SoylentNews is people
SoylentNews
from the united-we-fall;-divided-we-stand-a-better-chance-of-still-running dept.
Linux to get Kernel 'Lockdown' Feature:
After years of countless reviews, discussions, and code rewrites, Linus Torvalds approved on Saturday a new security feature for the Linux kernel, named "lockdown."
The new feature will ship as a LSM (Linux Security Module) in the soon-to-be-released Linux kernel 5.4 branch, where it will be turned off by default; usage being optional due to the risk of breaking existing systems.
[...] The new feature's primary function will be to strengthen the divide between userland processes and kernel code by preventing even the root account from interacting with kernel code -- something that it's been able to do, by design, until now.
[...] "The lockdown module is intended to allow for kernels to be locked down early in [the] boot [process]," said Matthew Garrett, the Google engineer who proposed the feature a few years back.
"When enabled, various pieces of kernel functionality are restricted," said Linus Torvalds, Linux kernel creator, and the one who put the final stamp of approval on the module yesterday.
This includes restricting access to kernel features that may allow arbitrary code execution via code supplied by userland processes; blocking processes from writing or reading /dev/mem and /dev/kmem memory; block access to opening /dev/port to prevent raw port access; enforcing kernel module signatures; and many more others, detailed here.
[...] The new module will support two lockdown modes, namely "integrity" and "confidentiality." Each is unique, and restricts access to different kernel functionality.
"If set to integrity, kernel features that allow userland to modify the running kernel are disabled," said Torvalds.
"If set to confidentiality, kernel features that allow userland to extract confidential information from the kernel are also disabled."
If necessary, additional lockdown modes can also be added on top, but this will require an external patch, on top of the lockdown LSM.
(Score: 0) by Anonymous Coward on Tuesday October 01 2019, @04:01PM (5 children)
I had one of those SiliconDust HDHomeRun Prime 3-Tuner Network TV Tuners that only stream to Windows because of DRM. It won't work on Linux. Well... It does but the cableco DRM'd every fucking channel and Windows is the only OS that is licensed to unlock the channels. Fuck DRM, MPAA, RIAA, and Windows... P1ratebay is free.
(Score: 2) by DannyB on Tuesday October 01 2019, @04:17PM (3 children)
A long time ago, I considered SiliconDust devices.
Do you actually still find anything on cable or OTA that is even worth watching? I don't. Gave it up a few years back.
The lower I set my standards the more accomplishments I have.
(Score: 0) by Anonymous Coward on Tuesday October 01 2019, @04:21PM
NHK World News is pretty good. But I generally use it *primarily* for the 2 PBS stations.
(Score: 0) by Anonymous Coward on Tuesday October 01 2019, @04:34PM (1 child)
I only watch 2 channels... BBC and PBS. Occasionally I'll watch the Comedy News Network (CNN) to see what bullshit they're spreading about Trump, but my eyes and ears barf a little after only 2 minutes.
(Score: -1, Flamebait) by Anonymous Coward on Tuesday October 01 2019, @06:59PM
and all three are Bolshevik propaganda outlets.
(Score: 0) by Anonymous Coward on Tuesday October 01 2019, @07:21PM
Unfortunate. My cable company only has DRM on the premium channels, which I don't subscribe to anyway, so it works great for me. I think Comcast tends to be a little better about this, but I think it also varies region to region.