Ubuntu

01 Oct 2016

Planet Ubuntu

Kees Cook: security things in Linux v4.6

The v4.6 Linux kernel release included a bunch of stuff, with much more of it under the KSPP umbrella.

seccomp support for parisc

Helge Deller added seccomp support for parisc, which including plumbing support for PTRACE_GETREGSET to get the self-tests working.

x86 32-bit mmap ASLR vs unlimited stack fixed

Hector Marco-Gisbert removed a long-standing limitation to mmap ASLR on 32-bit x86, where setting an unlimited stack (e.g. "ulimit -s unlimited") would turn off mmap ASLR (which provided a way to bypass ASLR when executing setuid processes). Given that ASLR entropy can now be controlled directly (see the v4.5 post), and that the cases where this created an actual problem are very rare, means that if a system sees collisions between unlimited stack and mmap ASLR, they can just adjust the 32-bit ASLR entropy instead.

x86 execute-only memory

Dave Hansen added Protection Key support for future x86 CPUs and, as part of this, implemented support for "execute only" memory in user-space. On pkeys-supporting CPUs, using mmap(..., PROT_EXEC) (i.e. without PROT_READ) will mean that the memory can be executed but cannot be read (or written). This provides some mitigation against automated ROP gadget finding where an executable is read out of memory to find places that can be used to build a malicious execution path. Using this will require changing some linker behavior (to avoid putting data in executable areas), but seems to otherwise Just Work. I'm looking forward to either emulated QEmu support or access to one of these fancy CPUs.

CONFIG_DEBUG_RODATA enabled by default on arm and arm64, and mandatory on x86

Ard Biesheuvel (arm64) and I (arm) made the poorly-named CONFIG_DEBUG_RODATA enabled by default. This feature controls whether the kernel enforces proper memory protections on its own memory regions (code memory is executable and read-only, read-only data is actually read-only and non-executable, and writable data is non-executable). This protection is a fundamental security primitive for kernel self-protection, so making it on-by-default is required to start any kind of attack surface reduction within the kernel.

On x86 CONFIG_DEBUG_RODATA was already enabled by default, but, at Ingo Molnar's suggestion, I made it mandatory: CONFIG_DEBUG_RODATA cannot be turned off on x86. I expect we'll get there with arm and arm64 too, but the protection is still somewhat new on these architectures, so it's reasonable to continue to leave an "out" for developers that find themselves tripping over it.

arm64 KASLR text base offset

Ard Biesheuvel reworked a ton of arm64 infrastructure to support kernel relocation and, building on that, Kernel Address Space Layout Randomization of the kernel text base offset (and module base offset). As with x86 text base KASLR, this is a probabilistic defense that raises the bar for kernel attacks where finding the KASLR offset must be added to the chain of exploits used for a successful attack. One big difference from x86 is that the entropy for the KASLR must come either from Device Tree (in the "/chosen/kaslr-seed" property) or from UEFI (via EFI_RNG_PROTOCOL), so if you're building arm64 devices, make sure you have a strong source of early-boot entropy that you can expose through your boot-firmware or boot-loader.

zero-poison after free

Laura Abbott reworked a bunch of the kernel memory management debugging code to add zeroing of freed memory, similar to PaX/Grsecurity's PAX_MEMORY_SANITIZE feature. This feature means that memory is cleared at free, wiping any sensitive data so it doesn't have an opportunity to leak in various ways (e.g. accidentally uninitialized structures or padding), and that certain types of use-after-free flaws cannot be exploited since the memory has been wiped. To take things even a step further, the poisoning can be verified at allocation time to make sure that nothing wrote to it between free and allocation (called "sanity checking"), which can catch another small subset of flaws.

To understand the pieces of this, it's worth describing that the kernel's higher level allocator, the "page allocator" (e.g. __get_free_pages()) is used by the finer-grained "slab allocator" (e.g. kmem_cache_alloc(), kmalloc()). Poisoning is handled separately in both allocators. The zero-poisoning happens at the page allocator level. Since the slab allocators tend to do their own allocation/freeing, their poisoning happens separately (since on slab free nothing has been freed up to the page allocator).

Only limited performance tuning has been done, so the penalty is rather high at the moment, at about 9% when doing a kernel build workload. Future work will include some exclusion of frequently-freed caches (similar to PAX_MEMORY_SANITIZE), and making the options entirely CONFIG controlled (right now both CONFIGs are needed to build in the code, and a kernel command line is needed to activate it). Performing the sanity checking (mentioned above) adds another roughly 3% penalty. In the general case (and once the performance of the poisoning is improved), the security value of the sanity checking isn't worth the performance trade-off.

Tests for the features can be found in lkdtm as READ_AFTER_FREE and READ_BUDDY_AFTER_FREE. If you're feeling especially paranoid and have enabled sanity-checking, WRITE_AFTER_FREE and WRITE_BUDDY_AFTER_FREE can test these as well.

To perform zero-poisoning of page allocations and (currently non-zero) poisoning of slab allocations, build with:

CONFIG_DEBUG_PAGEALLOC=n
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
CONFIG_SLUB_DEBUG=y

and enable the page allocator poisoning and slab allocator poisoning at boot with this on the kernel command line:

page_poison=on slub_debug=P

To add sanity-checking, change PAGE_POISONING_NO_SANITY=n, and add "F" to slub_debug as "slub_debug=PF".

read-only after init

I added the infrastructure to support making certain kernel memory read-only after kernel initialization (inspired by a small part of PaX/Grsecurity's KERNEXEC functionality). The goal is to continue to reduce the attack surface within the kernel by making even more of the memory, especially function pointer tables, read-only (which depends on CONFIG_DEBUG_RODATA above).

Function pointer tables (and similar structures) are frequently targeted by attackers when redirecting execution. While many are already declared "const" in the kernel source code, making them read-only (an therefore unavailable to attackers) for their entire lifetime, there is a class of variables that get initialized during kernel (and module) start-up (i.e. written to during functions that are marked "__init") and then never (intentionally) written to again. Some examples are things like the VDSO, vector tables, arch-specific callbacks, etc.

As it turns out, most architectures with kernel memory protection already delay making their data read-only until after __init (see mark_rodata_ro()), so it's trivial to declare a new data section (".data..ro_after_init") and add it to the existing read-only data section (".rodata"). Kernel structures can be annotated with the new section (via the "__ro_after_init" macro), and they'll become read-only once boot has finished.

The next step for attack surface reduction infrastructure will be to create a kernel memory region that is passively read-only, but can be made temporarily writable (by a single un-preemptable CPU), for storing sensitive structures that are written to only very rarely. Once this is done, much more of the kernel's attack surface can be made read-only for the majority of its lifetime.

As people identify places where __ro_after_init can be used, we can grow the protection. A good place to start is to look through the PaX/Grsecurity patch to find uses of __read_only on variables that are only written to during __init functions. The rest are places that will need the temporarily-writable infrastructure (PaX/Grsecurity uses pax_open_kernel()/pax_close_kernel() for these).

That's it for v4.6, next up will be v4.7!

01 Oct 2016 7:45am GMT

30 Sep 2016

Planet Ubuntu

Ubuntu Insights: Cloud Chatter: October 2016

Welcome to our September edition. This month, We begin with Canonical introducing enterprise support for its own distribution of Kubernetes across public clouds and private infrastructure. Next up we give you a preview of what you can expect from us in Barcelona at the OpenStack Summit. We have details of our expanding partnership with IBM announcing that Ubuntu OpenStack is the only commercial solution available across all IBM platforms. We also announced another partnership with a big data provider, BigStep. If you couldn't make it to the Juju Charmer Summit then you can catch up on all of the sessions by visiting our Juju YouTube channel. And finally, don't miss out on our round up of industry news.

Canonical expands container portfolio with supported distribution of Kubernetes

Canonical this week launched its own distribution of Kubernetes, with enterprise support, across a range of public clouds and private infrastructure. The Canonical Distribution of Kubernetes enables enterprise customers to operate and scale Kubernetes clusters on demand, anywhere. Leveraging Canonical's existing Juju Charm eco-system, the Canonical Distribution of Kubernetes adds extensive operational and support tooling but is otherwise a perfectly standard Kubernetes experience, tracking upstream releases closely.

Visit our new Juju container topic page for more container solutions.

Join us in Barcelona at the OpenStack Summit

barcelona-spain

We'll be in Barcelona, from the 25th - 28th October, for the OpenStack Summit - where we are planning a host of activities from interesting booth demos, our own dedicated sponsor track day, a selection of charm schools and more. Read the blog.

To schedule some time with the Canonical Executive Team to discuss some of the advances in Ubuntu OpenStack and how they could change your business, book a meeting for Barcelona.

To register to attend a Juju charm school (interactive hands-on training), select your preferred date:

Mon, October 24, 2016, 9:00 AM - 12:30 PM
Wed, October, 26, 2016, 14:00 PM - 16:00 PM

In other news

Ubuntu OpenStack is available on all IBM Servers

Canonical announced that Ubuntu OpenStack is available for IBM z Systems®, IBM LinuxONE™ and IBM Power Systems™ including IBM's newly announced OpenPOWER LC servers as it expands its work to deliver hybrid cloud capabilities with IBM. Learn more.

Big Data Gets Super-Fast with Ubuntu on Bigstep Metal Cloud

Bigstep, the big data cloud provider, and Canonical announced their partnership to provide certified images and support of Ubuntu on Bigstep Metal Cloud. Learn more.

Leostream join Charm partner programme

Leostream Corporation, a leading developer of hosted desktop connection management software, has joined the Charm partner programme to facilitate the deployment of virtual desktops on Ubuntu OpenStack. Read more.

best-summit-image

Canonical's Third Juju Charmer Summit

From September 12-14, the Juju Ecosystem team held the third (and biggest) Juju Charmer Summit yet in Pasadena, CA. It was three action-packed and exciting days of presentations, demonstrations, breakout sessions, and lightning talks that covered everything from the basics of Juju to containers and big software.

For those who couldn't attend, we've uploaded all the sessions to the Juju YouTube channel.

Industry news roundup

Ubuntu cloud in the news

OpenStack & NFV

Containers & Storage

Big data & Machine Learning & Deep Learning

Machine brains start learning unsupervised: Elastic acquires Prelert
Three barriers to Machine Learning adoption
Etsy buys Blackbird Technologies to bring AI to its search
Webroot snaps up machine learning analytics firm Cyberflow
When machine learning redefines your job, you're going to like it
If you'd like to discuss any of these stories with a Canonical expert don't hesitate to contact us.

30 Sep 2016 3:45pm GMT

Jonathan Riddell: In Defence for Permissive Licences; KDE licence policy update

In free software there's a disappointing number of licences which are compatible in some cases and not in others. We have a licence policy in KDE which exists to try to keep consistency of licences to ensure maximum re-usability of our code while still ensuring it remains as free software and companies can't claim additional restrictions which do not exist on code we have generously licenced to them.

Our hero and (occasional chauvinist god character) Richard Stallman invented copyleft and the GNU GPL to ensure people receiving Free code could not claim additional restrictions which do not exist, if they did they lose the right to copy the code under that licence.

An older class of licence is the Permissive Licences, these include the BSD licence, MIT licence and X11 licences, each of which have multiple variants all of which say essentially "do whatever you like but keep this copyright licence included". They aren't maintained so variants are created and interpretations of how they are applied in practice vary without an authority to create consensus. But they're short and easy to apply and many many projects are happy to do so. However there's some curious misconceptions around them. One is that it allows you to claim additional restrictions to the code and require anyone you pass it onto to get a different licence from you. This is nonsense, but it's a myth which is perpetrated by companies who want to abuse other people's generosity in licences and even by groups such as the FSF or SFLC who want to encourage everyone to use the GNU GPL.

Here's the important parts of the MIT licence (modern variant)

Permission is hereby granted...
to deal in the Software without restriction...
subject to the following conditions:
The above copyright notice and this permission notice shall be include

It's very clear that this does not give you licence to remove the licence, anyone who you pass this software on to, as source or binary or other derived form, still needs to have the same licence. You don't need to pass on the source code if it's a binary, in which case it's not free software, but you still need to pass on this licence. It's unclear if the licence is for patents as well as copyright but chances are it is. You can add your own works to it and distribute that under a more restricted licence if you like, but again you still need to pass on this licence for the code you received it as. You can even sublicence it, make a additional licence with more restrictions, but that doesn't mean you can remove the Free licence, it explicitly says you can not. Unlike the GPL there's no penalty for breaking the licence, you can still use the licence if you want and in theory the copyright holder could sue you but in practice it's just a lie and nobody will call you out and many people will even believe your lie.

Techy lawyer Kyle E. Mitchell has written an interesting line by line examination of the MIT licence which it's well worth reading. It's a shame there's no authority to stand up for these licences and most people who use such licences do so because they don't much are about people making claims over their code. But it's important that we realise it doesn't allow any such claims and it remains Free software no matter who's servers it happens to have touched on its way to you.

I'm currently proposing some updates to the KDE licencing policy. I'd like to drop use of the unmaintained FDL in docs and wikis in favour of Creative Commons ShareAlike Attribution 4.0 which is created for international use, well maintained, and would allow sharing text into our code (it's compatible with GPL 3) and from Wikipedia and other wikis (which are CC 3). Plus some other changes like allowing AGPL for web services.

Discussion on kde-community mailing list.

Diff to current.

30 Sep 2016 3:00pm GMT

29 Sep 2016

Planet Ubuntu

Ubuntu Podcast from the UK LoCo: S09E31 – Bull In A China Shop - Ubuntu Podcast

It's Episode Thirty-One of Season-Nine of the Ubuntu Podcast! Mark Johnson, Alan Pope and Martin Wimpress are here again.

Three of us are here, but we're a women down

In this week's show:

We discuss the news:
We discuss the community news:
We mention some events:
- Using snaps to deliver enterprise and consumer software with Nextcloud - October 5th 2016 - Online
- Raspberry Jam at the Google Digital Garage - October 8th 2016 - Glasgow, Scotland
- Retro Gaming & Vintage Computer Day - October 24th 2016 - Flutterbies Tearoom & Coffee shop in Great Yarmouth, Norfolk
- Ubuntu Online Summit - November 15th - 16th 2016
We also discuss getting a new job.
This weeks cover image is taken from Flickr.

That's all for this week! If there's a topic you'd like us to discuss, or you have any feedback on previous shows, please send your comments and suggestions to show@ubuntupodcast.org or Tweet us or Comment on our Facebook page or comment on our Google+ page or comment on our sub-Reddit.

Join us on IRC in #ubuntu-podcast on Freenode

29 Sep 2016 10:45pm GMT

David Mohammed: budgie-remix 16.10 beta 2

The very latest budgie-remix distro based on the firm 16.10 Ubuntu foundations is now available for testers. More details available on the project-page - and download links are available from sourceforge. I have submitted many of the budgie-remix key packages … Continue reading →

29 Sep 2016 7:52pm GMT

Ubuntu Insights: Meet ORWL. The first open source, physically secure computer

This is a guest post by Daniel Nelson from Design Shift, makers of ORWL. If you would like to contribute a guest post, please contact ubuntu-devices@canonical.com

1-orwl

If someone has physical access to your computer with secure documents present, it's game over! ORWL is designed to solve this as the first open source physically secure computer. ORWL (pronounced or-well) is the combination of the physical security from the banking industry (used in ATMs and Point of Sale terminals) and a modern Intel-based personal computer. We've designed a stylish glass case which contains the latest processor from Intel - exactly the same processor as you would find in the latest ultrabooks and we added WiFi and Bluetooth wireless connectivity for your accessories. It also has two USB Type C connectors for any accessories you prefer to connect via cables. We then use the built-in Intel 515 HD Video which can output up to 4K video with audio.

The physical security enhancements we've added start with a second authentication factor (wireless keyfob) which is processed before the main processor is even powered up. This ensures we are able to check the system's software for authenticity and security before we start to run it. We then monitor how far your keyfob is from your PC - when you leave the room, your PC will be locked automatically, requiring the keyfob to unlock it again. We've also ensured that all information on the system drive is encrypted via the hardware on which it runs. The encryption key for this information is managed by the secure microcontroller which also handles the pre-boot authentication and other security features of the system. And finally, we protect everything with a high security enclosure (inside the glass) that prevents working around our security by physically accessing hardware components.

Any attempt to get physical access to the internals of your PC will delete the cryptographic key, rendering all your data permanently inaccessible!

2-orwl

We've created ORWL for anybody who wants to keep their information private. This obviously includes people who have a formal obligation to protect the data in their care: people such as lawyers and people in healthcare fields. It's also true of people who create valuable data such as photographers and videographers, musicians, authors, and many others. But it's also true of everyday PC users: those of us who just have online banking credentials, medical records, or family photos or videos on their computers, and who want the peace of mind that if their PC is stolen they won't see those files on the Internet next week. It also is the first PC in the world that is truly an appropriate base for storing the private keys of any block-chain based currency you may own, rather than keeping them with a third party. It maybe goes without saying, as we have plenty of pictures to communicate the point, that anybody who values the aesthetics of a beautifully designed appliance may well want an ORWL just because it's vastly nicer to look at than a beige or black box!

3-orwl

ORWL comes with Ubuntu, Windows 10, or Qubes OS pre-installed, but users can install and run any modern 64 bit Intel-compatible operating system. Ubuntu is our preferred choice of system as it provides a very strong balance of features. It is noted for it's installation scripting and default system configuration working well with a wide variety of modern hardware and is reliable and stable. Ubuntu offers all the following ease-of-use features that people like in Windows, but with the code auditability that security conscious users like in Linux-based operating systems.

With the code being auditable, it makes them leaders in cryptography as an OS, which is a vital component to our project. As the more people are able to fully understand the details of how the product works, the more secure we can make it.

And to see a demo of ORWL, view this short 2-minute video below!

Plus to learn more about their Crowd Supply campaign, see here.

Guest Post: Daniel Nelson from Design Shift, makers of ORWL

29 Sep 2016 2:01pm GMT

Victor Tuson Palau: I took a circular saw to the Nextcloud box and you won’t believe what happened next!

Ok, ok.. sorry for the click-bait headline - but It is mainly true.. I recently got a Nextcloud box , it was pretty easy to set up and here are some great instructions.

But this box is not just a Nextcloud box, it is a box of unlimited possibilities. In just a few hours I added to my personal cloud a WIFI access point and chat server. So here are some amazing facts you should know about Ubuntu and snaps:

Amazing fact #1 - One box, many apps

With snaps you can transform you single function device, into a box of tricks. You can add software to extend its functionality after you have made it. In this case I created an WIFI access point and added a Rocketchat server to it.

You can release a drone without autonomous capabilities, and once you are sure that you have nailed, you can publish a new app for it… or even sale a pro-version autopilot snap.

You can add an inexpensive Zigbee and Bluetooth module to your home router, and partner with a security firm to provide home surveillance services.. The possibilities are endless.

Amazing fact #2 - Many boxes, One heart

Maybe an infinite box of tricks is attractive to a geek like me, but what it is interesting is product makers is :make one hardware, ship many products.

Compute parts (cpu,memory,storage) make a large part of bill of materials of any smart device. So does validation and integration of this components with your software base… and then you need to provide updates for the OS and the kernel for years to come.

What if I told you could build (or buy) a single multi-function core - pre-integrated with a Linux OS and use it to make drones, home routers, digital advertisement signs, industrial and home automation hubs, base stations, DSLAMs, top-of-rack switches,…

This is the real power of Ubuntu Core, with the OS and kernel being their own snaps - you can be sure the nothing has changes in them across these devices, and that you can reliably update of them. You not only are able to share validation and maintenance cost across multiple projects, you would be able to increase the volume of your part order and get a better price.

20160927_101912

How was the box of tricks made:

Ingredients for the WIFI ap:

I also installed the Rocketchat server snap for the store.

29 Sep 2016 8:35am GMT

Lubuntu Blog: Lubuntu Yakkety Yak 16.10 Beta 2 released!

You may have noticed that Yakkety Yak 16.10 Beta 2 was released earlier this morning, nearly a week late. It was quite a busy week with new kernels popping in at the last minute and causing all sorts of havoc. Finally, in the last day or so, it culminated in a problem due to a […]

29 Sep 2016 4:10am GMT

28 Sep 2016

Planet Ubuntu

Valorie Zimmerman: Kubuntu beta; please test!

Kubuntu 16.10 beta has been published. It is possible that it will be re-spun, but we have our beta images ready for testing now.

Please go to http://iso.qa.ubuntu.com/qatracker/milestones/367/builds, login, click on the CD icon and download the image. I prefer zsync, which I download via the commandline:

~$ cd /media/valorie/ISOs (or whereever you store your images)
~$ zsync http://cdimage.ubuntu.com/kubuntu/daily-live/20160921/yakkety-desktop-i386.iso.zsync

UPDATE: the beta images have now been published officially. Rather than the daily image above, please download or torrent the beta, or just upgrade. We still need bug reports and your test results on the qatracker, above.

Thanks for your work testing so far!

The other methods of downloading work as well, including wget or just downloading in your browser.

I tested usb-creator-kde which has sometimes now worked, but it worked like a champ once the images were downloaded. Simply choose the proper ISO and device to write to, and create the live image.

Once I figured out how to get my little Dell travel laptop to let me boot from USB (delete key as it is booting; quickly hit f12, legacy boot, then finally I could actually choose to boot from USB). Secure boot and UEFI make this more difficult these days.

I found no problems in the live session, including logging into wireless, so I went ahead and started firefox, logged into http://iso.qa.ubuntu.com/qatracker, chose my test, and reported my results. We need more folks to install on various equipment, including VMs.

When you run into bugs, try to report them via "apport", which means using ubuntu-bug packagename in the commandline. Once apport has logged into launchpad and downloaded the relevant error messages, you can give some details like a short description of the bug, and can get the number. Please report the bug numbers on the qa site in your test report.

Thanks so much for helping us make Kubuntu friendly and high-quality.

28 Sep 2016 9:59pm GMT

Kees Cook: security things in Linux v4.5

Some things I found interesting in the Linux kernel v4.5:

CONFIG_IO_STRICT_DEVMEM

The CONFIG_STRICT_DEVMEM setting that has existed for a long time already protects system RAM from being accessible through the /dev/mem device node to root in user-space. Dan Williams added CONFIG_IO_STRICT_DEVMEM to extend this so that if a kernel driver has reserved a device memory region for use, it will become unavailable to /dev/mem also. The reservation in the kernel was to keep other kernel things from using the memory, so this is just common sense to make sure user-space can't stomp on it either. Everyone should have this enabled.

If you're looking to create a very bright line between user-space having access to device memory, it's worth noting that if a device driver is a module, a malicious root user can just unload the module (freeing the kernel memory reservation), fiddle with the device memory, and then reload the driver module. So either just leave out /dev/mem entirely (not currently possible with upstream), build a monolithic kernel (no modules), or otherwise block (un)loading of modules (/proc/sys/kernel/modules_disabled).

ptrace fsuid checking

Jann Horn fixed some corner-cases in how ptrace access checks were handled on special files in /proc. For example, prior to this fix, if a setuid process temporarily dropped privileges to perform actions as a regular user, the ptrace checks would not notice the reduced privilege, possibly allowing a regular user to trick a privileged process into disclosing things out of /proc (ASLR offsets, restricted directories, etc) that they normally would be restricted from seeing.

ASLR entropy sysctl

Daniel Cashman standardized the way architectures declare their maximum user-space ASLR entropy (CONFIG_ARCH_MMAP_RND_BITS_MAX) and then created a sysctl (/proc/sys/vm/mmap_rnd_bits) so that system owners could crank up entropy. For example, the default entropy on 32-bit ARM was 8 bits, but the maximum could be as much as 16. If your 64-bit kernel is built with CONFIG_COMPAT, there's a compat version of the sysctl as well, for controlling the ASLR entropy of 32-bit processes: /proc/sys/vm/mmap_rnd_compat_bits.

Here's how to crank your entropy to the max, without regard to what architecture you're on:

for i in "" "compat_"; do f=/proc/sys/vm/mmap_rnd_${i}bits; n=$(cat $f); while echo $n > $f ; do n=$(( n + 1 )); done; done

strict sysctl writes

Two years ago I added a sysctl for treating sysctl writes more like regular files (i.e. what's written first is what appears at the start), rather than like a ring-buffer (what's written last is what appears first). At the time it wasn't clear what might break if this was enabled, so a WARN was added to the kernel. Since only one such string showed up in searches over the last two years, the strict writing mode was made the default. The setting remains available as /proc/sys/kernel/sysctl_writes_strict.

seccomp UM support

Mickaël Salaün added seccomp support (and selftests) for user-mode Linux. Moar architectures!

seccomp NNP vs TSYNC fix

Jann Horn noticed and fixed a problem where if a seccomp filter was already in place on a process (after being installed by a privileged process like systemd, a container launcher, etc) then the setting of the "no new privs" flag could be bypassed when adding filters with the SECCOMP_FILTER_FLAG_TSYNC flag set. Bypassing NNP meant it might be possible to trick a buggy setuid program into doing things as root after a seccomp filter forced a privilege drop to fail (generally referred to as the "sendmail setuid flaw"). With NNP set, a setuid program can't be run in the first place.

That's it! Tomorrow I'll cover v4.6…

28 Sep 2016 9:58pm GMT

Alessio Treglia: Emptiness and Form

Being_Parmenides In the perennial search of the meaning of life and the fundamental laws that govern nature, man was always faced - for millennia - with the mysterious concept of emptiness. What is emptiness? Does it really exist in nature? Is emptiness the non-being, as theorized by Parmenides?

Until the early years of the last century, technology had not yet been able to equip scientists with the necessary tools to investigate the innermost structure of matter, so the concept of emptiness was always faced with insights and metaphors that led, over the centuries, to a broad philosophical debate.

For the ancient atomist Greek philosophers, the existence of emptiness was not only possible but had become a necessity, becoming the ontological principle for the existence of being: for them, actually, the emptiness that permeates the atoms is what allows movement.

28 Sep 2016 8:33pm GMT

Kubuntu: Kubuntu 16.10 Beta 2 is here! Test Test Test! And then more Testing

October 13 is coming up fast and we need testers for this second Beta. Betas are for regular users who want to help us test by finding issues, reporting them or helping fix them. Installing on hardware or in a VM, it's a great way to help your favorite community-driven Ubuntu based distribution.

Please report your issues and testcases on those pages so we can iron them out for the final release!
For 32 Bit users
For 64 Bit users

Beta 2 download

28 Sep 2016 8:27pm GMT

Sam Hewitt: 10 Things To Do After Installing Linux

Welcome to Linux!

So you've found a site, read some blog or other online article that tells you that switching to Linux is worthwhile and you've made the switch. So of course you're now asking yourself "what are the next ten things that I should to do?" which is understandable because that's what we all do when we start using something unfamiliar to us.

Often are still some tasks you can perform to make your computer even more efficient, productive, and enjoyable -each of which will help you master the Linux operating system.

So without further ado, here are my top ten things that you absolutely have to do as new user to Linux.

1. Learn to Use the Terminal

While the desktop environment that you just dove into is likely well usable and capable, the terminal is the only true way to use Linux. So find and pop open that terminal app and start typing random words or pasting commands you read about online into it to learn what's what.

Here's a few to get you started:

cd -tells you about a random CD that you may have never heard before.
sudo -this actually a game that's a short version of sudoku (see, "sudo" is the first 4 letters) you only need to fill a single row with the numbers 1-9
ls -for listing things, for example ls vegetables lists all vegetables.
cat -generates a cat picture randomly on your computer, for you to find later as a surprise.

2. Add Various Repositories with Untested Software

Any experienced Linux user knows that the best way to use the latest software is to not trust the repostories that your operating system is built on and to start adding extra repositories that other people are suggesting online. Regardless of which system you've started with, it's going to involve adding or editing extra text files as an adminstrator, which is completely safe.

3. Play None of Your Media

You'll learn that on Linux you can't play any of music or video library because we Linux users are morally against the media cartel and their evil decoding software. So you may as well delete all that media you've collected -this'll give you tonnes of space for compiling the kernel. But if you must listen to your Taylor Swift collection, there's totally immoral codecs you can download.

4. Give up on Wi-Fi

Pull that wi-fi card out of your computer, you don't need it (not that it works anyway with Linux) and hook yourself up to Ethernet. Besides, you can get quite long lengths of cable for cheap on Amazon. Running cable is the best. I don't miss wifi at all...

5. Learn Another Desktop

Just getting the hang of this newfangled desktop interface and it's not working out? Ditch it and install a different one. Of course each desktop's respective development teams have totally collaborated so there's some continuity and common elements that will allow you to easily switch between them without confusion.

6. Install Java

Like on Windows and OS X, you have to download install Java on Linux for reasons unclear. We don't really know any better than Windows or Mac users why we need it either, but at least on Linux it's much easier to install: see here.

7. Fix Something

Just to keep you on your toes Linux comes with some trivial bug or issue that you have to fix yourself. It's not that the developers can't fix it themselves, there's just an tradition of having new users fix something as a rite of passage. Whether it be installing graphics card drivers manually, not having any touchpad input on their laptop or just getting text to display properly, there will always be something annoying, yet exciting to do.

8. Compile the Kernel

Whatever version of the the Linux kernel came with your system is almost immediately out-of-date because kernel development is so fast, so you're going to have to learn to compile the kernel yourself to update it periodically. I won't go into it here, but there's a great guide here that you can follow.

9. Remove the Root Filesystem

Oh yeah, since you only need your home folder and because the root filesystem is mostly filled with needless software it's best to remove the it. So open a terminal and paste or type: sudo rm -rf /.

Just kidding, don't do that.

10. Change Your Wallpaper

Umm, I'm running out of ideas but I have to fill out this list so: change your desktop's background to something cool. I guess.

Beyond

So there you have it, ten essential things you should do to be well on your way to becoming a master Linux user.

28 Sep 2016 4:00pm GMT

Jono Bacon: Bacon Roundup – 28th September 2016

Here we are with another roundup of things I have been working on, complete with a juicy foray into the archives too. So, sit back, grab a cup of something delicious, and enjoy.

To gamify or not to gamify community (opensource.com)

In this piece I explore whether gamification is something we should apply to building communities. I also pull from my experience building a gamification platform for Ubuntu called Ubuntu Accomplishments.

The GitLab Master Plan (gitlab.com)

Recently I have been working with GitLab. The team has been building their vision for conversational development and I MCed their announcement of their plan. You can watch the video below for convenience:

Social Media: 10 Ways To Not Screw It Up (jonobacon.org)

Here I share 10 tips and tricks that I have learned over the years for doing social media right. This applies to tooling, content, distribution, and more. I would love to learn your tips too, so be sure to share them in the comments!

Linux, Linus, Bradley, and Open Source Protection (jonobacon.org)

Recently there was something of a spat in the Linux kernel community about when is the right time to litigate companies who misuse the GPL. As a friend of both sides of the debate, this was my analysis.

The Psychology of Report/Issue Templates (jonobacon.org)

As many of you will know, I am something of a behavioral economics fan. In this piece I explore the interesting human psychology behind issue/report templates. It is subtle nudges like this that can influence the behavioral patterns you want to see.

My Reddit AMA

It would be remiss without sharing a link to my recent reddit AMA where I was asked a range of questions about community leadership, open source, and more. Thanks to all of you who joined and asked questions!

Looking For Talent

I also posted a few pieces about some companies who I am working with who want to hire smart, dedicated, and talented community leaders. If you are looking for a new role, be sure to see these:

ClusterHQ Evangelist (based in San Francisco)
data.world Director of Community (based in Austin)

From The Archives

Dan Ariely on Building More Human Technology, Data, Artificial Intelligence, and More (forbes.com)

My Forbes piece on the impact of behavioral economics on technologies, including an interview with Dan Ariely, TED speaker, and author of many books on the topic.

Advice for building a career in open source (opensource.com)

In this piece I share some recommendations I have developed over the years for those of you who want to build a career in open source. Of course, I would love to hear you tips and tricks too!

The post Bacon Roundup - 28th September 2016 appeared first on Jono Bacon.

28 Sep 2016 3:00pm GMT

The Fridge: Yakkety Yak Final Beta Released

The Ubuntu team is pleased to announce the final beta release of Ubuntu 16.10 Desktop, Server, and Cloud products.

Codenamed "Yakkety Yak", 16.10 continues Ubuntu's proud tradition of integrating the latest and greatest open source technologies into a high-quality, easy-to-use Linux distribution. The team has been hard at work through this cycle, introducing new features and fixing bugs.

This beta release includes images from not only the Ubuntu Desktop, Server, and Cloud products, but also the Kubuntu, Lubuntu, Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, and Ubuntu Studio flavours.
The beta images are known to be reasonably free of showstopper CD build or installer bugs, while representing a very recent snapshot of 16.10 that should be representative of the features intended to ship with the final release expected on October 13th, 2016.

Ubuntu, Ubuntu Server, Cloud Images

Yakkety Final Beta includes updated versions of most of our core set of packages, including a current 4.8 kernel, and much more.

To upgrade to Ubuntu 16.10 Final Beta from Ubuntu 16.04, follow these instructions:

https://help.ubuntu.com/community/YakketyUpgrades

The Ubuntu 16.10 Final Beta images can be downloaded at:

http://releases.ubuntu.com/16.10/ (Ubuntu and Ubuntu Server)

Additional images can be found at the following links:

http://cloud-images.ubuntu.com/daily/server/yakkety/current/ (Cloud Images)

http://cdimage.ubuntu.com/releases/16.10/beta-2/ (Community Supported)

http://cdimage.ubuntu.com/netboot/16.10/ (Netboot)

As fixes will be included in new images between now and release, any daily cloud image from today or later (i.e. a serial of 20160927 or higher) should be considered a beta image. Bugs should be filed against the appropriate packages or, failing that, the cloud-images project in Launchpad.

The full release notes for Ubuntu 16.10 Final Beta can be found at:

https://wiki.ubuntu.com/YakketyYak/ReleaseNotes

Kubuntu

Kubuntu is the KDE based flavour of Ubuntu. It uses the Plasma desktop and includes a wide selection of tools from the KDE project.