May 26 2009

Introducing SELinux sandbox, confining untrusted binaries

jason

Eric Paris of the SELinux project announced on the LKML today the creation of the SELinux sandbox, a method to confine untrusted binaries.

The idea is to allow administrators to tightly lock down untrusted applications in a sandbox where they cannot use the network or open/create any file that is not handed to the process. It can be used to protect a system while allowing it to run some untrusted binary.

This definitely appears to be an interesting new development for SELinux: a great place to run suspect code, or maybe even Windows binaries via WINE.
I’ve used SELinux a little in the past, but usually found it incredibly complex to learn for the basic home network uses I wanted it for. This new feature may get me to put some real effort into actually making the leap and committing myself to learning how to properly implement and use it.
Related books:

  • SELinux by Example by Frank Mayer, David Caplan, and Karl MacMillan, published by Prentice Hall
  • SELinux by Bill McCarty, published by O’Reilly & Associates

Apr 19 2009

A new Linux rootkit technique presented

jason

Anthony Lineberry is presenting a new Linux kernel rootkit technique at the Black Hat conference in Amsterdam. From the article:

This offers rootkit developers a new way to hide files or processes, or interfere with network traffic. The trick is that, without requiring extensive rights, libmemrk uses the /dev/mem device driver to write arbitrary code from userspace into main memory. /dev/mem is an interface that enables use of the physically addressable memory. For example XServer and DOSEmu, both use it. Lineberry says introducing rootkits via /dev/mem is also less obvious than the established route via loadable kernel modules (LKMs).

….

Lineberry also gives some tips on how the Linux world can protect itself against rootkits of this kind. He believes it should be enough to modify the memory driver so that it doesn’t allow the write/read pointer lseek to look for more than 16 kilobytes in the memory area. Current versions of Red Hat and Fedora are inherently secure, because their kernel already incorporates the features of SELinux (Security Enhanced Linux).

Lineberry says there are also corresponding improvements in version 2.6.26 of the mainline kernel. For that purpose, the kernel was given two new functions: range_is_allowed() and devmem_is_allowed(). But this protection, he says, won’t be effective unless the preprocessor directive CONFIG_STRICT_DEVMEM has been enabled when the kernel is compiled. Otherwise, range_is_allowed() always returns success. Lineberry says that the kernel configuration setting STRICT_DEVMEM, which sets CONFIG_STRICT_DEVMEM, is not activated by default during kernel compilation. He was unable to say when libmemrk would be available for downloading, as he was still engaged in eliminating its last weaknesses.

Writing to kernel memory from userspace was previously theorized in a Phrack article about /dev/kmem, but Lineberry is the first to implement the technique via /dev/mem.

Time to start recompiling my gentoo kernels!
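Before recompiling, it is worth knowing whether the kernel you are already running has the option the article describes. The script below is an added example (not code from the article or from Lineberry's libmemrk); it reads a kernel config file and reports whether CONFIG_STRICT_DEVMEM=y is set. The two sample config files are constructed inline, and the lookup of the running kernel's config in /proc/config.gz or /boot/config-<release> is a common convention, not something the article states.

```shell
#!/bin/sh
# Added example: report whether a kernel config enables CONFIG_STRICT_DEVMEM,
# the option the article says makes range_is_allowed() actually restrict
# /dev/mem access. Purely a read-only check; nothing touches /dev/mem.

# Return 0 if the given config file has CONFIG_STRICT_DEVMEM=y, 1 otherwise.
strict_devmem_enabled() {
    grep -q '^CONFIG_STRICT_DEVMEM=y$' "$1"
}

# Print a one-line verdict for a config file.
report_devmem() {
    if strict_devmem_enabled "$1"; then
        echo "$1: CONFIG_STRICT_DEVMEM=y (range checks on /dev/mem are active)"
    else
        echo "$1: CONFIG_STRICT_DEVMEM not set (range_is_allowed() always succeeds)"
    fi
}

# Locate the running kernel's config, if the system exposes one (assumed
# locations: /proc/config.gz, then /boot/config-<release>). Prints the path.
find_running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "/tmp/running-config.$$" && echo "/tmp/running-config.$$"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Constructed sample configs (not real distribution configs).
tmpdir=$(mktemp -d)
printf '%s\n' 'CONFIG_DEVMEM=y' 'CONFIG_STRICT_DEVMEM=y' > "$tmpdir/strict.config"
printf '%s\n' 'CONFIG_DEVMEM=y' '# CONFIG_STRICT_DEVMEM is not set' > "$tmpdir/lax.config"

report_devmem "$tmpdir/strict.config"
report_devmem "$tmpdir/lax.config"

# Also check the kernel we are actually running, when its config is available.
if cfg=$(find_running_config); then
    report_devmem "$cfg"
fi
```

The check only tells you how the kernel was built; it says nothing about who can open /dev/mem, which is still governed by the device node's permissions and any MAC policy (SELinux in the article's Red Hat and Fedora example). Kernels that do not need /dev/mem at all can leave CONFIG_DEVMEM unset and drop the device entirely.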


Mar 23 2009

Linux Kernel 2.6.29 Released

jason

Earlier this evening, Linus Torvalds announced the availability of the 2.6.29 version of the Linux kernel.

This version contains many changes, including changing the mascot to Tuz the Tasmanian Devil to raise awareness of, and money for, the plight of Tasmanian devils in Australia during the 2009 linux.conf.au conference. Tasmanian devils are endangered and are currently afflicted with a form of communicable cancer.

Other major changes include the inclusion of the Btrfs filesystem, a “next-gen filesystem” that tries to “focus on fault tolerance, repair and easy administration” but is still in the development phase. Ext4 also received some updates, and SquashFS, primarily used in embedded devices, enters the mainline kernel. Other additions include an 802.17 WiMax stack, eCryptfs filename encryption, and many new and updated hardware drivers.
As always new kernel versions can be downloaded from kernel.org and the full changelog can be found here.


Mar 20 2009

New Kernel Firewall Announced: NFTables

jason

Patrick McHardy announced the release of the first public version of NFTables on the NetFilter development list and Linux kernel net development list. From the announcement:

The kernel provides a netlink configuration interface, as well as runtime ruleset evaluation using a small classification language interpreter. libnl contains the low-level functions for communicating with the kernel, the nftables frontend is what the user interacts with.

Patrick goes on to give in-depth information on the new implementation and highlights the differences between the new NFTables interface and the existing NetFilter interface. I recommend at least skimming the post if you use IPTables/NetFilter on a regular basis, so you can see what may be coming down the line.
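The announcement describes the kernel side (netlink configuration, a small rule interpreter) and the user side (libnl plus the nftables frontend), but the page shows none of the frontend language itself. As an added example, not part of the announcement or the blog post, the script below writes a minimal default-deny input ruleset in the nft frontend syntax as it exists today (an assumption; the 2009 syntax may have differed) and validates it with the frontend without loading anything into the kernel. The file path is constructed; `nft -c -f` is the real check-only mode of the nft tool.

```shell
#!/bin/sh
# Added example: a small ruleset in the nft frontend language (modern syntax,
# assumed) plus a syntax check that never touches the running kernel ruleset.

# write_ruleset writes a default-deny input policy to the given path.
write_ruleset() {
    cat > "$1" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
    }
}
EOF
}

# check_ruleset parses the file with the nft frontend in check-only mode
# (nft -c), so nothing is loaded into the kernel. When nft is not installed
# it reports that and returns 0 so the script still completes.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping syntax check of $1" >&2
    fi
}

# count_accept_rules returns how many accept rules the file contains, a cheap
# sanity check that the default-deny chain still lets the expected traffic in.
count_accept_rules() {
    grep -c ' accept$' "$1"
}

ruleset=$(mktemp)                      # constructed temporary path
write_ruleset "$ruleset"
check_ruleset "$ruleset" || echo "ruleset rejected by nft" >&2
echo "accept rules in $ruleset: $(count_accept_rules "$ruleset")"
```

The `policy drop` on the chain is the setting that makes the rest of the chain an allow-list; without it the chain defaults to accept and the three accept rules change nothing.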


Feb 23 2009

Anatomy of ext4

jason

IBM developerWorks has a good article on the anatomy of the ext4 filesystem. The ext4 filesystem was recently included in the stable 2.6.28 Linux kernel release, so now is a good time to learn more about one of the Linux filesystems of the future. (The Fedora project announced that ext4 would be the default filesystem in their Fedora 11 final release.)

Further reading for ext4:
