Linux 4.14-rc7 No Longer Clashes With AppArmor To Break Networking
• #51
Originally posted by sdack View Post
It's you failing to get it.
Yeah, it must be that I'm too old to even understand teenage "i-am-above-the-rules" bullshit.

• #52
Originally posted by GreatEmerald View Post
I was under the opposite impression. Didn't they introduce a new security feature that, given that access is denied by default, would deny access to the internet unless the application is given permission?
If the description of the commit is anything to go by, this is just some underlying code for new functionality, not a change to existing functionality, so it really shouldn't break anything.

Originally posted by sdack View Post
...
Oh for crying out loud...

Seriously, when you screw up and refuse to either admit that you screwed up or put any kind of effort into fixing the mess you made, instead saying that other people should learn to live with the mess you made, you deserve to get chastised for it. The only thing you can really fault Linus for here is his excessive use of profanity in the chastising, nothing else.

Seriously, the fact that changes in the kernel occasionally break things doesn't mean that it's ok to do it for no reason. Running over some old lady because you were texting while driving still counts as manslaughter even when other people drive distracted too.

This kind of attitude of "Everyone is doing it so it's ok for me to not give a damn about doing things properly even if it causes problems for other people" may be acceptable for your own little hobby projects, but when you're working on something worked on and used by as many people as mainline Linux and its derivatives, this sort of thing is just unacceptable. If you can't get with it, get out!
Last edited by L_A_G; 31 October 2017, 10:15 AM.

• #53
Originally posted by sdack View Post
Sure, I do expect a kernel to break user space. Some things always break with a new kernel. It doesn't actually matter what it is that breaks. Even when it's called "user space", it is still just something most users don't actually come in touch with. Most users don't mess around with kernel APIs. And as a software developer you don't have a problem with occasional changes to APIs. It's part of the job. Administrators then have to deal with all sorts of problems created by newer kernels. To them, the task of finding and installing the right driver, for example, is part of their user space. Do you see them getting "protection by Daddy"? No.

What then makes sense and what doesn't has nothing to do with rules. Sense comes from context, and whether a change makes sense or not depends on the context. If then the only context you can find is that it broke a rule, then fuck the rule and move on, or you just end up digging yourself into a pile of BS without any substance and without being believable.

Do you disagree?
Yes, I disagree. What user space is and what user space is not is already defined, and you cannot make up your own definition as it suits your argument. Drivers by definition live in kernel land, and even for drivers which have both a kernel and a user space part (like nvidia) any breakage they have is only in the kernel part.

I'm a user space developer and I have never ever had to make a single change in any of my programs due to a kernel change. I have tons of applications from back when kernel 2.0 was the main version and they all work flawlessly with 4.13.

I also happen to admin all our servers, and "finding and installing the right drivers" sounds like a Windows problem; all the drivers that we use come from mainline. And on my home machine I use an AMD card, so the driver is once again from mainline. I have also downloaded and compiled every new stable kernel release from v4.4 to v4.13 and they all run on my Ubuntu 16.04 with all user space unchanged, without any problems whatsoever.

So no, I have no clue what you are talking about.

• #54
Originally posted by starshipeleven View Post
neither are hacked-together knockoffs of grsecurity, as they focus on mostly other stuff entirely.
Look up the patches to SELinux and AppArmor following major exploit disclosures. They're often ported straight off grsecurity's own mandatory access control. The problem is that SELinux is REALLY over-engineered while at the same time only offering a partial solution, and AppArmor is just taking the wrong approach. Moreover, grsecurity does a lot more than MAC, so SELinux and AppArmor are constantly playing catch-up to grsecurity's tail. If you look up the whole hardening effort for Linux, it's basically a poor man's grsecurity knockoff.

Mind you, there's a technical and historical reason for this: many of grsecurity's patches hurt performance since they double-check certain operations. It's not as bad nowadays, since the overall hardening efforts have made similar compromises after countless exploits showed it's the only reasonable decision... But historically, their patches were rejected over performance concerns.

• #55
Originally posted by starshipeleven View Post
There are rules set down by Torvalds ...
Society already has rules in place, and we did have trolls long before we had the Internet, too. There isn't anything really to discuss about his behaviour unless you're still very young and need to learn about it.

• #56
Originally posted by L_A_G View Post
Oh for crying out loud...
Shut the fuck up.

See? The nonsense works both ways and accomplishes nothing. Now you, too, know why we have rules in our society, why we value respect and dignity even with laws, because these matter to the majority of people. Only the idiots try to yell on the Internet, preferably with bold text, because their brains don't get the type of media they are trying to yell at. Learn to manage your anger or it just blocks out the rest of your brain.
Last edited by sdack; 06 November 2017, 04:52 AM.

• #57
Originally posted by F.Ultra View Post
Yes I disagree. What user space is and what user space is not is already defined ...
No. Everyone has their own definition, and the definitions made up by kernel developers in particular are impractical for most purposes. Nobody outside kernel development actually cares for them. Even within kernel development there are exceptions to the rules. And when the rules need to be enforced by anti-social behaviour, it only shows further. It's really an arbitrary rule set made up by a dictatorship to serve its own existence, with similar features of favouritism among its followers. Only it's not quite as bad as it was with Saddam Hussein, of course (the only dev I know of who killed somebody was Hans Reiser), but it's in there.
Last edited by sdack; 06 November 2017, 05:07 AM.

• #58
Originally posted by sdack View Post
Shut the fuck up.
Only the idiots try to yell on the Internet, preferably with bold text
Well, talk about the pot calling the kettle black...

Seriously though, as I said, the only issue here is Linus' excessive use of profanity. If you can't stand being chewed out for not only making mistakes, but also refusing to fix them and instead insisting it's other people's job to work around the mess that you made, you probably shouldn't be working on anything other people actually use. You're probably better off just working on your own projects in your bedroom and letting people with at least some semblance of co-operative software development actually do that.

• #59
Originally posted by cyberwizzard View Post
Does anyone know why Linus is 'unhappy' with AppArmor as it is?
He didn't say AppArmor, he said security layer.

Linus always says "we don't break userspace", even if Michael overblew the issue somewhat. It wouldn't break any distro; this would break only distro maintainer boxes, who would fix the issue before it hit their user base. That and presumably a few tens of thousands of people who compile the kernel themselves AND use AppArmor (which would account for 0.1% of Linux users, not counting embedded).

I think Linus's comment was mostly hating on the state of the kernel security subsystem in general; security people tend to go overboard with "security first" and annoy Linus with patches that often sacrifice performance for doubtful security gains. Plus there is this outdated Linux security module (LSM) model that is somewhat broken in practice and no longer just doing what it's supposed to do.
Last edited by Guest; 07 November 2017, 11:52 AM.

• #60
Originally posted by sdack View Post
No. Everyone has their own definition, and the definitions made up by kernel developers in particular are impractical for most purposes. Nobody outside kernel development actually cares for them. Even within kernel development there are exceptions to the rules. And when the rules need to be enforced by anti-social behaviour, it only shows further. It's really an arbitrary rule set made up by a dictatorship to serve its own existence, with similar features of favouritism among its followers. Only it's not quite as bad as it was with Saddam Hussein, of course (the only dev I know of who killed somebody was Hans Reiser), but it's in there.
No, user space is clearly defined in the Linux kernel. All your examples where things break so far (i.e. nVidia drivers) need the kernel headers to compile.
