LWN.net Logo

Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

BSD-style securelevel comes to Linux — again

BSD-style securelevel comes to Linux — again

Posted Sep 13, 2013 8:56 UTC (Fri) by dlang (✭ supporter ✭, #313)
In reply to: BSD-style securelevel comes to Linux — again by ernest
Parent article: BSD-style securelevel comes to Linux — again

there are good reasons to upgrade the kernel, but are there good reasons to upgrade the kernel without being willing to upgrade anything else?

remember, this isn't the home user we are talking about here, this is someone who is trying to lock down the system in a way that even root can't change it.

anyone going to that much effort isn't going to be randomly upgrading one component.

(Log in to post comments)

BSD-style securelevel comes to Linux — again

Posted Sep 13, 2013 19:36 UTC (Fri) by khim (subscriber, #9252) [Link]

there are good reasons to upgrade the kernel, but are there good reasons to upgrade the kernel without being willing to upgrade anything else?

Depends on your definition of “anything”. Kernel is often upgraded if you need/want to support new hardware capabilities. Sometimes you then need to upgrade some low-level components (things like modproble), but you don't expect to change the setup of the whole system just because you've installed new CPU and want to use AVX512 in your programs.

BSD-style securelevel comes to Linux — again

Posted Sep 14, 2013 1:26 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link]

remember that we are not talking about POSIX capabilities that your programs all need to know about.

We are talking about features that you can turn off to lock your machine down (protecting it even from root)

I would expect that there will be one program to do this, and it will probably be executed exactly once per boot cycle. (unless it's a developers machine)

So saying that if you upgrade the kernel and are trying to lock down the machine, you need to check for new lockdown flags that may have been introduced and decide if you want them doesn't seem at all unreasonable to me. In fact, it sounds like what would happen anyway with anyone competent dong a kernel upgrade, you would check new kernel compile options to see if something new pops up that may be a problem.

Look at the namespace features for a perfect example.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds