representing several companies and organizations with various interests in Linux, it certainly does not generally represent the Linux community.

As a Linux developer, I’d like to continue to extend support and encouragement to OpenSolaris developers.

I believe that such attacks on other open projects serve to damage the general interests of FOSS. Interestingly, LF has granted itself authority to respond to “competitors’ attacks” [2], a role which is surely undermined by themselves undertaking such attacks, especially on emerging FOSS projects.

References:

[1] http://www.linux-foundation.org/weblogs/amanda/2008/02/17/hey-jonathan-the-l-in-lamp-is-literal/
[2] http://www.linux-foundation.org/en/About

mmap_min_addr setting may mitigate vmsplice exploit

Rafal Wojtczuk of McAfee Avert Labs posted an interesting analysis of the “qaaz” exploit for the recent vmsplice vulnerabilities.

Since 2.6.23, it has been possible to prevent applications from mapping low pages (which mitigates exploitation of null pointer dereferences in the kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the lowest address a user process is allowed to map.

So, if you have a recent kernel still affected by the vmsplice issue, try:

    echo 65536 > /proc/sys/vm/mmap_min_addr

(If it is not already set, of course).

If using SELinux, the system must be running in enforcing mode.

Note that there was a bug in the mmap_min_addr code until 2.6.24-rc5, although I do not believe it affects mitigation of this particular exploit.

Generally, it is a good idea to have mmap_min_addr set, although it is disabled by default in the upstream kernel as it can affect some applications (e.g. users of vm86 mode such as X).

As SELinux is able to selectively enforce the setting via policy, it can be enabled for the general case on recent SELinux systems. If not using SELinux, processes with CAP_SYS_RAWIO are allowed to bypass the setting.

IBM article: Role-based access control in SELinux

Serge Hallyn of IBM and general kernel hacking fame has written a great article on Role-based access control (RBAC) in SELinux.

The article is also something of a tutorial, implementing a security scheme for a simple store cash register system, with downloads available for a Gentoo-based SELinux from Scratch qemu image and for standard Fedora 8 systems.

It’s great to see these kinds of projects coming from the community!

Using SELinux Kiosk Mode in Fedora 8

Fedora 8 now has support for Dan Walsh’s SELinux kiosk mode, or xguest, which he has previously described in some detail.

The good news is that it’s utterly simple to use:

  1. Upgrade to the very latest Fedora 8 — simply ensure you have run:

    # yum update

  2. Install the xguest package and necessary dependencies:

    # yum install xguest

  3. Ensure you’re running SELinux in enforcing mode:

    # getenforce
    Enforcing

  4. Log out from X, and you should see a new “X Guest User” user in the GDM welcome screen:

    GDM login screen with X Guest User

  5. Click on the X Guest User account, and you will be logged straight into a GNOME session.

The GNOME session will run as a very tightly locked down SELinux account, which can only be accessed via GDM. It is essentially authorized only to surf the web.

pam_namespace is used so that the session has a private view of shared writable filesystem space (e.g. /tmp), while Sabayon loads a custom GNOME configuration.

Any local changes made by the user, such as writes to $HOME or changes to their desktop settings, will be lost when they log out.

Thomas Mraz’s PAM SELinux permit package ensures that the xguest account is only usable in enforcing mode, so that the account cannot be used to attack the system while it is permissive.

Further technical detail may be found in the package’s README file.

Where would you use this? Dan has found it useful for family members with various levels of computer skill, while I can imagine that xguest would also be quite handy for things like LUG events, conference booths, training, Linux demonstrations, information kiosks etc.

If you come up with any cool uses, or enhancements, please let us know.

Enjoy!

SELinux mitigates remote root vulnerability in OpenPegasus

According to Red Hat Security Advisory RHSA-2008-0002, a recently discovered stack overflow flaw in OpenPegasus is mitigated by standard SELinux targeted policy in RHEL4 and RHEL5:

… an unauthenticated remote user could trigger this flaw and potentially execute arbitrary code with root privileges. (CVE-2008-0003)

Note that the tog-pegasus packages are not installed by default on Red Hat Enterprise Linux. The Red Hat Security Response Team believes that it would be hard to remotely exploit this issue to execute arbitrary code, due to the default SELinux targeted policy on Red Hat Enterprise Linux 4 and 5, and the SELinux memory protection tests enabled by default on Red Hat Enterprise Linux.

The enhanced memory protection tests in RHEL5 contribute here to mitigation.

On a related note, Mark Cox has just published an updated grid of vulnerability and threat mitigation features in RHEL and Fedora. Fedora 8, being the most recent distro listed, has the greatest number of these features.

security feature grid

Btw, for those able to attend FUDCon in Raleigh over the weekend, there will be a few SELinux folk around to answer questions, listen to feedback etc.

Update:
Someone asked for more Fedora-specific information to compare with other distributions. Here’s a well-maintained page on Fedora Security Features.

SELinux mitigates HPLIP vulnerability

I missed this one at the time, but a member of the Red Hat security response team just pointed me at this RHEL advisory from October, where a vulnerability in HPLIP was mitigated by standard targeted policy.

That is, SELinux provided zero-day protection against local users exploiting this vulnerability to run arbitrary code as root.

Previously:

FOSS.IN/2007 Wrapup

I’m finally back from FOSS.IN/2007, although my body clock seems to be lost somewhere in the Arabian Sea.

The push to make the conference more contributor-focused seemed to work very well.

The final talk slot, which was given to Rusty on short notice, included an invitation for FOSS developers to come down and stand on the stage. First, people who had contributed code to a project — way more people than anyone expected — stood up and came down. Then, progressively, people who’d submitted a bug report, or written documentation, or helped others, and finally, anyone who’d used FOSS. Here’s what it looked like:

foss.in closing talk: contributors on stage

Photo by Jim Grisanzio

Members of the then non-audience passed the microphone around for some ad-hoc lightning talks on what they were doing.

Following that, Atul spoke about the future of FOSS contribution in India, explaining that FOSS.IN would not move around the country, as it is preferred that each region develop their own event. Organizers of other Indian FOSS conferences provided brief overviews of each, including the entirely student-run FOSS Meet@NITC in Calicut.

It was a great ending to a great conference, and overall, simply refreshing to see so much grassroots activity.

An older attendee wrote a nice email to the conference mailing list with some interesting observations, such as “You are prime-movers of modern India” and “Some had weird hairstyles”. Indeed, as has been noted by others, including Simon Phipps, there’s an intense enthusiasm for technology in India which I’ve not seen elsewhere.

I really would not be surprised, within ten years, to see India become the top FOSS contributing country.

As a foreign speaker, I found the conference to be a great opportunity to spread knowledge in a direct way — beyond what is possible via code, documentation, blogging etc. — and can highly recommend it to others. Rusty had fun, although he definitely under-assessed his final talk.

If you’ve ever wondered what it’s like to return from your morning coffee run to be serenaded by a Nadaswaram, “the world’s loudest non-brass acoustic instrument”, here’s a video starring Andrew Cowie, Spot Calloway and the omnipresent Rusty as part of the audience.

http://www.youtube.com/watch?v=9kwI3Vn7aiM

FOSS.IN/2007 Photos

I’ve started uploading a conference photo set here. Expect to see more soon. You can find many photos by others by searching flickr for the tag “fossin2007”.

e.g. http://flickr.com/search/?q=fossin2007&w=all

some foss.in speakers

Jet lag is fun, as always — I didn’t think it’d be so bad traveling from Sydney instead of Boston, but it’s possibly worse. Thankfully, there is no shortage of strong coffee in Bangalore.

FOSS.IN kicks off

The FOSS.IN project days have commenced, ahead of the main conference. It’s great to be back in India, and to meet up with everyone again.

Rusty and I were walking around Bangalore yesterday, and encountered a family of monkeys crossing the road.

(video in case the embedding doesn’t work…)