LinuxSecuritySummit2010/Abstracts/Cook Tree

From Linux Security Wiki (obsolete)
Revision as of 09:58, 15 June 2010 by JamesMorris (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


Widely Used But Out-Of-Tree


Kees Cook, Canonical


There are many security systems, features, and patches that are not in the mainline Linux kernel. Users are exposed to them in varying degrees. Many are common, yet have remained out-of-tree for a long time. Why is this? If there is such wide-spread use or demand, why do they remain external?

The following features will be explored and compared across distributions:

  • partial NX emulation
  • link restrictions
  • ptrace restrictions
  • chroot restrictions
  • ASLR on non-x86

What can be done to help pave the way for greater acceptance for these and similar features? They all represent solutions to real problems that many distributions have committed to maintaining even in the face of the features being out of tree. What value is there in keeping these things out of the mainline kernel when the vast majority of Linux users end up using some of them every day?

Personal tools