LWN.net

Kernel development


Substitute editor's introduction. Watching the linux-kernel mailing lists is a task left to those with an interest in which bits fly across an ether, not whether or not those bits look green or blue (as we desktop nerds prefer). So when Jon asked me to fill in for him on the Kernel page this week I felt a tang of distaste. Wondering whether BIG_BUF_OVERFLOW_MASSIVE_CRASH_HELP is supposed to be an unsigned long or int in the scheduler is tantamount to a master chef asking me if a teaspoon or two of salt belongs in the Quiche. Me, a man who spends most of his fine dining at McDonald's and The New Emperor's Chinese All You Can Eat Buffet and spends weekends popping excessive amounts of salt tablets after rather exhausting rounds of Putt-Putt golf. I stand emphatically and pronounce "Make it an unsigned long" and walk away proud to know that I will never know if it made a difference or not. It had no color. It wasn't important.

Unfortunately, on this page, for those millions of loyal readers of Jon's weekly summaries and analysis - and for those who know it really did have color - it does matter. And so I'll taste the Quiche (and check which bits have been twiddled) once again. Bleck.

The current development kernel release is 2.4.0-test12. Linus posted 2.4.0-test12, the latest in the pre-2.4.0 series, on Monday. The first prepatch for 2.4.0-test13 is out; it is a small patch consisting entirely of makefile changes.

The current stable kernel release is 2.2.18. Alan Cox has posted the release notes for the 2.2.18 kernel release. The major thrust for the i386 line has been support for processors running in excess of 2GHz, support for the CyrixIII processor and also basic support for the Pentium IV. A slew of memory leaks were also cleaned up, including some in the popular bttv driver (the primary driver used for PC-based TV cards). That driver was also updated to allow subwindow clipping.

Looking forward to 2.2.19, Alan Cox has indicated that he will look at incorporating some virtual memory fixes. Evidently the (much improved) 2.4 VM has impressed him, but he plans to make 2.2 even faster. Linus took the challenge: "You and me. Mano a mano." It should be fun...

Disk corruption problems found? Andre Hedrick, maintainer of the IDE subsystem, has evidently found the cause of occasional disk corruption reports. It appears there is a "feature" in the IDE DMA implementation that stops a DMA operation if there is a delay of one microsecond or more. The current crop of large drives may be more inclined toward this sort of delay, and may be behind some of the current complaints.

Fixing the problem may take some work; Andre has three possible alternatives. The third one, however, is "give up and go to bed," which may not appeal to all users...

Pentium 4 and Linux Distributions. An article posted on C|Net News.com (from an original posting on LinuxGram) noted that support for Intel Pentium 4 processors was not being included in most current Linux distributions, with Red Hat and TurboLinux being the exceptions. The problem wasn't with Intel, however - that company had provided the appropriate CPUID information to the major distributors some time back. Instead, the distributors had decided, for one reason or another, not to include support for that processor.

Caldera's [vice president of engineering Darren] Davis basically agreed with [Intel's P4 spokesman George] Alfs' characterization, noting that "Intel gave us all the (Pentium 4) information we needed."

Interestingly enough, the release notes for the 2.2.18 release from Alan Cox included this bit of information about the Pentium IV:

Unfortunately Intel chose to ignore all precedent in model numbering via cpuid and report a family of '15'. This sudden jump broke assumptions in the kernel tree without any warning. Intel have failed to provide good reasons for their change. We have chosen to continue to report the Pentium IV as a '686' class processor. The full family data is provided via cpuinfo.

This sort of makes you wonder just who had the information, who actually wanted the information and why, if it really was available, it really wasn't used.
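The complaint in the release notes is about the family number that the cpuid instruction reports. The following decoder, added here as an illustration and not taken from the kernel tree, shows why a family of 15 is special: in the documented layout of the leaf-1 signature, 15 is the one base-family value that pulls in the extended-family field, so a 4-bit family that older code assumed would stay in the 3..6 range suddenly needs a new case. The `cpu_class()` mapping (family 15 and up reported as 686 class, as the notes describe) and the sample signature values are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields decoded from the EAX value that CPUID leaf 1 returns. */
struct cpu_sig {
    unsigned family;    /* display family, extended-family field folded in */
    unsigned model;     /* display model, extended-model field folded in */
    unsigned stepping;
};

/* Decode a leaf-1 EAX signature using the documented layout: stepping in
 * bits 3:0, model in 7:4, family in 11:8, extended model in 19:16 and
 * extended family in 27:20. The extended family is only added when the
 * base family is 0xF (15), and the extended model only applies to
 * families 6 and 15. A base family of 15 is therefore the first value
 * that escapes the 4-bit range, which is why code assuming a small
 * family number in the 3..6 range had no case for it. */
struct cpu_sig decode_cpuid1(uint32_t eax)
{
    struct cpu_sig s;
    unsigned base_family = (eax >> 8) & 0xFu;
    unsigned base_model  = (eax >> 4) & 0xFu;
    unsigned ext_family  = (eax >> 20) & 0xFFu;
    unsigned ext_model   = (eax >> 16) & 0xFu;

    s.stepping = eax & 0xFu;
    s.family = base_family;
    if (base_family == 0xFu)
        s.family += ext_family;
    s.model = base_model;
    if (base_family == 0x6u || base_family == 0xFu)
        s.model |= ext_model << 4;
    return s;
}

/* Map a family to the "x86 class" reported as 386/486/586/686. Following
 * the 2.2.18 release notes, family 15 and above is reported as 686 class.
 * This mapping is written for this example and is not the kernel's code. */
unsigned cpu_class(unsigned family)
{
    if (family >= 3 && family <= 6)
        return family * 100 + 86;
    if (family >= 15)
        return 686;
    return 0;   /* pre-386 or unrecognised */
}

int main(void)
{
    /* Constructed signatures for illustration: a family-6 part, a
     * family-15 part like the original Pentium 4, a family-6 part that
     * uses the extended-model field, and a part with an extended family. */
    const uint32_t samples[] = { 0x00000673u, 0x00000F07u, 0x000206A7u, 0x00100F43u };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct cpu_sig s = decode_cpuid1(samples[i]);
        printf("eax=0x%08x family=%u model=%u stepping=%u class=%u\n",
               (unsigned)samples[i], s.family, s.model, s.stepping,
               cpu_class(s.family));
    }
    return 0;
}
```

Note that the extended fields are ignored entirely when the base family is below 15, so a decoder that only masked bits 11:8 gave correct answers for every processor the 2.2 tree had seen until then; the first family-15 part was the point at which that shortcut stopped being harmless.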

Not long after noting the C|Net News.com article on the LWN.net Daily Page, we received the following note from a SuSE employee:

SuSE provides an updated installation floppy image at

ftp://ftp.suse.com/pub/suse/i386/update/7.0/kernel/pentium4/

Just dump this on a boot floppy using rawrite.exe or "dd" as stated in the manual and use this [floppy] for the initial installation. After installing the system, replace the file /boot/vmlinuz with the file "linux" on the floppy disk and rerun LILO.

In fact, we have sent this floppy image and RPM patches to Intel about three weeks ago.

It was unclear whether News.com had contacted SuSE (or any other distributions) to clarify the issue.

Rule Set Based Access Control (RSBAC). On Monday, Amon Ott posted the announcement of the release of version 1.1.0 of the Rule Set Based Access Control (RSBAC). RSBAC is an open source security extension for current Linux kernels. It is based on the Generalized Framework for Access Control (GFAC) by Abrams and LaPadula and provides a flexible system of access control based on several modules. Essentially, RSBAC interposes a central decision maker between an application and the system calls it makes; rules may be applied to any system call which determine whether the call is actually allowed to execute or not.

In the current RSBAC version (1.1.0), eight modules are included:

  • MAC: Bell-LaPadula Mandatory Access Control (limited to 64 compartments).

  • FC: Functional Control. A simple role based model, restricting access to security information to security officers and access to system information to administrators.

  • SIM: Security Information Modification. Only security administrators are allowed to modify data labeled as security information.

  • PM: Privacy Model. Simone Fischer-Huebner's Privacy Model in its first implementation.

  • MS: Malware Scan. Scan all files for malware on execution (optionally on all file read accesses or on all TCP/UDP read accesses), deny access if infected. Currently the Linux viruses Bliss.A and Bliss.B and a handful of others are detected.

  • FF: File Flags. Provide and use flags for dirs and files. Only security officers may modify these flags.

  • RC: Role Compatibility. Defines (up to) 64 roles and 64 types for each target type (file, dir, dev, ipc, scd, process). For each role, compatibility to all types and to other roles can be set individually and with request granularity.

  • AUTH: Authorization enforcement. Controls all CHANGE_OWNER requests for process targets; only programs/processes with general setuid allowance and those with a capability for the target user ID may setuid. Capabilities are controlled by other programs/processes.

  • ACL: Access Control Lists. For every object there is an Access Control List, defining which subjects may access this object with which request types.

More information on this new facility is available at the RSBAC Web site.
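To make the "central decision maker" idea concrete, here is an added illustration in the GFAC style the text describes. It is not RSBAC's own code: two of the modules listed above, MAC (Bell-LaPadula with a 64-bit compartment mask) and FF (per-file flags), are written as small decision functions, and a single decision point consults every module and lets any denial win. The attribute layout, the flag names, the request subset and the sample subjects and objects are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Request types a subject can issue against a target (a small subset). */
enum request { R_READ, R_WRITE, R_EXECUTE };

/* Verdicts a module can return: a module either grants, denies, or has
 * no opinion about a particular request. */
enum verdict { DO_NOT_CARE, GRANTED, NOT_GRANTED };

/* Attributes of a subject (process) and of an object (file). */
struct subject {
    unsigned mac_level;        /* Bell-LaPadula sensitivity level */
    uint64_t mac_categories;   /* up to 64 compartments, one bit each */
};

struct object {
    unsigned mac_level;
    uint64_t mac_categories;
    unsigned ff_flags;         /* flags consulted by the FF module */
};

#define FF_READ_ONLY   (1u << 0)
#define FF_NO_EXECUTE  (1u << 1)

typedef enum verdict (*module_fn)(const struct subject *, const struct object *, enum request);

/* (l1, c1) dominates (l2, c2) when the level is at least as high and every
 * compartment in c2 is also present in c1. */
static int dominates(unsigned l1, uint64_t c1, unsigned l2, uint64_t c2)
{
    return l1 >= l2 && (c2 & ~c1) == 0;
}

/* MAC module, Bell-LaPadula: no read up (the subject must dominate the object
 * to read or execute) and no write down (the object must dominate the subject
 * to write). */
static enum verdict mac_module(const struct subject *s, const struct object *o, enum request r)
{
    int ok;
    if (r == R_WRITE)
        ok = dominates(o->mac_level, o->mac_categories, s->mac_level, s->mac_categories);
    else
        ok = dominates(s->mac_level, s->mac_categories, o->mac_level, o->mac_categories);
    return ok ? GRANTED : NOT_GRANTED;
}

/* FF module: per-file flags. A file without a relevant flag yields no opinion. */
static enum verdict ff_module(const struct subject *s, const struct object *o, enum request r)
{
    (void)s;
    if (r == R_WRITE && (o->ff_flags & FF_READ_ONLY))
        return NOT_GRANTED;
    if (r == R_EXECUTE && (o->ff_flags & FF_NO_EXECUTE))
        return NOT_GRANTED;
    return DO_NOT_CARE;
}

static const module_fn modules[] = { mac_module, ff_module };

/* Central decision point: every module is consulted and any NOT_GRANTED is
 * final, so the request proceeds (returns 1) only when no module denies it. */
int adf_request(const struct subject *s, const struct object *o, enum request r)
{
    size_t i;
    for (i = 0; i < sizeof modules / sizeof modules[0]; i++)
        if (modules[i](s, o, r) == NOT_GRANTED)
            return 0;
    return 1;
}

/* Constructed subjects and objects for the demonstration. */
const struct subject analyst = { 2, 0x3 };   /* level 2, compartments 0 and 1 */
const struct subject auditor = { 3, 0x1 };   /* level 3, compartment 0 only */
const struct object report  = { 1, 0x1, 0 };
const struct object hosts   = { 2, 0x3, FF_READ_ONLY };
const struct object script  = { 2, 0x3, FF_NO_EXECUTE };

int main(void)
{
    printf("analyst read report:  %d\n", adf_request(&analyst, &report, R_READ));    /* 1 */
    printf("analyst write report: %d\n", adf_request(&analyst, &report, R_WRITE));   /* 0: write down */
    printf("analyst write hosts:  %d\n", adf_request(&analyst, &hosts, R_WRITE));    /* 0: read-only flag */
    printf("analyst exec script:  %d\n", adf_request(&analyst, &script, R_EXECUTE)); /* 0: no-execute flag */
    printf("auditor read hosts:   %d\n", adf_request(&auditor, &hosts, R_READ));     /* 0: missing compartment */
    return 0;
}
```

The last case is the one worth noticing: the auditor's level is higher than the file's, but a missing compartment bit is enough for the MAC module to deny, and because the decision point stops at the first NOT_GRANTED, no later module can override it.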

kORBit - the Linux kernel CORBA ORB. Here is one of the more interesting kernel patches we have seen go by for a while: kORBit is a CORBA object request broker (ORB) which runs in the Linux kernel. It allows kernel extensions to be written as CORBA objects. Possible applications, from the announcement, include:

  • Through the use of a LD_PRELOAD'd syscall wrapper library, you can forward system calls through CORBA to an arbitrary local/remote machine.

  • We can now write device drivers in perl, and let them run on the iMAC across the hall from you.

Despite that last one, this development appears to be for real. They do warn, however, that "security is completely unimplemented." Don't hold your breath waiting for this one to get into the mainline kernel...

Other patches and updates released this week include:

  • Gary Lawrence Murphy has posted another in his monthly calls for assistance with his "KernelWiki" documentation project.

  • Keith Owens has released modutils 2.3.22. Among other things, it includes support for persistent module data. Note, however, that this version of modutils breaks with some 2.2 kernels, and should probably not be used by people running 2.2.

  • Peter Braam has announced version beta 0.93 of the InterMezzo high-availability filesystem.

  • ext3-0.0.5c, the latest development version of Stephen Tweedie's journaling filesystem, was released.

  • Eric Raymond has released version CML2-0.9.0. This release uses Python 2.0 instead of 1.5.2, which according to Eric saves him close to 600 lines of code. Also included is automatic deduction of correct side-effects whenever a configuration symbol is changed.

  • Chris Norris released a patch to the libraw1394 library that provides a single set of handlers per 1394 port for FCP, BusReset, Tag, and Iso receive events. It also includes a function which retrieves the port number a handle was set to.

  • The international crypto kernel patch 2.2.18.3 was released (versions .1 and .2 had some compatibility problems). This is simply a port of 2.2.17.10 to the new upstream kernel release. It contains none of the changes in 2.2.17.11pre1, but patches cleanly against the new kernel.

Section Editor: Michael J. Hammel

December 14, 2000

Copyright © 2000 Eklektix, Inc., all rights reserved