Wednesday, 13 Nov 19 - Tux Machines is a community-driven public service/news site which has been around for over a decade and a half and primarily focuses on GNU/Linux.
Kernel Articles at LWN (Paywall Just Expired)

Filed under
Linux
  • Filesystem sandboxing with eBPF

    Bijlani is focused on a specific type of sandbox: a filesystem sandbox. The idea is to restrict access to sensitive data when running these untrusted programs. The rules would need to be dynamic as the restrictions might need to change based on the program being run. Some examples he gave were to restrict access to the ~/.ssh/id_rsa* files or to only allow access to files of a specific type (e.g. only *.pdf for a PDF reader).

    He went through some of the existing solutions to show why they did not solve his problem, comparing them on five attributes: allowing dynamic policies, usable by unprivileged users, providing fine-grained control, meeting the security needs for running untrusted code, and avoiding excessive performance overhead. Unix discretionary access control (DAC)—file permissions, essentially—is available to unprivileged users, but fails most of the other measures. Most importantly, it does not suffice to keep untrusted code from accessing files owned by the user running the code. SELinux mandatory access control (MAC) does check most of the boxes (as can be seen in the talk slides [PDF]), but is not available to unprivileged users.

    Namespaces (or chroot()) can be used to isolate filesystems and parts of filesystems, but cannot enforce security policies, he said. Using LD_PRELOAD to intercept calls to filesystem operations (e.g. open() or write()) is a way for unprivileged users to enforce dynamic policies, but it can be bypassed fairly easily. System calls can be invoked directly, rather than going through the library calls, or files can be mapped with mmap(), which will allow I/O to the files without making system calls. Similarly, ptrace() can be used, but it suffers from time-of-check-to-time-of-use (TOCTTOU) races, which would allow the security protections to be bypassed.

  • Generalizing address-space isolation

    Linux systems have traditionally run with a single address space that is shared by user and kernel space. That changed with the advent of the Meltdown vulnerability, which forced the merging of kernel page-table isolation (KPTI) at the end of 2017. But, Mike Rapoport said during his 2019 Open Source Summit Europe talk, that may not be the end of the story for address-space isolation. There is a good case to be made for increasing the separation of address spaces, but implementing that may require some fundamental changes in how kernel memory management works.

    Currently, Linux systems still use a single address space, at least when they are running in kernel mode. It is efficient and convenient to have everything visible, but there are security benefits to be had from splitting the address space apart. Memory that is not actually mapped is a lot harder for an attacker to get at. The first step in that direction was KPTI. It has performance costs, especially around transitions between user and kernel space, but there was no other option that would address the Meltdown problem. For many, that's all the address-space isolation they would like to see, but that hasn't stopped Rapoport from working to expand its use.

  • Identifying buggy patches with machine learning

    The stable kernel releases are meant to contain as many important fixes as possible; to that end, the stable maintainers have been making use of a machine-learning system to identify patches that should be considered for a stable update. This exercise has had some success but, at the 2019 Open Source Summit Europe, Sasha Levin asked whether this process could be improved further. Might it be possible for a machine-learning system to identify patches that create bugs and intercept them, so that the fixes never become necessary?

    Any kernel patch that fixes a bug, Levin began, should include a tag marking it for the stable updates. Relying on that tag turns out to miss a lot of important fixes, though. About 3-4% of the mainline patch stream was being marked, but the number of patches that should be put into the stable releases is closer to 20% of the total. Rather than try to get developers to mark more patches, he developed his machine-learning system to identify fixes in the mainline patch stream automatically and queue them for manual review.

    This system uses a number of heuristics, he said. If the changelog contains language like "fixes" or "causes a panic", it's likely to be an important fix. Shorter patches tend to be candidates.

  • Next steps for kernel workflow improvement

    The kernel project's email-based development process is well established and has some strong defenders, but it is also showing its age. At the 2019 Kernel Maintainers Summit, it became clear that the kernel's processes are much in need of updating, and that the maintainers are beginning to understand that. It is one thing, though, to establish goals for an improved process; it is another to actually implement that process and convince developers to use it. At the 2019 Open Source Summit Europe, a group of 20 or so maintainers and developers met in the corner of a noisy exhibition hall to try to work out what some of the first steps in that direction might be.

    The meeting was organized and led by Konstantin Ryabitsev, who is in charge of kernel.org (among other responsibilities) at the Linux Foundation (LF). Developing the kernel by emailing patches is suboptimal, he said, especially when it comes to dovetailing with continuous-integration (CI) processes, but it still works well for many kernel developers. Any new processes will have to coexist with the old, or they will not be adopted. There are, it seems, some resources at the LF that can be directed toward improving the kernel's development processes, especially if it is clear that this work is something that the community wants.

Server Leftovers

Filed under
Server
  • Knative at 1: New Changes, New Opportunities

    This summer marked the one-year anniversary of Knative, an open-source project that provides the fundamental building blocks for serverless workloads in Kubernetes. In its relatively short life (so far), Knative is already delivering on its promise to boost organizations’ ability to leverage serverless and FaaS (functions as a service).

    Knative isn’t the only serverless offering for Kubernetes, but it has become a de-facto standard because it arguably has a richer set of features and can be integrated more smoothly than the competition. And the Knative project continues to evolve to address businesses’ changing needs. In the last year alone, the platform has seen many improvements, giving organizations looking to expand their use of Kubernetes through serverless new choices, new considerations and new opportunities.

  • Redis Labs Leverages Kubernetes to Automate Database Recovery

    Redis Labs today announced it has enhanced the Operator software for deploying its database on Kubernetes clusters to include an automatic cluster recovery that enables customers to manage a stateful service as if it were stateless.

    Announced at Redis Day, the latest version of Kubernetes Operator for Redis Enterprise makes it possible to spin up a new instance of a Redis database in minutes.

    Howard Ting, chief marketing officer for Redis Labs, says as Kubernetes has continued to gain traction, it became apparent that IT organizations need tools to provision Redis Enterprise for Kubernetes clusters. That requirement led Redis Labs to embrace Operator software for Kubernetes developed by CoreOS, which has since been acquired by Red Hat. IT teams can either opt to recover databases manually using Kubernetes Operator or configure the tool to recover databases automatically anytime a database goes offline. In either case, he says, all datasets are loaded and balanced across the cluster without any need for manual workflows.

  • Dare to Transform IT with SUSE Global Services

Audiocasts/Shows: FLOSS Weekly and Linux Headlines

Filed under
Interviews
  • FLOSS Weekly 555: Emissions API

    Emissions API is easy-to-access satellite-based emission data for everyone. The project strives to create an application interface that lowers the barrier to using the data for visualization and/or analysis.

  • 2019-11-13 | Linux Headlines

    It’s time to update your kernel again as yet more Intel security issues come to light, good news for container management and self-hosted collaboration, and Brave is finally ready for production.

Bill Wear, Developer Advocate for MAAS: foo.c

Filed under
OS
Development
Ubuntu

I remember my first foo. It was September, 1974, on a PDP-11/40, in the second-floor lab at the local community college. It was an amazing experience for a fourteen-year-old, admitted at 12 to audit night classes because his dad was a part-time instructor and full-time polymath.

I should warn you, I’m not the genius in the room. I maintained a B average in math and electrical engineering, but A+ averages in English, languages, programming, and organic chemistry (yeah, about that….). The genius was my Dad, the math wizard, the US Navy CIC Officer. More on him in a later blog — he’s relevant to what MAAS does in a big way.

Okay, so I’m more of a language (and logic) guy. But isn’t code where math meets language and logic?

Research Unix

Fifth edition UNIX had just been licensed to educational institutions at no cost, and since this college was situated squarely in the middle of the military-industrial complex, scoring a Hulking Giant was easy. Finding good code to run it? That was another issue, until Bell Labs offered up a freebie.

It was amazing! Getting the computer to do things on its own — via ASM and FORTRAN — was not new to me. What was new was the simplicity of the whole thing. Mathematically, UNIX and C were incredibly complex, incorporating all kinds of network theory and topology and numerical methods that (frankly) haven’t always been my favorite cup of tea. I’m not even sure if Computer Science was a thing yet.

But the amazing part? Here was an OS which took all that complexity and translated it to simple logic: everything is a file; small is beautiful; do one thing well. Didn’t matter that it was cranky and buggy and sometimes dumped your perfectly-okay program in the bit bucket. It was a thrill to be able to do something without having to obsess over the math underneath.

Read more

Also: How to upgrade to Ubuntu 20.04 Daily Builds from Ubuntu 19.10

Intel is Openwashing With 'OpenVINO'

Filed under
Hardware

Desktop GNU/Linux: Ubuntu 20.04, Slackware Live Plasma5 edition ISO and Latest ZDNet Clickbait

Filed under
GNU
Linux

Open Source Firmware updates for the masses! (Part 1)

Filed under
Linux

Thanks to the Linux Vendor Firmware Service it's now much easier to update firmware on Linux. The LVFS supports a huge number of devices, brings its own firmware database, has a nice UI and periodically checks if new firmware updates are available. Hardware vendors can upload their firmware to LVFS, which charges no cost for hosting or distribution.

Read more

Also: Coreboot Support Is Being Worked On For Fwupd/LVFS

GNU: GCC, GNU Assembler and Spring Internships at the FSF

Filed under
GNU
  • AMD GCN OpenMP/OpenACC Offloading Patches For The GCC 10 Compiler

    Over the past year Code Sourcery / Mentor Graphics has been working extensively on the new AMD Radeon "GCN" back-end for the GCC code compiler. The code found in GCC 9 and, up to now, in GCC 10 hasn't supported the OpenMP/OpenACC parallel programming interfaces, but that could soon change with patches under review.

    The Radeon GPU support in GCC up to now hasn't supported OpenMP or OpenACC for offloading to the graphics processor and thus its practicality has been limited.

  • GNU Assembler Patches Sent Out For Optimizing The Intel Jump Conditional Code Erratum

    Now that Intel has lifted its embargo on the "Jump Conditional Code" erratum affecting Skylake through Cascade Lake processors, the patches that Intel's own Clear Linux was first to carry have now been sent out on the Binutils mailing list, with the aim of getting the JCC optimization patches into the upstream Binutils/GAS code-base.

    Well known Intel compiler toolchain expert H.J. Lu sent out the five patches on Tuesday for optimizing around the JCC Erratum. The GNU Assembler (GAS) patches aim to mitigate the performance impact by aligning branches within 32-byte boundaries for various instructions. The behavior is activated via the -mbranches-within-32B-boundaries command line switch.

  • Spring internships at the FSF! Apply by Nov. 29

    Do you believe that free software is crucial to a free society? Do you want to help people learn why free software matters, and how to use it? Do you want to dig deep into software freedom issues like copyleft, Digital Restrictions Management (DRM), or surveillance and encryption? Or, do you want to learn systems administration, design, or other tasks using only free software?

    The Free Software Foundation (FSF) is looking for interns to spend the summer contributing to work in one of three areas: campaigns, licensing, or technical.

    These positions are unpaid, but the FSF will provide any appropriate documentation you might need to receive funding and school credit from outside sources. We also provide lunch expense reimbursement and a monthly transportation pass that will give you free access to local subways and buses (MBTA). We place an emphasis on providing hands-on educational opportunities for interns, in which they work closely with staff mentors on projects that match their skills and interest.

Games: Parkitect Taste of Adventure and CodeWeavers Working on Steam Play

Filed under
Gaming
  • Theme park building sim Parkitect is getting a Taste of Adventure expansion

    Releasing on November 20, Texel Raptor just announced the first big expansion to their incredibly fun theme park building game Parkitect and I couldn't be more excited.

    I remember being completely absorbed by the classic Theme Park from Bullfrog in my youth, and Parkitect has firmly filled the hole it left in my adult life. Parkitect doesn't necessarily need an expansion; it already has everything that makes it a great game. However, I will gladly take this expansion so I can happily play even more of it.

  • CodeWeavers Is Hiring Another Graphics Developer To Help With Wine D3D / Steam Play

    CodeWeavers is looking to hire another developer to work on Wine's graphics stack, and in particular the WineD3D code, with an emphasis on its being part of Valve's Steam Play (Proton) efforts.

  • CodeWeavers are after a Graphics Developer for Steam Play Proton and Wine

    CodeWeavers, the company that helps to support development of Wine and is currently partnered with Valve to help with Steam Play/Proton, has a new Graphics Developer position open.

    This is a completely different position to the one we posted about before, which is a more generalised role. Instead, their new Graphics Developer position would have you working on Wine's Direct3D implementation. Quite a complicated role, involving early DirectDraw up until modern Direct3D 12 in addition to Vulkan and OpenGL.

Removals From Linux 5.4

Filed under
Linux
  • VirtualBox SF Driver Ejected From The Linux 5.4 Kernel

    Merged to the mainline Linux kernel last week was a driver providing VirtualBox guest shared folder support with the driver up to now being out-of-tree but important for sharing files between the host and guest VM(s). While the driver was part of Linux 5.4-rc7, Linus Torvalds decided to delete this driver on Tuesday.

    The VirtualBox Shared Folder (VBOXSF) driver will not be part of the mainline Linux 5.4 kernel. Linus was unhappy that it didn't have the necessary sign-offs, that it was coming late in the cycle, and that it did not appear to meet quality expectations.

  • The Linux Kernel Disabling HPET For Intel Coffee Lake

    Another Intel change being sent off for Linux 5.4, and to be back-ported to current stable series, is the disabling of HPET for Coffee Lake systems.

    Due to bug reports going back at least a half-year and workarounds not panning out, kernel developers have decided to blacklist the High Precision Event Timer (HPET) on Coffee Lake systems.

    Some Coffee Lake systems have a skewed HPET timer when entering the PC10 power state and that in turn marks the time stamp counter (TSC) as unstable.

LibreOffice 6.4 Branched - Beta Release Underway With QR Code Generator, Threading Improvements

Filed under
LibO

As of this morning LibreOffice 6.4 was branched from master and the beta release tagged, with the LO 6.4 Beta binaries expected out shortly.

LibreOffice 6.4 remains on schedule for releasing either at the end of January or first days of February. The LibreOffice 6.4 Beta release is making it on time while this branching also marks the hard feature freeze for the next installment of this open-source cross-platform office suite.

Read more

RipMe Is An Easy To Use Bulk Image Downloader (GUI And CLI)

Filed under
Software

Need to download all images in an online album and don't want to click each image to save it to your computer? Try RipMe, a Java tool with both graphical and command line interfaces, to mass download images from various sources.

RipMe runs on macOS, Linux and Windows, and it can download all images in an album by just entering the album link. It supports popular websites like Imgur, Instagram, Reddit (you can download all the images of a subreddit or all the images submitted by a user), Flickr, Twitter, Tumblr, DeviantArt, and more.

Read more

The Firefox + Chrome Web Browser Performance Impact From Intel's JCC Erratum Microcode Update

Filed under
Graphics/Benchmarks

With yesterday's overview and benchmarks of Intel's Jump Conditional Code Erratum, one of the areas where the performance impact of the updated CPU microcode exceeded Intel's 0~4% guidance was web browser performance. Now, with more time having passed, here are more web browser benchmarks on both Chrome and Firefox comparing the new CPU microcode release for the JCC Erratum with the previous release. Simply moving to this new CPU microcode does represent a significant hit to web browser performance.

This article is just a look at how the updated CPU microcode for the JCC Erratum affects Mozilla Firefox and Google Chrome web browser performance. This article isn't looking at any impact from the also new Zombieload TAA mitigation (that's coming in a separate article shortly) or anything else, but simply benchmarks both of these web browsers with the old and new CPU microcode on a Skylake-X system.

Read more

Security: Scare, Onion and Listening Devices

Filed under
Security
  • Yes, if you install malicious programs, then they will likely do malicious things [Ed: Yes, if you install malicious programs, then they will likely do malicious things]

    The researchers determined that parts of a specific component used by Cobalt in the third stage of an attack are present in PureLocker. It is the JScript loader for the "more_eggs" backdoor, described by security researchers at Morphisec.

    In previous research, IBM X-Force revealed that FIN6, another cybercriminal group targeting financial organizations, also used the "more_eggs" malware kit.

    Most of the code in PureLocker is unique, though. This suggests that the malware is either a new one or an existing threat that has been heavily modified.

  • What is Security Onion? And is it better than a commercial IDS?

    Back in the early oughts, a common complaint about Linux was that while it was free/libre, it came with no support and you had to pay expensive senior sysadmins to run Linux systems. Fast forward to today, and Linux has conquered basically every field except for the desktop market.

    [...]

    Security Onion is looking more and more polished with every year that passes, and it may be worth considering if you've got a deep enough security bench to customize, deploy and maintain Security Onion for your enterprise.

  • Fooling Voice Assistants with Lasers

    Siri, Alexa, and Google Assistant are vulnerable to attacks that use lasers to inject inaudible—and sometimes invisible—commands into the devices and surreptitiously cause them to unlock doors, visit websites, and locate, unlock, and start vehicles, researchers report in a research paper published on Monday. Dubbed Light Commands, the attack works against Facebook Portal and a variety of phones.

    Shining a low-powered laser into these voice-activated systems allows attackers to inject commands of their choice from as far away as 360 feet (110m). Because voice-controlled systems often don’t require users to authenticate themselves, the attack can frequently be carried out without the need of a password or PIN. Even when the systems require authentication for certain actions, it may be feasible to brute force the PIN, since many devices don’t limit the number of guesses a user can make. Among other things, light-based commands can be sent from one building to another and penetrate glass when a vulnerable device is kept near a closed window.

    The attack exploits a vulnerability in microphones that use micro-electro-mechanical systems, or MEMS. The microscopic MEMS components of these microphones unintentionally respond to light as if it were sound. While the researchers tested only Siri, Alexa, Google Assistant, Facebook Portal, and a small number of tablets and phones, the researchers believe all devices that use MEMS microphones are susceptible to Light Commands attacks.

Canonical Donates More Ubuntu Phones to UBports and You Can Get One Right Now

Filed under
Ubuntu

Once again, Canonical decided to donate even more Ubuntu Touch devices to UBports, but this time there's even better news for those interested in contributing to the development of Ubuntu Touch, the mobile OS created by Canonical for Ubuntu Phones, which is now entirely maintained by the UBports Foundation.

This time, UBports decided to donate the Ubuntu Touch devices, which consist of two dozen BQ Aquaris E4 phones, two BQ Aquaris M10 tablets, one Meizu MX4 phone, and several others we can't identify, to any developer interested in joining the Ubuntu Phone movement and contributing to the development of Ubuntu Touch.

Read more

Automation controller switches to Real-time Linux

Filed under
Linux

WAGO has converted to Linux for its second-gen “PFC200” controller. The 1GHz Cortex-A8 device, which has an e!COCKPIT CODESYS V3 runtime in addition to Real-time Linux, offers dual 10/100 Ethernet, a serial port, and connections to the modular WAGO-I/O-System fieldbus modules.

WAGO has switched over to Linux for the second-gen version of its PFC200 Controller for Programmable Logic Controller (PLC) applications, although it continues to offer its e!COCKPIT CODESYS V3 runtime environment and development environment for traditional CODESYS programming. The system is designed to support its modular WAGO-I/O-System of I/O modules, which we were reporting on as early as 2007 back at the old LinuxDevices site in regard to its integration with Kontron’s ThinkIO-Duo computer. WAGO also announced that a similarly Real-time Linux based PFC200 BACnet/IP Controller will arrive in mid-2020.

Read more
