
Linux 2.6.36 muscles up with AppArmor security

Oct 21, 2010 — by Eric Brown — from the LinuxDevices Archive

Linus Torvalds announced a trimmer new Linux kernel release, which includes the long-awaited AppArmor security framework. Linux 2.6.36 also features support for the Tilera multicore architecture, a redesign of workqueues, a rewritten Out-of-Memory (OOM) killer, debugging improvements, latency enhancements, and a partial implementation of the VFS scalability patches.

The Linux 2.6.36 release follows up on early August's Linux 2.6.35 release, which improved multicore support, network scalability, memory management, power management, and the Btrfs file-system I/O, among other enhancements. 

For the first time in years, the kernel has actually seen a reduction in net lines of code, according to Thorsten Leemhuis in his usual thorough kernel rundown on The H. Despite many additions and "merges" of new features, the kernel has received a trimming in many areas to address concerns about "bloat" that have been raised in recent years by new U.S. citizen Linus Torvalds.

AppArmor and VFS

As was expected, Linux 2.6.36 is principally notable for the long-delayed inclusion of the AppArmor security framework. AppArmor restricts applications to specific actions, preventing attacks such as the exploitation of a security hole in a server program that could compromise the entire system.

AppArmor is similar to SELinux, which is already part of the Linux kernel and is championed by Red Hat, but is said to be simpler and easier to use. Some say it is not as powerful as SELinux, however, especially for enterprise applications.

Novell originally pushed for inclusion of AppArmor in the Linux kernel over four years ago, but the merge had been blocked for various reasons. Canonical (Ubuntu) then took up the AppArmor charge with a new version that won over the skeptics.
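To make the "restricts applications to specific actions" point concrete, here is a hypothetical AppArmor profile for an imaginary network daemon, /usr/sbin/exampled; this is an added illustration, not part of the original article or of the kernel release, and the daemon name, paths and capability list are assumptions chosen for the example.

```apparmor
# Constructed example profile for a hypothetical daemon /usr/sbin/exampled.
# Anything not explicitly allowed below is denied once the profile is enforced.
#include <tunables/global>

/usr/sbin/exampled {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Only the capabilities the daemon needs: bind a privileged port, then drop root.
  capability net_bind_service,
  capability setuid,
  capability setgid,

  # It is a TCP service; no raw sockets, no packet capture.
  network inet stream,
  network inet6 stream,

  # Read-only access to its own binary and configuration.
  /usr/sbin/exampled mr,
  /etc/exampled/** r,

  # Writable state is limited to its own directory and log file.
  /var/lib/exampled/** rw,
  /var/log/exampled.log w,

  # Explicit denials document the intent: a compromised daemon cannot read
  # credentials, touch user data or spawn other programs.
  deny /etc/shadow r,
  deny /home/** rwx,
  deny /bin/** x,
  deny /usr/bin/** x,
}
```

With the apparmor-utils userspace tools, a profile like this would normally be loaded in complain mode first (aa-complain) so that violations are logged rather than blocked, then switched to enforce mode (aa-enforce) once the log shows the daemon needs nothing further.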

Linux 2.6.36 also introduces a subset of the VFS (Virtual File System) scalability patches that Linux creator and overseer Torvalds championed in his Linux 2.6.35 announcement. As VFS code creator Nick Piggin described it, the patch speeds up the VFS code by enabling "parallel name lookups to walk down common elements without any cacheline bouncing between them." This is said to "make it very fast in serial performance," in addition to other VFS performance enhancements.

The following are some other major Linux 2.6.36 features culled from Kernelnewbies.org and The H reports:

  • Tilera support — Tilera's "Tile" family of massively multicore MIPS/RISC system-on-chips (SoCs) has embraced Linux from the beginning, and Linux is also fully supported in the latest Tile-GX line of 40nm-fabricated SoCs. Tile-GX is scheduled for 16-, 36-, 64-, and 100-core versions. Now, Linux is embracing it back by offering native support for the architecture.
  • KMS gets integrated KDB debugging — For the first time, developers can activate the KDB kernel debugger while using an X.org desktop session. The technology, which was merged in the previous kernel release, is integrated in the kernel-based mode setting (KMS) driver for Radeon graphics cards introduced in Linux 2.6.32. The Radeon KMS driver has also gained a newly enabled underscan feature, and the Nouveau KMS driver has gained support for Fermi graphics chips, according to Leemhuis.
  • Intel IPS — An intelligent power sharing (IPS) driver has been supplied for Intel Core i3/i5 based systems with integrated graphics support. The IPS driver offers dynamic power sharing between the CPU and GPU, maximizing performance in a given TDP, says Kernelnewbies.org.
  • Concurrency-managed workqueues — Workqueues have been optimized for concurrency, adding a thread pool manager. Dedicated threads have been replaced by a pool of kernel threads that grows dynamically as needed.
  • CIFS local caching — The Common Internet File System (CIFS) has now been enhanced with an FS-Cache layer that allows file-systems to implement local caching. FS-Cache was originally merged in 2.6.30.
  • OOM killer gets smarter — The virtual memory (VM) subsystem's Out-of-Memory (OOM) killer, which kills processes during memory shortages to keep the system from crashing, has been substantially rewritten. In particular, the new code is said to make better triage decisions about which processes should be sacrificed first.
  • VM fix — Linux 2.6.36 fixes a VM bug that caused some desktop systems to become unresponsive when performing tasks such as writing to a very slow USB storage device. The patch is said to improve the VM heuristics to solve the problem.
  • Latency improvements — The process scheduler has been improved by reducing maximum latencies, improving responsiveness when parallel processes are claiming CPU time, especially on desktop computers. The maximum latency has been reduced by almost half, according to Leemhuis.

The above changes are only the most significant of numerous kernel additions, performance enhancements, and updates, as well as many new or extended drivers. For example, support for infrared remote controls and receivers has greatly improved, according to Leemhuis.

Fanotify delayed

One hoped-for enhancement that was cut at the last minute was a preliminary merge of a new Fanotify filesystem notification interface. Fanotify is intended to supersede Inotify and improve its scalability.

The Fanotify system calls were disabled because, in the words of Torvalds, "People were still unsure about the interfaces. Better let the interface discussion cook a bit longer than release with a bad interface that we need to redo."

Finally, as was projected earlier, the role of the Big Kernel Lock (BKL) has been reduced in infrastructure code and in numerous drivers. As Leemhuis puts it, "This brings the developers another step closer to their aim of making the kernel work without this bulky locking mechanism that decreases scalability, and therefore system performance, on standard systems." (For more BKL background, see our earlier coverage, here.)

Availability

Linus Torvalds' Linux 2.6.36 release announcement may be found here, and the Kernelnewbies.org summary should be here. The in-depth exploration of the new kernel in The H may be found here.


This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.
