Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Linux

Linus Torvalds Approves New Kernel 'Lockdown' Feature (zdnet.com) 86

"After years of countless reviews, discussions, and code rewrites, Linus Torvalds approved on Saturday a new security feature for the Linux kernel, named 'lockdown'," reports ZDNet: The new feature will ship as a LSM (Linux Security Module) in the soon-to-be-released Linux kernel 5.4 branch, where it will be turned off by default; usage being optional due to the risk of breaking existing systems. The new feature's primary function will be to strengthen the divide between userland processes and kernel code by preventing even the root account from interacting with kernel code -- something that it's been able to do, by design, until now.

When enabled, the new "lockdown" feature will restrict some kernel functionality, even for the root user, making it harder for compromised root accounts to compromise the rest of the OS... "When enabled, various pieces of kernel functionality are restricted," said Linus Torvalds, Linux kernel creator, and the one who put the final stamp of approval on the module yesterday. This includes restricting access to kernel features that may allow arbitrary code execution via code supplied by userland processes; blocking processes from writing or reading /dev/mem and /dev/kmem memory; block access to opening /dev/port to prevent raw port access; enforcing kernel module signatures; and many more others, detailed here.

This discussion has been archived. No new comments can be posted.

Linus Torvalds Approves New Kernel 'Lockdown' Feature

Comments Filter:
  • by phantomfive ( 622387 ) on Sunday September 29, 2019 @10:39PM (#59251504) Journal
    This is like saying "suck it" to GRSecurity. Not that GRSecurity was ever secure, but that's a different question.

    It is a little concerning that there is yet another security ring, but we already have so many that that argument has been lost. Elegance is gone (and yet another layer of security won't make things secure).
    • by AHuxley ( 892839 )
      When did the elegance start to fail?
      Was it to keep up with CPU, GPU changes?
      Who still makes a great OS that is secure?
      • At the 2.6 kernel I think things changed. I think because at that point Linux became popular and everyone wanted to add new features. More generally, as an industry, I think we've always been a bunch of inelegant Snobol programmers.
    • by That Ordinary Guy ( 6159720 ) on Monday September 30, 2019 @01:03AM (#59251716)

      This is like saying "suck it" to GRSecurity. Not that GRSecurity was ever secure, but that's a different question.

      It is a little concerning that there is yet another security ring, but we already have so many that that argument has been lost. Elegance is gone (and yet another layer of security won't make things secure).

      Well, it seems like good news to me, but, as with any new feature, I will wait for a while before using it to let others test it. Good decision to disable it by default too.

      Regarding GRSecurity, I am not sure it is like saying "suck it" to them, in the short term at least. In fact, SELinux , AppArmor, Grsecurity , etc. will probably use that new feature while adding on top of it. Nevertheless, I have to admit that this will cause them to reevaluate the pertinence of their existence in the long term.

      A much simpler use case parallel would be Trumpet Winsock that eventually went dead when Microsoft finally realized that they had to implement an IP stack themselves natively. This was a funny era where people were trying to compete the Internet and had other plans, Microsoft included . The French government even deployed Minitel to compete the Internet and it eventually went dead as well.

      https://en.wikipedia.org/wiki/... [wikipedia.org]
      https://en.wikipedia.org/wiki/... [wikipedia.org]

      • Minitel was great though haha
      • by _merlin ( 160982 ) on Monday September 30, 2019 @06:38AM (#59252056) Homepage Journal

        The public Internet wasn't really a thing when Minitel began roll-out in 1980 - there were experimental IP connections between universities, but not much else. Home computers available at the time would have had a hard time running a full IP stack. There were lots of dial-up information services before the Internet really took hold in the mid '90s. You can't really fault France Telecom for rolling out a service that was useful at the time, and continued to be for over a decade.

        • That's how people connected on the Internet back then. They'd call up a university and then let their computers handle the rest.
          • by Dunbal ( 464142 ) *
            And everything was X.25.
          • Yes, but that was using a remote shell account (which is what some early US ISPs had as their main offering), or like USENET. When home computers got powerful enough to really have even a basic IP stack was when things started taking off I think, as you could have local applications.

            I find it somewhat ironic that Microsoft dragged their feet so long when it was clear that this was the way networking was going to go. The competing Windows networking solutions were clearly designed and intended for tiny netw

      • A much simpler use case parallel would be Trumpet Winsock that eventually went dead when Microsoft finally realized that they had to implement an IP stack themselves natively.

        Microsoft had their own IP stack for Windows 3.1, but Trumpet (and other winsocks) kept going throughout its lifespan because users didn't know it existed for the most part. The fastest stack for Windows 3.1 was TGV's. TGV was working on a high performance stack for Windows 95 (even though it came with a stack, it wasn't very good) when they were bought out by Cisco and turned into a cable modem dev lab.

    • by AmiMoJo ( 196126 )

      I was thinking it sounds an awful lot like what Microsoft introduced with Windows Vista, and refined to its current state in Windows 10.

      • I was thinking the same thing. This sounds a bit like UAC.

        • Can UAC actually do anything remotely like this, because I thought it was the opposite. I thought UAC allowed you to do Administrator things while logged in as a non-admin user, by popping up a dialog that asks for the Administrator password.

          Which, btw, provides a fun opportunity. Write a little script that pops up a dialog that looks like the UAC dialog whenever the user clicks on a program they haven't used recently. The user is accustomed to habitually typing in the admin password, so instant privileg

  • by p$$w0rd1 ( 4679597 ) on Sunday September 29, 2019 @10:59PM (#59251524)
    Sound like Linus is beefing up Linux security from Poettering's systemd.
  • This is much the same as putting a BIOS password in hardware/firmware on a PC. Once it exists, it MUST be used or at least protected. If you leave a laptop laying around with no BIOS password the first person who wants to can lock it down to themselves. If the facility for lockdown exists, it must be possible to lock malevolent players from activating it.

    Once the 'lockdown' is built into the system, it's mandatory.

    • It's not, it never is.

      The ONLY design intent is to remover user control and not anything else. No matter what BS they try to blow up everyone's skirts this is the only purpose behind it.

      This fits right into the principal of "giving up liberty for a little temporary safety, makes you undeserving of either that liberty or safety".

      There is a reason why everyone's phones are easily hacked and why everyone is easily spied upon.

      • Would that reason be so the hot nanny can send nudes while the big bad wolf comes in from the southland to devour us both?
  • by demon driver ( 1046738 ) on Sunday September 29, 2019 @11:44PM (#59251606) Journal

    Any interferences between the two?

  • by rev0lt ( 1950662 ) on Monday September 30, 2019 @12:08AM (#59251634)
    So new versions of the linux kernel finally get some sort of securelevels, huh?
  • This is shipped in literally millions of devices... i.e. paranoid networking maybe time to get mainstream...

  • Linus Torvalds finally begins to appreciate the microkernel approach. :-)
    • by Viol8 ( 599362 )

      Microkernels look great on a whiteboard in a university lecture, but in the real world they absolutely suck. They're horrendously slow and complicated and that's why no mainstream OS uses them.

      • by Bengie ( 1121981 )
        Slow, yes. But complicated? Microkernels, at least the popular ones, have nearly all of their drivers in user land, where the code is greatly simplified. You can't even use SIMD instructions in the kernel because that would require capturing more registers on context switch. At least with currently CPU architecture, heavy context switching destroys CPU performance, but there are basic features to reduce the impact and there's no reason more features added. The main cost to context switching is virtual memor
        • Yes, indeed. Microkernels are so simple they've never worked. Mach uses a hybrid microkernel, not a pure microkernel. I don't think there is a modern, working microkernel anywhere in the world that runs an entire operating system.

          • by Bengie ( 1121981 )
            Yes well, there are no true circles in the world either. Just because the ideal is so perfect that it is impossible doesn't mean a rough equivalent can't be good enough.
            • Are there any that come even _close_ to running a complete operating system? Network, graphics, and storage? HURD and Minix never managed it successfully enough to use.

              • by Bengie ( 1121981 )
                Redox is a micro-kernel whole OS in Rust, including a ZFS like FS, all put together in not much time for the amount of features.
  • If even a root process can't create a raw socket (I assume thats what is meant by a raw port) then how will programs such as tcpdump and other network monitoring utils work? Also anything that needs to read or write raw ethernet frames is buggered. Also not everything can be found in /proc or /sys and sometimes accessing /dev/kmem can be useful.

    • If even a root process can't create a raw socket (I assume thats what is meant by a raw port)

      It's not, it refers to raw access to physical (e.g. serial or parallel) ports (and not via TTY devices such as /dev/ttyS0), see e.g. https://linux.die.net/man/4/po... [die.net] or http://tldp.org/HOWTO/IO-Port-... [tldp.org]

      sometimes accessing /dev/kmem can be useful.

      Then boot with lockdown="" when you want to use it, but let's not let malicious code do that any time it wants.

  • So Linux is finally reading the Windows security playbook from 15 years ago?

  • i'm wondering how this will impact custom roms/images development.
    not specifically talking about phones here, but just 'devices' in general.
    in a lot of cases these were 'cracked' by a flaw somewhere, which then allowed full access and the ability to re-flash the OS with something the community has made, but is 10x better with regards to features, security and stability.
    now imagine all such devices come with this feature enabled, that will make life a lot more difficult to truely open up these devices.

  • Long live Linux.
  • Ahem, excuse me... "rootless."

  • Sandwiches (Score:4, Funny)

    by reanjr ( 588767 ) on Monday September 30, 2019 @08:42AM (#59252298) Homepage

    $ make me a sandwich

    access denied

    $ sudo make me a sandwich

    access denied :(

  • Isnâ(TM)t the best way to secure your system to fully understand how it works? :/ As far as I can see, this only makes this harder, with new subsystems and boot options that will rarely be used but are very important to use correctly when you first need them.
  • https://man.openbsd.org/secure... [openbsd.org]
    So it took only 20 years for Linux to copy OpenBSD's securelevel(7)
    nice ...

Avoid strange women and temporary variables.

Working...