James Morris

This blog has moved

Tue, 07 Jul 2009 05:30:45 GMT

The new location of this blog is:

>> > >> http://blog.namei.org/ << < <<

Please update your bookmark or RSS feed.

I will no longer be updating here at LiveJournal.

All my talk slides are now on Slideshare

Wed, 01 Jul 2009 03:58:58 GMT

I've uploaded the slides from essentially all of the talks I've given to Slideshare. This is likely more useful than my previous strategy of dumping them in a directory and leaving the rest up to search engine bots.

Click here for the full list of slides. They are all published under the Creative Commons attribution share-alike license.

One interesting slide title, which I'd forgotten about, is Kernel Security for 2.8, from the 2004 Kernel Summit. This was from when we were still expecting a 2.7 development kernel leading to a 2.8 stable kernel -- I think Linus announced the change in development model at that summit.

Included in this set of slides are several introductory and deeper technical overviews of SELinux; I hope they are useful for people who are looking for information for themselves, or if making their own slides. As the license suggests, please feel free to copy and extend them (but note that the older ones are going to be more out of date).

SELinux for Humans

Mon, 29 Jun 2009 16:02:59 GMT

I mean, SLUGs...

Paul Wayper gave a couple of talks on SELinux at this weeks' SLUG meeting, and includes links to a couple of very useful slide decks:

SELinux for Everyday Users

SELinux for SysAdmins

The sysadmin slides look particularly useful, as they focus on solving common issues such as running FTP/SAMBA/Apache servers, and provide some very useful general tips, such as looking in the audit log and using policy booleans for high-level policy tweaking.

These slides may be the best, short introduction for sysadmins on the topic that I've seen. It's a difficult thing to get right.

Security subsystem changes in the 2.6.30 kernel

Fri, 26 Jun 2009 06:35:40 GMT

Here's an update on the major changes to the kernel security subsystem for the 2.6.30 kernel.

TOMOYO
The TOMOYO security framework from NTT was merged. This is the first significant LSM scheme to be merged since SELinux in 2003. TOMOYO is characterized by its targeting of non-technical users, where security policy is automatically generated with a "learning mode" tool. This scheme utilizes pathnames for determining access to filesystem objects. Another interesting feature is that a domain, i.e. an active subject which acts on objects, is defined as a history of process invocations, rather than a single process. This allows policy to be applied to a particular branch of processes in the system. For example, an access permitted for init->httpd->perl may not be permitted for init->httpd->bash. Sample policy may be found here.

IMA
IBM's Integrity Measurement Architecture was also merged. This uses the TPM to verify and store cryptographic checksums of files used by the system, i.e. measurement. If a measured file has been modified on disk, this will be detected and stored permanently in the TPM. The aim is to help detect attacks based on modifying files—such as executable binaries or configuration files—although it cannot detect runtime attacks, and requires checksums to be known in advance for the full system startup chain. Files to be measured may be specified in a policy loadable via securityfs.

Remove Old SELinux Network Controls
The original SELinux network controls were deprecated by the iptables-based Secmark system several years ago, although they remained available via the compat_net option for the likely few people who were using them. The old code has now been removed entirely, and users should transition to Secmark: Paul Moore has written a detailed guide for this.

The remaining changes were primarily bugfixes and enhancements across most parts of the security subsystem, including SELinux, SMACK, and keys.

Paul and I are finalizing the schedule for the security microconf at the upcoming Linux Plumbers Conference. It's looking like a great line-up at this stage—stay tuned for more details soon.

SELinux Developer Summit: CfP closes 1st July (1 week)

Wed, 24 Jun 2009 02:21:15 GMT

Just a reminder for SELinux developers and anyone interested in the internals of SELinux that the SELinux Developer Summit CfP closes on July 1st, which is about a week away.

Details of the CfP are here. Don't forget to join the event mailing list if you're attending.

Proposals for presentations, lightning talks, and development sessions should be submitted via email per the instructions in the CfP. Proposals do not need to be especially detailed: if you have a good idea, simply send it in.

For reading this, you are rewarded with a mystery object (pictured above). See if you can figure out what it is before clicking on it and reading the comments @ flickr.

Classic Unix Design Principles

Tue, 16 Jun 2009 04:49:20 GMT

In the process of preparing my talk for KCA, I re-read the classic paper: The UNIX Time-Sharing System by Ritchie & Thompson. This paper was revised several times between 1973 and 1978, and the authors' observations are well worth remembering:

Perhaps paradoxically, the success of the Unix system is largely due to the fact that it was not designed to meet any predefined objectives. The first version was written when one of us (Thompson), dissatisfied with the available computer facilities, discovered a little-used PDP-7 and set out to create a more hospitable environment [...] We have not been faced with the need to satisfy someone else's requirements, and for this freedom we are grateful.

Three considerations that influenced the design of Unix are visible in retrospect.

First: because we are programmers, we naturally designed the system to make it easy to write, test, and run programs. The most important expression of our desire for programming convenience was that the system was arranged for interactive use, even though the original version only supported one user. We believe that a properly designed interactive system is much more productive and satisfying to use than a ``batch'' system. Moreover, such a system is rather easily adaptable to noninteractive use, while the converse is not true.

Second: there have always been fairly severe size constraints on the system and its software. Given the partially antagonistic desires for reasonable efficiency and expressive power, the size constraint has encouraged not only economy, but also a certain elegance of design. This may be a thinly disguised version of the ``salvation through suffering'' philosophy, but in our case it worked.

Third: nearly from the start, the system was able to, and did, maintain itself. This fact is more important than it might seem. If designers of a system are forced to use that system, they quickly become aware of its functional and superficial deficiencies and are strongly motivated to correct them before it is too late. Because all source programs were always available and easily modified on-line, we were willing to revise and rewrite the system and its software when new ideas were invented, discovered, or suggested by others.

It's clear that the success of Linux (and FOSS more generally), is underpinned by these principles. These principles are not merely about technology; they're a way of thinking about technology and the people who create and use it.

Fedora 11 with sVirt

Tue, 09 Jun 2009 16:23:52 GMT

sVirt (MAC security for Linux Virtualization), which I've previously discussed here, and formally presented at LCA in January, was released today as an integral part of virtualization in Fedora 11.

If you'd like to give it a spin, simply download and install Fedora and use the GUI admin tools to create a new virtual machine.

Thanks again to Dan Walsh, Dan Berrange and all the developers who helped with input and the heavy lifting work of completing the userland code. It still amazes me how fast things move in FOSS.

As mentioned in my last+1 post, Dan W will be talking on this topic at the upcoming LinuxCon.

Further developments in this area are already underway, and you can expect to hear about them in the coming months—see the talk slides for possible hints.

SELinux Sandbox and Ambient Authority

Fri, 29 May 2009 05:14:08 GMT

Dan Walsh recently introduced SELinux sandbox. This is a mechanism for launching untrusted applications from the command line, which uses a strict MAC policy to isolate the executed application from the rest of the system. There's been a good discussion of the topic LWN, and I thought it might be worth highlighting a few points.

Firstly, this sandboxing scheme is not a separate package. It's an addition to the standard SELinux security policy to define the sandboxed domain (sandbox_t) coupled with a script to set up the environment and launch applications in the sandboxed domain.

The idea for this came out of a few emails following a recent discussion about extending seccomp for more generalized sandboxing. Essentially, the question was asked "what can we do with SELinux and simple sandboxing?", and the result is now available in Fedora development. If you update to the latest policycoreutils and selinux-policy packages, it should simply be there ready to go.

The security policy for the sandbox_t domain is designed to provide the sandboxed application with only the absolute minimum set of permissions required to run. It can load shared libraries, for example, although a future refinement could provide an option to run only static binaries. It cannot interact in an ad-hoc manner with the rest of the system. A scratch tmpfs filesystem may be optionally mounted for the application if required, and unique MCS labels are used to separate sandboxes from each other. Another future refinement will likely include launching sandboxes in private namespaces.


# sandbox id -Z
unconfined_u:unconfined_r:sandbox_t:s0:c226,c674

The above shows how the id command launched via the new sandbox utility is running in the sandbox_t domain, with MCS categories c226 and c674. The values of these don't matter, as long as they're unique on the system.

As root (and note that this is not designed to be run as root, but for demonstration purposes it helps to show the confinement of privileges if they exist), you can't do anything special via sandbox:

# sandbox cat /etc/shadow
/bin/cat: /etc/shadow: Permission denied

# sandbox touch /tmp/moo.txt
/bin/touch: cannot touch `/tmp/moo.txt': Permission denied

In fact, you can't open any files on the global system.

Ambient authority describes the form of authority commonly seen in general purpose operating systems. This form of authority is what allows, for example, a user on a Linux system to open any file for which she has read access, whether she needs to open the file or not. It is seen as problematic in establishing strong security, due to problems such as The Confused Deputy, where authority (i.e. the ability to perform an action) is arbitrarily escalated throughout the system.

(For a particularly clear explanation of these concepts, they are covered in the first ten minutes of this talk by David Wagner).

When an application is launched via sandbox, with no inessential permissions, as much ambient authority as is possible has been removed by SELinux MAC. Instead, authority is explicitly provided to the sandboxed application via a pipe file descriptor handed to it via the launching process (i.e. the standard Unix scheme of constructing pipelines).

Note carefully the difference between these two commands:


# wc -l /etc/shadow
43 /etc/shadow

and


# cat /etc/shadow | wc -l
43

In the first example, the wc application directly opened the file /etc/shadow for reading. It used ambient authority to do this.

In the second example, wc was handed a file descriptor which was already opened by the calling process, and did not require any ambient authority to read the data in the file: the authority was explicitly tied to the file by the caller, and wc was entirely unaware of which file it was reading. wc in this case does not need any permissions except to access the file descriptor passed by the caller. (It still has ambient authority, however, it just didn't need to use it here).

Running the above with SELinux sandboxing in effect:


# sandbox wc -l /etc/shadow
/usr/bin/wc: /etc/shadow: Permission denied

and


# cat /etc/shadow | sandbox wc -l
43

Note that wc now has no authority now except as invoked by the calling process and passed via the sandbox. In other words, it does not have ambient authority when invoked via the sandbox.

This is a very simple and powerful concept for security purposes, as it is possible to define strict information flows between applications in a dynamic and controlled manner, without the need for additional global security policy. It's inherently Unix-y, too.

There are many potential applications of this form of sandboxing, particularly where you need to process information between different security realms (e.g. incoming mail which needs to be passed through a chain of scanning and filtering applications), and for dealing with large and complicated applications processing arbitrary untrusted data.

Keep an eye on Dan's blog for upcoming work on desktop security with SELinux sandboxing.

Linux Security Events in Portland

Thu, 28 May 2009 22:41:58 GMT

Several Linux security events are planned in association with LinuxCon this year in Portland, Oregon.

2009 SELinux Developer Summit
The CFP for this event has just been published. The developer summit will be held on the 20th of September as an ancillary event of LinuxCon. This is a one-day event, and developers are encouraged to submit proposals around the primary topics of extensibility and usability. We're hoping to have a flexible format this year, perhaps with half a day of talks and then half a day of hack sessions. Note that all attendees need to be registered for LinuxCon, and that earlybird registration ends this Monday, June 1st. Also, please subscribe to the event mailing list if you're planning to attend, so we can estimate numbers. More details are available at the summit web page.

Security Microconf
A security microconf will be held at the co-located Plumbers Conference. The Call for Topics ends on June 15th, and anyone doing interesting work in Linux security should consider submitting a proposal. Also see the LWN topic discussion and Paul McKenney's recent blog entry on the event.

LinuxCon Talks
There are several security-related talks at LinuxCon itself:
I'll be giving a LinuxCon talk on adding extended attributes support to NFSv3, presenting a prototype implementation (based on the GPL IRIX code) for discussion. xattrs are a very common feature in Unix and Linux filesystems, but there is no standard for them, nor for conveying them over NFS. NFSv4 supports "named attributes", although this is based on the Solaris extended attribute scheme (subfiles), and somewhat incompatible the simple name/value string-based xattrs supported by Linux, BSD, IRIX etc. It would be nice to have Linux-style xattrs supported in NFSv3, with the current work then potentially forming the basis for a future NFSv4 protocol extension. If you're interested in this stuff, please consider attending and helping with the discussion.

SELinux Developer Summit 2009 - date set

Tue, 26 May 2009 21:56:43 GMT

The date for the 2009 SELinux Developer Summit has been set for Sunday 20th September, and it will be held as an ancillary event of LinuxCon in Portland.

This is a pre-announcement so that people who are thinking of attending LinuxCon and/or Plumbers Conference can take advantage of the first level of early registration for LinuxCon, which ends June 1st (this Monday).

A full announcement for the SELinux developer summit with a CfP will follow shortly.

p.s. I maintain an Identica (an open Twitter-like service) account for more regular and briefer notes: http://identi.ca/jamesm . You can subscribe via RSS or simply get an account like all the cool kids.

RIP Anthony Rumble

Fri, 15 May 2009 05:24:13 GMT

I was shocked today to read of the passing of Anthony Rumble, a true pioneer of Linux, the Internet, and electronic commerce in Australia.

I first met him at an APANA BBQ in 1994, where he handed me my first Linux distribution: Slackware 1.1.2, with the trusty 0.99pl15 kernel.

I subsequently worked with Anthony on the NetXpress project, which he designed, and which was one of the first significant deployments of Linux in a mission critical role in Australia. His work went a long way to proving the capability and viability of Linux for larger businesses—something which is taken for granted today, but certainly was not at the time. And without his efforts to provide public access Internet in Australia in the early 1990s, I likely would have not even used the Internet until several years later when commercial ISPs started offering retail access. I suspect there are many today in the Linux and Internet communities who were similarly influenced and assisted by Anthony.

While I had not seen Anthony for some time, we were good friends and this is very sad news.

Kernel Conference Australia

Tue, 12 May 2009 03:55:59 GMT

I've had a talk accepted at the upcoming Kernel Conference Australia (KCA), which will be held in Brisbane in July.

The agenda has just been published, and it certainly looks to be an interesting few days, with a keynote from Jeff Bonwick and Bill Moore, as well as talks by Sherry Moore, Henning Brauer, and Stewart Smith.

I'll be giving an overview of the security features of the Linux kernel, which have evolved somewhat over the years, without much in the way of documentation. KCA requires a paper (or slides with speaker notes), so I hope to be able to use this opportunity to document the current state of Linux kernel security.

Here's an excerpt from the abstract I submitted:

The Linux kernel has been extended significantly beyond the traditional Unix security model, incorporating new access control models, cryptographic protection, network packet filtering, credentials management, integrity measurement, privileges ("capabilities") and memory protection.

The diversity and flexibility of these security components has allowed Linux to meet a very wide range of user security requirements, from the simplest embedded devices through to general user desktops, networked servers, scientific research facilities, financial trading systems, and classified military and government systems.

This talk will provide a technical overview of the main security features of the Linux kernel. We'll discuss how these features have been developed and made available as standard components of general purpose Linux distributions (often enabled by default), aiming for the broadest possible adoption and benefit to users.

We'll also look at current developments, such as the effort to add MAC security labeling support to NFSv4, utilizing new hardware security features, and security interoperability with other operating systems.

I'll also be participating in a security discussion panel.

And suffering the harsh Brisbane winter.

Security Miniconf @ Linux Plumbers 2009

Thu, 16 Apr 2009 12:17:43 GMT

The Call for Proposals for the 2009 Linux Plumbers Conference has been posted. This year, there'll be a Security Microconference with Paul Moore and myself as the runners.

If you'd like to submit a proposal (or simply attend), please see the initial LWN discussion to see what kind of issues might be up for discussion. These are just starter topics, so also feel free to propose anything else which might be of interest to people involved in security and the Linux ecosystem.

There's a lot going on in security, and LPC (along with the co-hosted linuxcon) seems like a good opportunity for Linux security folk to get together.

Congratulations Pia Waugh

Wed, 08 Apr 2009 01:35:33 GMT

People who don't follow Australian and/or LinuxChix blog aggregators may have missed Pia Waugh's announcement yesterday of her new job as an advisor to federal senator Kate Lundy.

I've always been impressed with Senator Lundy, who held the record for being the youngest woman from the Labor Party to be elected to parliament, and who seemed to be technically clueful in her previous shadow technology roles. Why she was dropped from the front bench in the new government, and how we ended up with the ploddingly inept Stephen Conroy and his farcical Internet blacklist is something of a mystery to me, but then again, I'm just a simple computer programmer.

Pia is an exceptionally capable person, and also one of those rare truly genuine types. I cannot imagine a more appropriate person for the job. ICT policy in Australia has been a disaster for at least a decade now, and the fact that a senator has been able to recognize and hire someone like Pia as an advisor is cause for real optimism.

Pia will also be breaking ground in Australian politics by maintaining a public presence via her blog and twitter accounts.

Congratulations, Pia!

Security subsystem changes in the 2.6.29 kernel

Thu, 26 Mar 2009 07:14:40 GMT

Here's an update on some of the main changes to the security subsystem in the 2.6.29 kernel.

Most of the changes for this kernel relate to infrastructure work and maintenance:

Task Credentials API
This is a rewrite of the kernel mechanism for managing per-task credentials. David Howells has been working on this for quite some time, significantly in support of his FS-Cache work, which will provide a generalized local caching mechanism for networked filesystems (AFS, NFS, CIFS etc.). There's a very nice write-up of the new credentials code at LWN.

Pathname hooks for LSM
Kentaro Takeda of the TOMOYO project submitted this patch via Al Viro, to provide basic support for pathname-based security schemes.

Smack support for unlabeled network hosts and networks
The Smack LSM now allows normal, unlabeled network traffic, although somewhat grudgingly. Paul Moore notes that this is currently buggy for TCP, but that a fix is forthcoming.

There were also numerous smaller bugfixes and enhancements: for further details, see the KernelNewbies summary.

The TOMOYO code will be first to utilize the LSM pathname hooks mentioned above: it's currently queued for Linus in the 2.6.30 merge window. Also queued for merge is the Integrity Measurement Architecture (IMA) code from IBM.

***

Also, a reminder to people submitting security subsystem patches: please generate them relative to the 'next' branch of the security testing tree:

git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

and please CC' the LSM list on any security-related discussions. Thanks.

New Australian Kernel Conference

Wed, 11 Mar 2009 14:28:44 GMT

I just noticed that there's a new conference for open source kernel developers and researchers, Kernel Conference Australia (KCA). It'll be held at UQ in Brisbane in July, and the CfP closes on May 1st.

Linux currently looks a little under-represented, so let's try and fix that :-)

sVirt merged into upstream libvirt

Tue, 03 Mar 2009 23:04:42 GMT

The sVirt code has now been merged into the upstream libvirt repository (git mirror). Thanks to Dan Walsh for taking on the remaining userspace development, and Daniel Berrange and the rest of the libvirt folk involved for reviewing and improving the code.

While we'll be focusing on the SELinux driver for sVirt, a really useful and cool project for someone interested in security and virtualization would be to develop a SMACK driver.

Locking down your browser plugins in F10

Fri, 27 Feb 2009 00:10:56 GMT

With the recent news of multiple vulnerabilities in Adobe flash and PDF software, folk running Fedora 10 may wish to consider using SELinux to confine browser plugins.

Dan Walsh has previously implemented SELinux lockdown for browser plugins via nspluginwrapper, as discussed here. Unfortunately, this has been disabled by default, due to a clash with the mozplugger package, which uses nspluginwrapper to launch applications inside the browser.

Personally, I'm happy to have OpenOffice or similar open up in a separate window, using the standard Firefox mechanism for doing so, especially if it means I'm able to keep browser plugin confinement enabled.

Here's what I did:


# yum remove mozplugger

# setsebool -P allow_unconfined_nsplugin_transition=on 

# setsebool -P allow_nsplugin_execmem=off

# setsebool -P nsplugin_can_network=off

This of course removes mozplugger, but I don't seem to need it. When downloading a PDF, for example, Firefox prompts if I want to open it with evince, and provides me with an option to always do that without further prompting. YMMV.

The setsebool commands change several nspluginwrapper options in SELinux, while the -P option ensures that the changes persist across reboots (see setsebool(8)).

Detailed explanation:

Enabling allow_unconfined_nsplugin_transition ensures that nspluginwrapper transitions to a new security label when running a plugin, so that special security policy can be applied to it. This is required for any useful effect.

Disabling allow_nsplugin_execmem ensures that memory protections are being enforced to prevent plugins from executing code on the stack and in mapped memory.

Disabling nsplugin_can_network prevents plugins from connecting to anything other than reserved ports. Apparently, this may upset some flash code which wants to call home (you'd be surprised how much of this goes on, or perhaps not), so you may want to leave this as-is, or at least keep an eye on the messages from setroubleshoot.

Note that if you do run into problems, you can put SELinux into permissive mode rather than disabling it, which will at least provide some useful logging information (and feel free to post questions to the fedora-selinux-list).

Btw, here's how to configure SELinux for permissive mode:

System -> Administration -> SELinux Management

Set 'System Default Enforcing Mode' to 'Permissive'

And you're done.

A bugzilla ticket has been opened on the issue of finding a long-term solution which allows both mozplugger and plugin confinement to co-exist, but unfortunately, users currently need to decide whether they prefer increased security or a more Windows-like experience, with the latter as the default.

LCA sVirt talk video online

Tue, 24 Feb 2009 11:15:50 GMT

Some videos from LCA 2009 have been posted online, per this email from Mary Gardiner.

The video from my sVirt (MAC security for Linux virtualization) talk is available as an OGG file. I've also re-uploaded it as a google video.

I'd suggest having a copy of the slides open when watching, as they're not always shown in the video, and you're definitely better off looking at them than me in any case.

LCA was a genuinely enjoyable conference: laid-back and really well organized, with a good balance of talks. One really great aspect was the way internet access was provided to the accommodation, which at least in my case, worked perfectly, with a microwave link from UTAS connected to the hotel's internal wiring. I often need to work during conferences, and having good network access is probably my top priority in selecting accommodation.

I was glad to be part of the security miniconf organized by Casey Schaufler, which brought together folk from the kernel security community and various highly technical folk. There were talks from several leading security developers, including Casey (fs capabilities and rootless systems), Russell Coker (standing in for Kaigai Kohei on SE-postgresql and web application MAC), and Kentaro Takeda (TOMOYO). The miniconf concluded with an open panel discussion which was covered by LWN. For reasons I can't quite recall now, I ended up doing an ad-hoc presentation on Fedora Kiosk Mode, which I think helped demonstrate some of the progress SELinux has made in terms of usability and extension to general use scenarios.

Also see my flickr photoset, and a short video of one of the exhibitions from the Batteries Not Included art exhibition, which ran as part of the conference.

LCA 2010 will be held in Wellington, New Zealand -- here's an amusing video by the organizers. I hope to make it there.

sVirt slides from LCA

Fri, 23 Jan 2009 01:02:36 GMT

The slides from my LCA talk on sVirt talk may be found here in PDF format.

The talk seemed to go reasonably well, and had a larger audience than I expected given that Tridge and Willy were talking at the same time. A video of the talk should appear online soon.

MacBook vs. projector saga

Thu, 22 Jan 2009 06:43:28 GMT

I've finally found reliable workarounds for a long-standing issue where my Intel MacBook doesn't work with most projectors.

The error message when trying to use xrandr to force output via VGA looks like:

$ xrandr --output VGA --auto
xrandr: cannot find crtc for output VGA

It seems the driver has a bug where it thinks it has the hardware available to drive the LCD panel, DVI and analogue VGA outputs at the same time, when it can in fact only handle two of these. xrandr shows three displays enabled:

Screen 0: minimum 320 x 200, current 1024 x 768, maximum 1280 x 1280
VGA connected (normal left inverted right x axis y axis)
   1024x768       60.0  
   800x600        60.3  
   640x480        59.9  
LVDS connected 1024x768+0+0 (normal left inverted right x axis y axis) 286mm x 179mm
   1280x800       59.9 +
   1024x768       60.0* 
   800x600        60.3
   640x480        59.9  
TMDS-1 connected 1024x768+0+0 (normal left inverted right x axis y axis) 0mm x 0mm
   1024x768       60.0* 
   800x600        60.3  
   640x480        59.9  
TV disconnected (normal left inverted right x axis y axis)

I'm guessing this might have something to do with both analogue and digital signals being sent out the same connector. In any case, the fix is to disable 'TMDS-1'.

This can be done during an active session:

$ xrandr --output TMDS-1 --off

$ xrandr --output VGA --auto

The X server can also be configured to disable 'TMDS-1' during startup. On F10, you need to first create an xorg.conf. I ended up doing this:

# yum install system-config-display

# system-config-display

and just quit, which seems to cause /etc/X11/xorg.conf to be generated.

I edited the file, adding the "Option" line to the "Device" section:

Section "Device"
	Identifier  "Videocard0"
	Driver      "intel"
	Option      "monitor-TMDS-1" "dvi"
EndSection

then, I added this section:

Section "Monitor"
        Identifier "dvi"
        Option "Disable"  "true"
EndSection

which all seems to work ok for me and is about as obvious as quantum supergravity.

LCA has been great fun so far -- more later.

LCA next week & introduction to sVirt

Mon, 12 Jan 2009 23:53:31 GMT

I'm preparing to travel to Hobart for LCA next week, which will be a refreshing break from the 40° heat in Sydney, and from conference jet lag—this will my first same-timezone conference in a couple of years, and the closest I've ever been to Antarctica.

I'll be giving a talk on sVirt, a project to harden Linux-based virtualization with MAC security. From the abstract:

With increased use of virtualization, one security benefit of physically separated systems -- strong isolation -- is reduced, an issue which may be ameliorated with the application of MAC security (e.g. SELinux, SMACK) in the host system.

For example, a flaw in the hypervisor or errant misconfiguration of the host may allow a virtualized guest OS to "break out" into the host environment and compromise other guests. By applying MAC security to virtual machine instances at the host level, such threats may be mitigated through strong isolation and containment of guests.

If you think hypervisor flaws are merely some kind of theoretical threat, you're dreaming. A large number of folk seem to be entirely unware of virtualization security issues, according to Joe Hernick of Network Computing:

To find out how prepared our readers are, we fielded a survey—and got some eye-popping results. We can't help thinking that the 43% saying they feel virtualized machines are just as safe and secure as traditional environments are whistling past the graveyard. Of the 384 IT operations and security professionals responding, a mere 11% have put formal strategies in place to protect their VMs.

Hyperbole aside, people who are deploying virtualized systems definitely need to start thinking about this stuff.

The sVirt project is currently in initial development, with the aim of making a v1.0 release shipping this year in Fedora. A key feature of the initial release will providing simple MAC isolation of KVM domains, so virtualized systems can't attack each other or the host system.

While Dan Walsh gave an ad-hoc talk on the subject last week at Fudcon in Boston, and I gave an ad-hoc lightning talk at Foss.my, this will be the first planned presentation properly outlining the goals, architecture and implementation strategy; and how this is part of extending flexible MAC security across every level of the modern application stack from the local OS to the globally distributed environment (cloud, grid et al). There's no shortage of interesting and bizarrely difficult problems to solve in this area. Or buzzwords.

LCA looks to be a fun conference this year, if not perhaps a little subdued due to the economic crisis (and hopefully nothing to do with Tasmania being the world's leading producer of pharmaceutical opiates).

I expect to be attending the Linux Kernel and Security miniconfs.

Talks I hope to see include:

AIO: Why is this so hard? (Zach Brown)

Using a Malicious User-Level RCU to Torture RCU-Based Algorithms (Paul McKenney)

Geek my Ride (Jon Oxer and Jared Herbohn)

The organizers have just announced mystery prizes for folk registering in the final week, so if you're yet to decide whether to attend, there's some more encouragement.

Frankly, with the current economic situation, I would consider attending a top-notch FOSS conference like this a priority in terms of useful things to do to bolster your career.

Kernel Security Wiki

Wed, 07 Jan 2009 09:37:42 GMT

This is to announce a kernel security subsystem wiki, supported by the kind folk at kernel.org. It's intended for use by community developers and users of kernel security projects. So far, there are sections on working with the security-testing git repo, a listing of various kernel security projects, and an events page. If there's something you'd like to see or change on the wiki (particularly if it relates to your own project), create an account and make it so.

Note that this wiki is not related to security response: the security incident contact for the kernel per the MAINTAINERS file is security @ kernel.org.

Security changes in the 2.6.28 kernel

Tue, 06 Jan 2009 11:11:59 GMT

Version 2.6.28 of the Linux kernel was released during Christmas, so I thought it'd be worthwhile waiting until after typical vacation days to post a summary of changes to the security subsystem. As always, thanks to the Kernel Newbies folk who track major kernel changes.

Dummy SELinux policy support
Serge Hallyn added a dummy policy for SELinux to the kernel tree. This is useful for testing SELinux and a base for building minimal and experimental security policies.

Bouned per-thread security contexts for SELinux
KaiGai Kohei submitted a patch which allows different threads in a process to be labeled with distinct security contexts. Such threads are guaranteed to not exceed the security policy permissions of the parent process. This is part of his work in extending SELinux to the web application stack, and in this case, is aimed at constraining in-process web server scripts (e.g. mod_python applications).

Labeled networking updates
Paul Moore provided a series of updates to the Labeled networking subsystem, which he promises to document on his blog.

MAC policy for privilege in Smack
Casey Schaufler extended Smack so that MAC policy may be used to limit the use of privilege. Previously, the Smack model maintained strict orthogonality between privilege and access control, where privileged processes were exempted from MAC policy enforcement. This feature allows for MAC policy enforcement of processes running with specific security label (as written to /smack/onlycap), or for all processes if the onlycap label is specified as '*'.

TPM updates
Rajiv Andrade provided several updates for the TPM driver.

This was not a terribly exciting release for the security subsystem.

Thus far for the 2.6.29 kernel, the main change is the massive credentials API change from David Howells. This has caused a couple of regressions, which were picked up by subsystem testing of Linus' tree. Fixes have been developed and are currently partially merged upstream. It seems we need to get more testing done in linux-next to avoid such breakage during future merge windows.

Also noteworthy is the merge of the pathname security hooks for LSM, which should pave the way for TOMOYO and AppArmor in 2.6.30, subject to the general patch submission review process. TOMOYO is only a couple of acks from approval, has been baking in -mm, and is pretty much self-contained. It may even appear in 2.6.29 if the merge window is open for features long enough.

Track the security-testing git tree via identica

Fri, 19 Dec 2008 03:21:28 GMT

If you're interested in tracking commits to the security testing tree, you can now do so via identica.

Commits to the master git repo are sent via gregkh's bti, using the following script as the $repo/hooks/post-receive hook:


#!/bin/bash

read oldrev newrev refname

short_refname=${refname##refs/heads/}

/usr/bin/git rev-list $oldrev...$newrev --no-merges --pretty=format:"%h|%ae|%s" --abbrev-commit | grep -v ^commit |
while read a; do
        echo "$short_refname|$a" | cut -f-140 | ~/bin/bti
        sleep 1
done

It may not scale too well, but it's simple. Suggestions for improvement are welcome.

Unrelatedly, here's a short video I took of a long train in Bangalore:

(Higher quality version)