RIP Anthony Rumble

I was shocked today to read of the passing of Anthony Rumble, a true pioneer of Linux, the Internet, and electronic commerce in Australia.

I first met him at an APANA BBQ in 1994, where he handed me my first Linux distribution: Slackware 1.1.2, with the trusty 0.99pl15 kernel.

I subsequently worked with Anthony on the NetXpress project, which he designed, and which was one of the first significant deployments of Linux in a mission-critical role in Australia. His work went a long way to proving the capability and viability of Linux for larger businesses—something which is taken for granted today, but certainly was not at the time. And without his efforts to provide public access Internet in Australia in the early 1990s, I likely would not have even used the Internet until several years later, when commercial ISPs started offering retail access. I suspect there are many today in the Linux and Internet communities who were similarly influenced and assisted by Anthony.

While I had not seen Anthony for some time, we were good friends and this is very sad news.

Kernel Conference Australia

I’ve had a talk accepted at the upcoming Kernel Conference Australia (KCA), which will be held in Brisbane in July.

The agenda has just been published, and it certainly looks to be an interesting few days, with a keynote from Jeff Bonwick and Bill Moore, as well as talks by Sherry Moore, Henning Brauer, and Stewart Smith.

I’ll be giving an overview of the security features of the Linux kernel, which have evolved somewhat over the years, without much in the way of documentation. KCA requires a paper (or slides with speaker notes), so I hope to be able to use this opportunity to document the current state of Linux kernel security.

Here’s an excerpt from the abstract I submitted:

The Linux kernel has been extended significantly beyond the traditional Unix security model, incorporating new access control models, cryptographic protection, network packet filtering, credentials management, integrity measurement, privileges (“capabilities”) and memory protection.

The diversity and flexibility of these security components has allowed Linux to meet a very wide range of user security requirements, from the simplest embedded devices through to general user desktops, networked servers, scientific research facilities, financial trading systems, and classified military and government systems.

This talk will provide a technical overview of the main security features of the Linux kernel. We’ll discuss how these features have been developed and made available as standard components of general purpose Linux distributions (often enabled by default), aiming for the broadest possible adoption and benefit to users.

We’ll also look at current developments, such as the effort to add MAC security labeling support to NFSv4, utilizing new hardware security features, and security interoperability with other operating systems.

I’ll also be participating in a security discussion panel.

[Photo: morning on the city beach, by monkeyc.net on flickr]

And suffering the harsh Brisbane winter.

Security Miniconf @ Linux Plumbers 2009

The Call for Proposals for the 2009 Linux Plumbers Conference has been posted. This year, there’ll be a Security Microconference with Paul Moore and myself as the runners.

If you’d like to submit a proposal (or simply attend), please see the initial LWN discussion to see what kind of issues might be up for discussion. These are just starter topics, so also feel free to propose anything else which might be of interest to people involved in security and the Linux ecosystem.

There’s a lot going on in security, and LPC (along with the co-hosted LinuxCon) seems like a good opportunity for Linux security folk to get together.

Congratulations Pia Waugh

People who don’t follow Australian and/or LinuxChix blog aggregators may have missed Pia Waugh’s announcement yesterday of her new job as an advisor to federal senator Kate Lundy.

I’ve always been impressed with Senator Lundy, who held the record for being the youngest woman from the Labor Party to be elected to parliament, and who seemed to be technically clueful in her previous shadow technology roles. Why she was dropped from the front bench in the new government, and how we ended up with the ploddingly inept Stephen Conroy and his farcical Internet blacklist is something of a mystery to me, but then again, I’m just a simple computer programmer.

Pia is an exceptionally capable person, and also one of those rare truly genuine types. I cannot imagine a more appropriate person for the job. ICT policy in Australia has been a disaster for at least a decade now, and the fact that a senator has been able to recognize and hire someone like Pia as an advisor is cause for real optimism.

Pia will also be breaking ground in Australian politics by maintaining a public presence via her blog and twitter accounts.

Congratulations, Pia!

Security subsystem changes in the 2.6.29 kernel

Here’s an update on some of the main changes to the security subsystem in the 2.6.29 kernel.

Most of the changes for this kernel relate to infrastructure work and maintenance:

  • Task Credentials API
    This is a rewrite of the kernel mechanism for managing per-task credentials. David Howells has been working on this for quite some time, significantly in support of his FS-Cache work, which will provide a generalized local caching mechanism for networked filesystems (AFS, NFS, CIFS etc.). There’s a very nice write-up of the new credentials code at LWN.
  • Pathname hooks for LSM
    Kentaro Takeda of the TOMOYO project submitted this patch via Al Viro, to provide basic support for pathname-based security schemes.
  • Smack support for unlabeled network hosts and networks
    The Smack LSM now allows normal, unlabeled network traffic, although somewhat grudgingly. Paul Moore notes that this is currently buggy for TCP, but that a fix is forthcoming.

There were also numerous smaller bugfixes and enhancements: for further details, see the KernelNewbies summary.

The TOMOYO code will be first to utilize the LSM pathname hooks mentioned above: it’s currently queued for Linus in the 2.6.30 merge window. Also queued for merge is the Integrity Measurement Architecture (IMA) code from IBM.

***

Also, a reminder to people submitting security subsystem patches: please generate them relative to the ‘next’ branch of the security testing tree:

git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

and please CC the LSM list on any security-related discussions. Thanks.

sVirt merged into upstream libvirt

The sVirt code has now been merged into the upstream libvirt repository (git mirror). Thanks to Dan Walsh for taking on the remaining userspace development, and Daniel Berrange and the rest of the libvirt folk involved for reviewing and improving the code.

While we’ll be focusing on the SELinux driver for sVirt, a really useful and cool project for someone interested in security and virtualization would be to develop a SMACK driver.

Locking down your browser plugins in F10

With the recent news of multiple vulnerabilities in Adobe flash and PDF software, folk running Fedora 10 may wish to consider using SELinux to confine browser plugins.

Dan Walsh has previously implemented SELinux lockdown for browser plugins via nspluginwrapper, as discussed here. Unfortunately, this has been disabled by default, due to a clash with the mozplugger package, which uses nspluginwrapper to launch applications inside the browser.

Personally, I’m happy to have OpenOffice or similar open up in a separate window, using the standard Firefox mechanism for doing so, especially if it means I’m able to keep browser plugin confinement enabled.

Here’s what I did:

# yum remove mozplugger
# setsebool -P allow_unconfined_nsplugin_transition=on
# setsebool -P allow_nsplugin_execmem=off
# setsebool -P nsplugin_can_network=off

This of course removes mozplugger, but I don’t seem to need it. When downloading a PDF, for example, Firefox prompts if I want to open it with evince, and provides me with an option to always do that without further prompting. YMMV.

The setsebool commands change several nspluginwrapper options in SELinux, while the -P option ensures that the changes persist across reboots (see setsebool(8)).

Detailed explanation:

  • Enabling allow_unconfined_nsplugin_transition ensures that nspluginwrapper transitions to a new security label when running a plugin, so that special security policy can be applied to it. This is required for any useful effect.
  • Disabling allow_nsplugin_execmem ensures that memory protections are being enforced to prevent plugins from executing code on the stack and in mapped memory.
  • Disabling nsplugin_can_network prevents plugins from connecting to anything other than reserved ports. Apparently, this may upset some flash code which wants to call home (you’d be surprised how much of this goes on, or perhaps not), so you may want to leave this as-is, or at least keep an eye on the messages from setroubleshoot.

Note that if you do run into problems, you can put SELinux into permissive mode rather than disabling it, which will at least provide some useful logging information (and feel free to post questions to the fedora-selinux-list).
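As an added example (not part of the original post), here is a small shell filter that picks out the denials belonging to the confined plugin domain from audit records of the kind setroubleshoot reports, so you can see what the two "off" booleans above are actually blocking (in enforcing mode) or would block (in permissive mode). The AVC lines are constructed samples, and nsplugin_t is assumed to be the domain nspluginwrapper transitions to under this policy.

```shell
#!/bin/sh
# Constructed sample AVC records (not captured from a real system), shaped
# like the audit.log lines that setroubleshoot reads after plugin confinement.
SAMPLE_AVC='type=AVC msg=audit(1234567890.100:101): avc:  denied  { name_connect } for  pid=2101 comm="npviewer.bin" dest=80 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1234567890.200:102): avc:  denied  { execmem } for  pid=2101 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0 tclass=process
type=AVC msg=audit(1234567890.300:103): avc:  denied  { read } for  pid=1500 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1234567890.300:103): arch=c000003e syscall=2 success=no exit=-13'

# nsplugin_denials: read audit lines on stdin and print one
# "<permission> <tclass> <comm>" line per AVC denial whose source domain is
# nsplugin_t (assumed plugin domain). Denials from other domains, and
# non-AVC records, are ignored.
nsplugin_denials() {
    awk '
        /^type=AVC / && / denied / && /scontext=[^ ]*:nsplugin_t:/ {
            perm = ""; tclass = ""; comm = ""
            # the denied permission set sits between "{ " and " }"
            if (match($0, /\{ [^}]* \}/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tclass=/) tclass = substr($i, 8)
                if ($i ~ /^comm=/)   { comm = substr($i, 6); gsub(/"/, "", comm) }
            }
            print perm, tclass, comm
        }'
}

# count_nsplugin_denials: number of nsplugin_t denials in the input.
count_nsplugin_denials() {
    nsplugin_denials | wc -l | tr -d ' '
}

# Run over the constructed sample; on a real Fedora 10 box you would feed it
# /var/log/audit/audit.log instead.
printf '%s\n' "$SAMPLE_AVC" | nsplugin_denials
```

The sample yields a name_connect denial on tcp_socket (the plugin calling home, blocked by nsplugin_can_network=off) and an execmem denial on process (blocked by allow_nsplugin_execmem=off), while the unrelated httpd denial is filtered out.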

Btw, here’s how to configure SELinux for permissive mode:

[Screenshot: SELinux administration in Fedora 10]

System -> Administration -> SELinux Management

[Screenshot: Setting SELinux enforcing mode in Fedora 10]

Set ‘System Default Enforcing Mode’ to ‘Permissive’

And you’re done.

A bugzilla ticket has been opened on the issue of finding a long-term solution which allows both mozplugger and plugin confinement to co-exist, but unfortunately, users currently need to decide whether they prefer increased security or a more Windows-like experience, with the latter as the default.

LCA sVirt talk video online

Some videos from LCA 2009 have been posted online, per this email from Mary Gardiner.

The video from my sVirt (MAC security for Linux virtualization) talk is available as an OGG file. I’ve also re-uploaded it as a Google Video.

I’d suggest having a copy of the slides open when watching, as they’re not always shown in the video, and you’re definitely better off looking at them than me in any case.

LCA was a genuinely enjoyable conference: laid-back and really well organized, with a good balance of talks. One really great aspect was the way internet access was provided to the accommodation, which, at least in my case, worked perfectly, with a microwave link from UTAS connected to the hotel’s internal wiring. I often need to work during conferences, and having good network access is probably my top priority in selecting accommodation.

I was glad to be part of the security miniconf organized by Casey Schaufler, which brought together folk from the kernel security community and various highly technical folk. There were talks from several leading security developers, including Casey (fs capabilities and rootless systems), Russell Coker (standing in for Kaigai Kohei on SE-postgresql and web application MAC), and Kentaro Takeda (TOMOYO). The miniconf concluded with an open panel discussion which was covered by LWN. For reasons I can’t quite recall now, I ended up doing an ad-hoc presentation on Fedora Kiosk Mode, which I think helped demonstrate some of the progress SELinux has made in terms of usability and extension to general use scenarios.

Also see my flickr photoset, and a short video of one of the exhibitions from the Batteries Not Included art exhibition, which ran as part of the conference.

LCA 2010 will be held in Wellington, New Zealand — here’s an amusing video by the organizers. I hope to make it there.

sVirt slides from LCA

The slides from my LCA talk on sVirt may be found here in PDF format.

The talk seemed to go reasonably well, and had a larger audience than I expected given that Tridge and Willy were talking at the same time. A video of the talk should appear online soon.