
Kernel: Linux Lockdown and XFS File-System

Filed under
Linux
  • Matthew Garrett: Making hibernation work under Linux Lockdown

    Linux draws a distinction between code running in kernel (kernel space) and applications running in userland (user space). This is enforced at the hardware level - in x86-speak[1], kernel space code runs in ring 0 and user space code runs in ring 3[2]. If you're running in ring 3 and you attempt to touch memory that's only accessible in ring 0, the hardware will raise a fault. No matter how privileged your ring 3 code, you don't get to touch ring 0.

    Kind of. In theory. Traditionally this wasn't well enforced. At the most basic level, since root can load kernel modules, you could just build a kernel module that performed any kernel modifications you wanted and then have root load it. Technically user space code wasn't modifying kernel space code, but the difference was pretty semantic rather than useful. But it got worse - root could also map memory ranges belonging to PCI devices[3], and if the device could perform DMA you could just ask the device to overwrite bits of the kernel[4]. Or root could modify special CPU registers ("Model Specific Registers", or MSRs) that alter CPU behaviour via the /dev/msr interface, and compromise the kernel boundary that way.

    It turns out that there were a number of ways root was effectively equivalent to ring 0, and the boundary was more about reliability (i.e., a process running as root that ends up misbehaving should still only be able to crash itself rather than taking down the kernel with it) than security. After all, if you were root you could just replace the on-disk kernel with a backdoored one and reboot. Going deeper, you could replace the bootloader with one that automatically injected backdoors into a legitimate kernel image. We didn't have any way to prevent this sort of thing, so attempting to harden the root/kernel boundary wasn't especially interesting.
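    The excerpt above lists the user-space doors that make root roughly equivalent to ring 0 (/dev/mem and PCI resources, the msr driver, module loading). The program below is an added example, not code from Garrett's post: it reads the active mode from the lockdown LSM's securityfs node and then probes whether the /dev/mem, /dev/port and msr doors are still open on the running machine. It assumes a kernel built with the lockdown LSM, securityfs mounted at /sys/kernel/security, and (for the last probe) the msr module loaded; the node paths are the standard ones, and only open() is attempted, so nothing is read from or written to physical memory, I/O ports or MSRs.

```c
/* lockdown_probe.c: is the root/ring-0 boundary actually enforced here?
 * Build and run: gcc -Wall -o lockdown_probe lockdown_probe.c && sudo ./lockdown_probe
 * Added example; assumes the lockdown LSM and standard device node paths. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum lockdown_mode { LD_UNKNOWN = -1, LD_NONE = 0, LD_INTEGRITY = 1, LD_CONFIDENTIALITY = 2 };

/* /sys/kernel/security/lockdown reads as e.g. "none [integrity] confidentiality\n";
 * the word in square brackets is the active mode. */
enum lockdown_mode parse_lockdown(const char *s)
{
    const char *lb = strchr(s, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    if (!lb || !rb)
        return LD_UNKNOWN;
    size_t n = (size_t)(rb - lb) - 1;          /* length of the bracketed word */
    if (n == 4 && !strncmp(lb + 1, "none", n))             return LD_NONE;
    if (n == 9 && !strncmp(lb + 1, "integrity", n))        return LD_INTEGRITY;
    if (n == 15 && !strncmp(lb + 1, "confidentiality", n)) return LD_CONFIDENTIALITY;
    return LD_UNKNOWN;
}

enum lockdown_mode read_lockdown(void)
{
    char buf[128];
    int fd = open("/sys/kernel/security/lockdown", O_RDONLY);
    if (fd < 0)
        return LD_UNKNOWN;              /* securityfs not mounted or no lockdown LSM */
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return LD_UNKNOWN;
    buf[n] = '\0';
    return parse_lockdown(buf);
}

/* Open a device node the kernel gates on lockdown and close it again.
 * open() alone shows whether the door is shut; we never read or write through it.
 * Returns 0 on success, otherwise the positive errno. */
int probe_open(const char *path, int flags)
{
    int fd = open(path, flags);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Interpret a probe. An unprivileged caller gets EACCES from the node's mode bits
 * or EPERM from the CAP_SYS_RAWIO check, so only a privileged EPERM tells us the
 * lockdown LSM refused; 0 means root can reach the door exactly as the post says. */
const char *describe_probe(int err, int privileged)
{
    if (err == 0)                       return "open: root can reach this from user space";
    if (err == ENOENT)                  return "absent: driver not built or node not created";
    if (err == EPERM && privileged)     return "refused: lockdown is enforcing here";
    if (err == EACCES || err == EPERM)  return "denied: rerun as root to learn anything";
    return "other error";
}

int main(void)
{
    int privileged = geteuid() == 0;    /* approximation of holding CAP_SYS_RAWIO */
    enum lockdown_mode m = read_lockdown();
    printf("lockdown mode: %d (0 none, 1 integrity, 2 confidentiality, -1 unknown)\n", m);

    /* Physical memory and I/O port access: open() itself is checked against lockdown. */
    int e = probe_open("/dev/mem", O_RDWR);
    printf("/dev/mem        -> %s\n", describe_probe(e, privileged));
    e = probe_open("/dev/port", O_RDWR);
    printf("/dev/port       -> %s\n", describe_probe(e, privileged));

    /* The msr driver still lets root read MSRs under lockdown; only writes and the
     * wrmsr ioctl are refused, so an open-for-read probe is expected to stay open. */
    e = probe_open("/dev/cpu/0/msr", O_RDONLY);
    printf("/dev/cpu/0/msr  -> %s (read side only)\n", describe_probe(e, privileged));
    return 0;
}
```

    On a kernel with lockdown in integrity mode the first two probes report "refused" for root, which is the point of the post: the module, DMA and MSR-write paths that used to make root equivalent to ring 0 are closed, and that is what breaks hibernation. A result of "open" on a machine you expected to be locked down means root can still reach physical memory from user space and the boundary is the old reliability-only one.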

  • XFS File-System With Linux 5.12 Has "A Lot Going On This Time" - Phoronix

    XFS maintainer Darrick Wong characterized the file-system driver changes for Linux 5.12 as "a lot going on this time, which seems about right for this drama-filled year."

    On the feature front for Linux 5.12, this mature file-system has seen work to speed up freezing when read-only workloads are still running, refactoring to the logging code, faster fsync and garbage collection scans, and continued work towards being able to support shrinking XFS file-systems.

