Linux 4.6 boosts container security, adds OrangeFS support
May 17, 2016
Shah Sheikh


As promised, Linux boss Linus Torvalds released version 4.6 of the Linux kernel on Sunday. This latest version adds support for the new distributed file system OrangeFS, more reliable out-of-memory handling, support for 802.1AE MACsec (MAC-level encryption), and support for Intel memory protection keys.

“It’s just as well I didn’t cut the rc cycle short, since the last week ended up getting a few more fixes than expected, but nothing in there feels all that odd or out of line,” Torvalds wrote on the mailing list.

Linux 4.6 has improved support for cgroup namespaces, which is particularly important for container security. Without the namespace, the /proc/$PID/cgroup file shows the complete path of the process’s cgroup, said Serge Hallyn, the Ubuntu developer who worked on the kernel.

“In a container setup where a set of cgroups and namespaces are intended to isolate processes, the /proc/$PID/cgroup file may leak potential system-level information to the isolated processes,” Hallyn wrote. The namespace provides a mechanism to virtualize the view of the file and cgroup mounts.
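The leak Hallyn describes is easy to check for. As an added example (not from the article or the kernel tree), the POSIX shell functions below parse /proc/<pid>/cgroup output and report any controller whose path is not "/", which is what a process sees when no cgroup namespace hides the host-side hierarchy. The two samples are constructed, and the function names are my own.

```shell
# Constructed sample: a containerised process WITHOUT a cgroup namespace
SAMPLE_LEAKED='12:pids:/lxc/web01
3:cpu,cpuacct:/lxc/web01
1:name=systemd:/user.slice/user-1000.slice/session-3.scope/lxc/web01'

# Constructed sample: the same process seen through a cgroup namespace
# created at its own cgroup, so every path collapses to "/"
SAMPLE_VIRTUALIZED='12:pids:/
3:cpu,cpuacct:/
1:name=systemd:/'

# cgroup_leaks TEXT  - print "controller host-path" for every line whose path is not "/"
cgroup_leaks() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }                         # skip blank lines
        {
            split($0, f, ":")                    # f[1]=hierarchy id, f[2]=controllers
            p = $0; sub(/^[^:]*:[^:]*:/, "", p)  # path = everything after the 2nd colon
            if (p != "/") print f[2], p
        }'
}

# cgroup_leak_count TEXT - number of leaking lines, always printed as a clean integer
cgroup_leak_count() {
    cgroup_leaks "$1" | awk 'END { print NR }'
}

# cgroup_is_virtualized TEXT - true (exit 0) when no controller path leaks
cgroup_is_virtualized() {
    [ "$(cgroup_leak_count "$1")" -eq 0 ]
}

# cgroup_check_pid [PID] - run the check against a live process (default: self).
# Caveat: a process in the host's root cgroup also shows "/" everywhere, so compare
# /proc/<pid>/ns/cgroup (present from 4.6) with PID 1's before concluding that a
# namespace is actually in use.
cgroup_check_pid() {
    pid=${1:-self}
    if cgroup_is_virtualized "$(cat "/proc/$pid/cgroup")"; then
        echo "pid $pid: cgroup paths virtualized (ns: $(readlink "/proc/$pid/ns/cgroup" 2>/dev/null || echo n/a))"
    else
        echo "pid $pid: host cgroup path visible to the process:"
        cgroup_leaks "$(cat "/proc/$pid/cgroup")"
    fi
}
```

Run `cgroup_check_pid <pid>` on the host against a container's init process to see which view it gets; on a 4.6 kernel, `unshare -C` from util-linux creates the namespace when the container runtime does not.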

The kernel improved networking security with its implementation of MACsec/IEEE 802.1AE. “This driver provides authentication and encryption of traffic in a LAN, typically with GCM-AES-128, and optional replay protection,” wrote Sabrina Dubroca, the Linux kernel developer behind this implementation.

In the run-up to the 4.6 release, Linux Foundation Fellow Greg Kroah-Hartman discussed how administrators need to update the kernel regularly to stay on top of the latest fixes. “We’re fixing about 10 bugs in the kernel every day. Not all of them are security issues, but sometimes the big problem is we don’t know if an issue is a security issue or not,” he said.

The comments outraged Brad Spengler, the kernel developer behind Grsecurity, who noted that many of the mainline kernel’s fixes and improvements lag behind what he and other developers already offer.

That’s a legitimate comment, but as long as those security patches are not added to the mainline kernel, which Spengler and other developers have shown no interest in doing, it stands to reason that the mainline kernel will lag behind the wider security effort.

In other words, until kernel security developers commit those changes to mainline, the mainline kernel will continue to lag behind their out-of-tree work.

The 4.6 kernel was a big release — “more commits than we’ve had in a while,” Torvalds said — but since it was released on time, Torvalds expects to begin work on 4.7 right away.

Source | InfoWorld