Category Archives: Linux

Portland Roundup

Last week was a busy one in Portland, starting with the SELinux Developer Summit on Sunday the 20th, followed by LinuxCon proper, and the Linux Plumbers Conference.

The SELinux event went very smoothly, with around twenty-five attendees from the core SELinux developer community.  Given tight travel budgets all-round, this level of attendance was very good to see.  I’d like to thank Angela Brown, Craig Ross and the rest of the Linux Foundation team for making everything work perfectly for us (this was a co-located event ahead of LinuxCon).

The day was divided into two sessions: standard presentations in the morning, followed by a more open general session in the afternoon.  It was good to catch up on the latest development work and directions in the project, and also to bring the otherwise globally distributed team together in the same place.

SELinux Developer Summit Lunch Track

SELinux Developer Summit Lunch Track

The inaugural LinuxCon then ran for three days, with an expansive programme.  I gave a talk on adding extended attribute support to Linux NFSv3 — the slides for which may be downloaded as PDF or viewed on slideshare.  I completed the initial code on the flight to the US and posted it from the hotel.  Feedback so far has been positive, although I haven’t heard from the NFS maintainers yet (who are likely busy with the merge window).  The rationale and technical approach is similar the NFSv3 ACL support which was merged some time ago; and the implementation is based on a fielded IRIX version (released under the GPL) — both factors which I hope will help with upstream acceptance.

Also at LinuxCon: Dan Walsh gave a talk on sVirt, which I introduced earlier this year at LCA (and previewed of during a lightning talk last year at FOSS.MY).  It seems to have been well-received (see LWN coverage), and it’s a good example of the high-level security abstractions which we can build once we have the underlying mechanisms in place.  In the case of sVirt, where we apply strong mandatory isolation to process-based virtualization (e.g. SELinux+KVM), there is zero configuration — it configures itself automatically depending on which security model you have enabled.  It should work with any label security scheme, such as Smack, and I’ve also heard that the AppArmor folk have it working (even though sVirt was not explicitly designed for pathname security).

Only in Oregon - Voodoo Donuts

Only in Oregon - Voodoo Donuts

Dan gave a LinuxCon lightning talk at Linux on yet another high-level security feature: Sandbox X, which extends the SELinux sandbox mechanism to the desktop by running applications in isolated X servers via Xephyr.  He gave a full talk on this the Linux Plumbers Conference, slides of which may be found here.

Dan Walsh - SELinux Sandbox

Dan Walsh - SELinux Sandbox

I don’t have the time to cover everything at LinuxCon — check the web site for videos and slides.  Also see my flickr photo set.  It was a very impressive first conference, with LCA-quality social events and catering (Angela Brown has been quietly studying LCA, in fact) and certainly sets a new standard for such events in North America.  LinuxCon will be held in Boston next year — I wonder what they’ll come up with to beat bacon-maple donuts for breakfast.

Following LinuxCon, the second Linux Plumbers Conference was held, and we were fortunate to get a double session for the security microconf (a special thanks to Nivedita Singhvi and team for making this possible).  We had talks on several Linux security projects, including Herbert Xu with an update on the kernel crypto API, Caleb Case on SELinux in Ubuntu, David Safford on IMA, and Casey Schaufler on the Smack application ecosystem (some high-end televisions will soon be shipping with Smack, to isolate the applications of competing content providers).

The XACE talk was very interesting, as we’re getting close to having workable support for MAC security inside X, which will allow the desktop to be locked down with fine-grained and comprehensive controls.  While typically envisaged for MLS use (e.g. having “secret” and “unclassified” desktop applications running on the same system), there are also many general purpose scenarios, such as separating your online banking session from your IRC chats.  It will be interesting to see what’s possible when combining XACE window labeling with Sandbox X — stay tuned.

XACE and AVC Cow - The future of the secure desktop

XACE and AVC Cow - The future of the secure desktop

Slides from the LPC microconf will be at the event web site soon, and I’ve also made all them available for download here.

It was a fairly intense week — three conferences plus the travel to and from Sydney, as well as the merge window opening a few days before.  I’ve got a few weeks to recover and then it’s Japan for the Kernel Summit and Japan Linux Symposium, stopping in Kuala Lumpur on the way back for FOSS.MY (where I’ll be covering the latest in SELinux Sandboxing).

**

Note that you can now follow my micro-updates on twitter, which is bridged from my identi.ca account.

2009 SELinux Developer Summit schedule published

We’ve just published the schedule for this year’s SELinux Developer Summit.

From the announcement:

This year's event will be divided into two main sessions.

The first will be for traditional conference presentations which
were accepted via the CfP:

  * Labeled NFS Community Involvement - Dave Quigley (NSA)
  * Update on Flask/TE Support for X - Eamon Walsh (NSA)
  * Work on a Higher-Level Policy Language - James Carter (NSA)
  * Video Streaming in Policy Confined Environments - Philip Tricca (USAF)
  * A New Policy Infrastructure for SELinux Joshua Brindle (Tresys)
  * Policy Distribution Joshua Brindle (Tresys)
  * Refpolicy and Userspace Joshua Brindle (Tresys)
  * Analysis of Flask Policies in VM Systems Trent Jaeger (PSU) 

Aside from Josh's talks (which are combined into one 60-minute slot),
these are 30-minute slots.  For speakers, the recommended format is
20-minutes of presenting and 10-minutes of Q&A.

The second main session, after lunch, is intended to be fully
collaborative in that everyone in attendance may (and should) participate.
This is divided into three sections:

  * Lightning talks, 5 minutes each.  Any attendee may propose a lightning
    talk via the wiki or on the day.

  * Development sessions.  This is a flexible format where developers can
    work in small self-organized groups on specific tasks, taking
    advantage of the fact that we're all in the same place for the day.
    We'll discuss this further on the event mailing list -- it's important
    to identify tasks, teams and goals beforehand, and also to make sure
    everyone is set up to get straight to work on the day.

  * General project discussion.  We'll spend about an hour discussing
    project and development issues.  Candidate agenda items should
    first be posted to the event mailing list, and the agenda will be
    finalized immediately prior to the event.

For attendees who are yet to do so, ensure you are registered for
LinuxCon, which is co-hosting the event for us:

http://events.linuxfoundation.org/events/linuxcon

LinuxCon registration is a requirement for attending the SELinux Developer
Summit.  The current discounted registration rate ends on August 15th.

The development sessions idea comes from last year’s development-oriented FOSS.IN, which I wrote about here.

If you’re still considering whether to attend the SELinux Developer Summit, keep in mind that in addition to being part of LinuxCon, there’s also Linux Plumbers directly following that at the same venue, which includes a general Linux security microconf.  Travel budgets are tight for everyone this year, so hopefully the co-location of these events will help make a business case for people who are still working on travel approval.

For those who can’t make it, we’ll try and ensure that all available materials and minutes from the event are published in a timely manner.   I’d encourage those who are able to attend to blog/dent/tweet anything related to the event that they feel might be useful to others.

KCA slides, photos and videos

I was in Brisbane last week to talk about Linux Kernel Security at Kernel Conference Australia (KCA).

The aims of the talk were to provide a general overview of security features in the Linux kernel, and to examine historical context around Unix security and how Linux is evolving to address modern security requirements.

People may be interested in my slides. They’re available as a PDF download and via Slideshare. Note that full speaker notes are included in the slides, in the second half of the deck.

The conference was streamed live online, and the video from my talk may be viewed here. I’m watching to see how the talk, and my speaking in general, might be improved. As painful as this may be, it seems very effective in understanding what worked and what didn’t. I think I can tighten this talk up for possible future use, and focus more on how our development process—not merely the technology—helps address evolving security requirements.

I later participated in an OS security panel with Cristina Cifuentes and Fernando Gont, the video of which is also online.

I’ve also uploaded a flickr photo set. Brisbane is a great location for a conference, especially in the southern hemisphere winter.

It was unusual being the only Linux speaker at a conference. I hope the talk was useful, if at least to encourage more thinking about security in operating systems.

The primary organizer of KCA, James MacPherson, has posted an initial wrap-up of the conference. If the conference continues—I hope it does; it has a lot of potential for the Australian kernel R&D community—I think it would be highly advantageous to more actively seek speakers (and even organizers), from the broader community. One major local Linux kernel developer had a Linux kernel video talk rejected, which seemed odd given that similar talks were accepted (e.g. the new OpenSolaris sound system), and that an additional OpenSolaris talk was added to the program after the CfP closed.

I understand that organizing conferences is difficult, so I hope this is taken as constructive feedback. I’d certainly be interested in helping review papers or otherwise help out in the future if the conference is held again, and if it is aimed at the broader community.

A brief note on the 2.6.30 kernel null pointer vulnerability

This is just to note that the Red Hat Security Response team have issued a preliminary comment on the 2.6.30 kernel null pointer vulnerability, as a comment in the associated bugzilla entry:

From Eugene Teo (Security Response Team)  2009-07-17 07:23:57 EDT

The Red Hat Security Response Team is aware of the Linux kernel local privilege
escalation exploit that is published in a number of security mailing lists and
websites. The flaw identified by CVE-2009-1897 is a null pointer dereference
vulnerability in the tun_chr_poll() function of the Linux kernel, introduced
via the upstream git commit 33dccbb0. This flaw affects kernel versions between
2.6.30-rc1 and 2.6.30-rc3 2.6.31-rc3 , and was addressed via the upstream
git commit 3c8a9c63.

The flaw affects only the Red Hat Enterprise Linux 5.4 beta kernel as the
upstream git commit 33dccbb0 was backported to the kernel as a normal bug fix.
We will be addressing this flaw in a future update to the beta kernel. It is
also possible to mitigate this flaw by ensuring that the permissions for
/dev/net/tun is restricted to root only.

The default SELinux policy, in Red Hat Enterprise Linux 5, allows processes in
the unconfined domains to map low memory in the kernel. The exploit did not
bypass the null pointer dereference protection in the Linux kernel. However, we
are updating the selinux-policy package to change this default configuration,
so that it prevents the unconfined processes from being able to map the low
memory. See bug 511143 for more information.

This issue does not affect any other released kernel in any Red Hat product.

In addition, future updates to Red Hat Enterprise Linux kernels may include the
'-fno-delete-null-pointer-checks' gcc CFLAGS. See:
http://git.kernel.org/linus/a3ca86aea507904148870946d599e07a340b39bf

We would like to thank Brad Spengler for bringing these issues to our
attention.

Note that I’m not a member of the security response team: I’m cc’d on the bug and noticed the statement when it was posted.

It is also worth highlighting that you should ensure that the permissions on

/dev/net/tun

are correct.  It should look like this:


# ls -l /dev/net/tun
crw------- 1 root root 10, 200 2009-07-07 09:52 /dev/net/tun

It’s possible that some VPN package may change the permissions on this.

In terms of the SELinux aspect of the exploit, I’ve posted a brief comment in the LWN thread here.

Yes, there was a mistake in the SELinux policy, which allowed the unconfined user to bypass the mmap_min_addr check, which otherwise would have been enforced if the check was enabled (many disable it to get wine etc. working, btw, google disable mmap_min_addr).

This is being fixed in the policy.

The lesson learned here is that more careful review of policy changes needs to happen, and to ask the question as to whether the policy is capable of weakening default security.

The LSM interface is theoretically designed to only allow further restriction of access, but this is a special case, where we are applying policy to a kernel compilation option which can also have its value set via a sysctl. It’s not a typical “access this resource or not?” decision.

The policy bug is now fixed in the selinux-policy-2.4.6-252.el5 package.

The challenge now is to try and ensure that we don’t see this class of problem crop up again, for unusual cases such as this where the normally “restrictive” mode of LSM (i.e. where permissions can only be further restricted) does not apply.  We may need to rethink how this is managed in the kernel to reduce the possibility of such issues in LSM module policy, as the LSM API here appears to be violating the Hard to Misuse design principle.

FOSS.MY 2009 CFP Open

Kuala Lumpur

Kuala Lumpur

I just noticed that the Call for Participation for FOSS.my 2009 is now open, until August 15th.  I spoke at the inaugural event last year, and had a great time.  Held in Malaysia, this is a true grass-roots conference.  It’s modelled somewhat on other community events such as LCA and FOSS.IN, and probably the leading such event for Southeast Asia.

The conference will be held on the weekend of the 24th and 25th of October, immediately following the Japan Linux Symposium and the Kernel Summit.  If you’re visiting the region for either of the Tokyo events, Malaysia is relatively close-by, and there are several good budget airlines in the region.  I’d highly recommend submitting a proposal or simply attending.

Kuala Lumpur is certainly a great city to visit, too.

All my talk slides are now on Slideshare

I’ve uploaded the slides from essentially all of the talks I’ve given to Slideshare. This is likely more useful than my previous strategy of dumping them in a directory and leaving the rest up to search engine bots.

Click here for the full list of slides. They are all published under the Creative Commons attribution share-alike license.

One interesting slide title, which I’d forgotten about, is Kernel Security for 2.8, from the 2004 Kernel Summit. This was from when we were still expecting a 2.7 development kernel leading to a 2.8 stable kernel — I think Linus announced the change in development model at that summit.

Included in this set of slides are several introductory and deeper technical overviews of SELinux; I hope they are useful for people who are looking for information for themselves, or if making their own slides. As the license suggests, please feel free to copy and extend them (but note that the older ones are going to be more out of date).

SELinux for Humans

I mean, SLUGs…

Paul Wayper gave a couple of talks on SELinux at this weeks’ SLUG meeting, and includes links to a couple of very useful slide decks:

The sysadmin slides look particularly useful, as they focus on solving common issues such as running FTP/SAMBA/Apache servers, and provide some very useful general tips, such as looking in the audit log and using policy booleans for high-level policy tweaking.

These slides may be the best, short introduction for sysadmins on the topic that I’ve seen. It’s a difficult thing to get right.

Security subsystem changes in the 2.6.30 kernel

Here’s an update on the major changes to the kernel security subsystem for the 2.6.30 kernel.

  • TOMOYO
    The TOMOYO security framework from NTT was merged. This is the first significant LSM scheme to be merged since SELinux in 2003. TOMOYO is characterized by its targeting of non-technical users, where security policy is automatically generated with a “learning mode” tool. This scheme utilizes pathnames for determining access to filesystem objects. Another interesting feature is that a domain, i.e. an active subject which acts on objects, is defined as a history of process invocations, rather than a single process. This allows policy to be applied to a particular branch of processes in the system. For example, an access permitted for init->httpd->perl may not be permitted for init->httpd->bash. Sample policy may be found here.
  • IMA
    IBM’s Integrity Measurement Architecture was also merged. This uses the TPM to verify and store cryptographic checksums of files used by the system, i.e. measurement. If a measured file has been modified on disk, this will be detected and stored permanently in the TPM. The aim is to help detect attacks based on modifying files—such as executable binaries or configuration files—although it cannot detect runtime attacks, and requires checksums to be known in advance for the full system startup chain. Files to be measured may be specified in a policy loadable via securityfs.
  • Remove Old SELinux Network Controls
    The original SELinux network controls were deprecated by the iptables-based Secmark system several years ago, although they remained available via the compat_net option for the likely few people who were using them. The old code has now been removed entirely, and users should transition to Secmark: Paul Moore has written a detailed guide for this.

The remaining changes were primarily bugfixes and enhancements across most parts of the security subsystem, including SELinux, SMACK, and keys.

Paul and I are finalizing the schedule for the security microconf at the upcoming Linux Plumbers Conference. It’s looking like a great line-up at this stage—stay tuned for more details soon.

SELinux Developer Summit: CfP closes 1st July (1 week)

Just a reminder for SELinux developers and anyone interested in the internals of SELinux that the SELinux Developer Summit CfP closes on July 1st, which is about a week away.

SELinux logo

Details of the CfP are here. Don’t forget to join the event mailing list if you’re attending.

Proposals for presentations, lightning talks, and development sessions should be submitted via email per the instructions in the CfP. Proposals do not need to be especially detailed: if you have a good idea, simply send it in.

mystery object

For reading this, you are rewarded with a mystery object (pictured above). See if you can figure out what it is before clicking on it and reading the comments @ flickr.

Classic Unix Design Principles

In the process of preparing my talk for KCA, I re-read the classic paper: The UNIX Time-Sharing System by Ritchie & Thompson. This paper was revised several times between 1973 and 1978, and the authors’ observations are well worth remembering:

Perhaps paradoxically, the success of the Unix system is largely due to the fact that it was not designed to meet any predefined objectives. The first version was written when one of us (Thompson), dissatisfied with the available computer facilities, discovered a little-used PDP-7 and set out to create a more hospitable environment […] We have not been faced with the need to satisfy someone else’s requirements, and for this freedom we are grateful.

Three considerations that influenced the design of Unix are visible in retrospect.

First: because we are programmers, we naturally designed the system to make it easy to write, test, and run programs. The most important expression of our desire for programming convenience was that the system was arranged for interactive use, even though the original version only supported one user. We believe that a properly designed interactive system is much more productive and satisfying to use than a “batch” system. Moreover, such a system is rather easily adaptable to noninteractive use, while the converse is not true.

Second: there have always been fairly severe size constraints on the system and its software. Given the partially antagonistic desires for reasonable efficiency and expressive power, the size constraint has encouraged not only economy, but also a certain elegance of design. This may be a thinly disguised version of the “salvation through suffering” philosophy, but in our case it worked.

Third: nearly from the start, the system was able to, and did, maintain itself. This fact is more important than it might seem. If designers of a system are forced to use that system, they quickly become aware of its functional and superficial deficiencies and are strongly motivated to correct them before it is too late. Because all source programs were always available and easily modified on-line, we were willing to revise and rewrite the system and its software when new ideas were invented, discovered, or suggested by others.

It’s clear that the success of Linux (and FOSS more generally), is underpinned by these principles.  These principles are not merely about technology; they’re a way of thinking about technology and the people who create and use it.