1 00:00:06,320 --> 00:00:11,499 [Music] 2 00:00:15,519 --> 00:00:20,880 welcome back to the kia ora theater at 3 00:00:18,000 --> 00:00:22,480 linux conference 2022 4 00:00:20,880 --> 00:00:25,519 2022. it is 5 00:00:22,480 --> 00:00:26,800 uh today we've got russell coca here to 6 00:00:25,519 --> 00:00:28,640 talk about 7 00:00:26,800 --> 00:00:30,960 uh selinux he's mostly known for working 8 00:00:28,640 --> 00:00:33,360 on nsa security enhanced linux has been 9 00:00:30,960 --> 00:00:35,040 a debian developer for 20 years and is 10 00:00:33,360 --> 00:00:36,800 mostly known for maintaining seo linux 11 00:00:35,040 --> 00:00:38,000 packages in debian 12 00:00:36,800 --> 00:00:40,879 today he's here to talk through his 13 00:00:38,000 --> 00:00:42,640 history of 20 years working on ac linux 14 00:00:40,879 --> 00:00:44,879 including lessons and will hopefully 15 00:00:42,640 --> 00:00:46,640 inspire us and inform us about working 16 00:00:44,879 --> 00:00:49,280 on major open source projects as they 17 00:00:46,640 --> 00:00:50,320 start take it away 18 00:00:49,280 --> 00:00:52,879 thank you 19 00:00:50,320 --> 00:00:55,039 okay so it's been uh a long time 20 20 00:00:52,879 --> 00:00:56,960 years working on the one project 21 00:00:55,039 --> 00:00:59,120 i'll just sort of go through say in the 22 00:00:56,960 --> 00:01:00,239 beginning cover the process 23 00:00:59,120 --> 00:01:02,559 and 24 00:01:00,239 --> 00:01:04,320 do diversions onto interesting things 25 00:01:02,559 --> 00:01:06,640 along the way 26 00:01:04,320 --> 00:01:08,159 so firstly uh when i attend conferences 27 00:01:06,640 --> 00:01:09,760 i like to hang out with speakers who 28 00:01:08,159 --> 00:01:13,040 give good talks 29 00:01:09,760 --> 00:01:15,439 as a lot of people do um 30 00:01:13,040 --> 00:01:17,920 usually often the the speakers are more 31 00:01:15,439 --> 00:01:19,600 interested in talking to people it seems 32 00:01:17,920 --> 00:01:21,119 than uh the 33 00:01:19,600 --> 
00:01:23,200 audience are 34 00:01:21,119 --> 00:01:25,600 when i first met pete lascocco from the 35 00:01:23,200 --> 00:01:28,640 nsa uh when he gave his talk about essie 36 00:01:25,600 --> 00:01:30,079 linux at uh auto olympic symposium 37 00:01:28,640 --> 00:01:31,360 it seemed that i was the only person who 38 00:01:30,079 --> 00:01:33,600 wanted to talk to him maybe people are 39 00:01:31,360 --> 00:01:36,079 scared about the nsa or something 40 00:01:33,600 --> 00:01:38,400 um so i talked to him he made some 41 00:01:36,079 --> 00:01:41,680 interesting points about uh the benefits 42 00:01:38,400 --> 00:01:44,320 he links offers and it sounds that uh 43 00:01:41,680 --> 00:01:46,079 someone something that's 44 00:01:44,320 --> 00:01:48,479 debian or distribution to debian could 45 00:01:46,079 --> 00:01:50,240 really benefit from 46 00:01:48,479 --> 00:01:52,000 as an aside um 47 00:01:50,240 --> 00:01:53,360 as this is a virtual conference uh 48 00:01:52,000 --> 00:01:54,880 there's no possibility for me to have 49 00:01:53,360 --> 00:01:57,840 lunch or dinner with any of you 50 00:01:54,880 --> 00:02:00,479 afterwards uh if you want to 51 00:01:57,840 --> 00:02:02,719 correspond via twitter or email or any 52 00:02:00,479 --> 00:02:04,479 other methods you like just please 53 00:02:02,719 --> 00:02:07,960 contact me i'm always happy to chat 54 00:02:04,479 --> 00:02:07,960 about these sort of things 55 00:02:08,479 --> 00:02:12,959 one thing to note about people giving 56 00:02:10,239 --> 00:02:15,440 lectures is that there's uh usually an 57 00:02:12,959 --> 00:02:17,440 element of uh project promotion involved 58 00:02:15,440 --> 00:02:20,800 in uh motivation for giving a lecture 59 00:02:17,440 --> 00:02:23,200 about a topic as a conference like 60 00:02:20,800 --> 00:02:24,959 lca or ols etc 61 00:02:23,200 --> 00:02:27,040 so um 62 00:02:24,959 --> 00:02:28,400 the speakers uh will often want to talk 63 00:02:27,040 --> 00:02:29,440 to people who are 
interested in doing 64 00:02:28,400 --> 00:02:30,879 some 65 00:02:29,440 --> 00:02:31,840 contributing to the project or testing 66 00:02:30,879 --> 00:02:33,200 the project 67 00:02:31,840 --> 00:02:34,480 it's not just a case of you know give a 68 00:02:33,200 --> 00:02:37,040 talk and 69 00:02:34,480 --> 00:02:38,560 go away 70 00:02:37,040 --> 00:02:40,800 so when i was talking to uh people 71 00:02:38,560 --> 00:02:41,760 stockholm at uh oles 72 00:02:40,800 --> 00:02:43,920 uh 73 00:02:41,760 --> 00:02:45,840 it didn't sound like a difficult thing 74 00:02:43,920 --> 00:02:46,640 to work on uh you see the mix sounds 75 00:02:45,840 --> 00:02:47,920 like a 76 00:02:46,640 --> 00:02:49,200 headless singing feelings it feels 77 00:02:47,920 --> 00:02:51,360 easier to do 78 00:02:49,200 --> 00:02:53,120 so i said okay it sounds like a good 79 00:02:51,360 --> 00:02:55,680 thing i'll put it in debian probably 80 00:02:53,120 --> 00:02:58,879 take me a couple of weeks no big deal 81 00:02:55,680 --> 00:03:00,800 and so he just sort of looked at me 82 00:02:58,879 --> 00:03:03,519 it was quiet and he said 83 00:03:00,800 --> 00:03:05,120 it's a good idea you should do that 84 00:03:03,519 --> 00:03:06,560 i later learned this is uh the way he 85 00:03:05,120 --> 00:03:09,120 looks at someone when uh he thinks 86 00:03:06,560 --> 00:03:10,159 there's something uh that wasn't well 87 00:03:09,120 --> 00:03:12,879 informed 88 00:03:10,159 --> 00:03:15,040 but it's not his benefit to uh 89 00:03:12,879 --> 00:03:17,120 educate them on the issue 90 00:03:15,040 --> 00:03:18,000 so end up i took about three months to 91 00:03:17,120 --> 00:03:20,080 get 92 00:03:18,000 --> 00:03:22,800 essie linux 93 00:03:20,080 --> 00:03:23,599 basically working on my own systems 94 00:03:22,800 --> 00:03:24,879 and 95 00:03:23,599 --> 00:03:28,640 about a year to get it working well 96 00:03:24,879 --> 00:03:31,280 enough for other people to use 97 00:03:28,640 --> 00:03:33,760 so it 
was much harder than i expected 98 00:03:31,280 --> 00:03:34,959 uh it turned out that not only was the 99 00:03:33,760 --> 00:03:38,000 the usual 100 00:03:34,959 --> 00:03:40,000 effort involved in getting a new package 101 00:03:38,000 --> 00:03:42,560 in or new packages into debian 102 00:03:40,000 --> 00:03:44,879 uh there was also some core packages 103 00:03:42,560 --> 00:03:46,959 such as the login utilities uh 104 00:03:44,879 --> 00:03:50,000 the the uh pam system for authenticating 105 00:03:46,959 --> 00:03:51,519 users crime etc had to be uh changed 106 00:03:50,000 --> 00:03:53,280 which for a while to maintain my own 107 00:03:51,519 --> 00:03:55,920 versions of these things 108 00:03:53,280 --> 00:03:57,680 and also policy button to allow uh 109 00:03:55,920 --> 00:03:59,519 everything that happens which i'll talk 110 00:03:57,680 --> 00:04:01,599 about later 111 00:03:59,519 --> 00:04:03,120 as an aside uh one of my pet peeves is 112 00:04:01,599 --> 00:04:04,640 when i talk about these sort of things 113 00:04:03,120 --> 00:04:06,879 and people go oh easy linux is really 114 00:04:04,640 --> 00:04:08,799 hard to use uh because it took russell's 115 00:04:06,879 --> 00:04:10,879 uh a year to get it working 116 00:04:08,799 --> 00:04:12,640 well it took me a year to get it working 117 00:04:10,879 --> 00:04:14,959 well enough that other people would do 118 00:04:12,640 --> 00:04:16,959 with almost no effort that the hard work 119 00:04:14,959 --> 00:04:19,280 is involved in getting software to the 120 00:04:16,959 --> 00:04:21,919 stage that other people can just uh 121 00:04:19,280 --> 00:04:25,120 install whatever work 122 00:04:21,919 --> 00:04:26,800 so se linux yes there are issues some 123 00:04:25,120 --> 00:04:29,440 aspects of it that require some effort 124 00:04:26,800 --> 00:04:32,240 for the to use but you have to do the 125 00:04:29,440 --> 00:04:32,240 hard things that i've done 126 00:04:32,479 --> 00:04:37,120 now one uh lesson uh 
i've learned about 127 00:04:35,600 --> 00:04:40,240 projects for long term 128 00:04:37,120 --> 00:04:43,040 is the value of documentation um 129 00:04:40,240 --> 00:04:45,360 only see linux like um pretty much all 130 00:04:43,040 --> 00:04:47,280 projects uh there's a lot of scope for 131 00:04:45,360 --> 00:04:48,639 improving documentation 132 00:04:47,280 --> 00:04:50,160 and 133 00:04:48,639 --> 00:04:51,919 good documentation helps developers as 134 00:04:50,160 --> 00:04:53,759 well as users even experienced 135 00:04:51,919 --> 00:04:55,120 developers 136 00:04:53,759 --> 00:04:57,199 you'll often 137 00:04:55,120 --> 00:04:59,199 not be able to memorize everything 138 00:04:57,199 --> 00:05:01,440 that's involved in it there was one 139 00:04:59,199 --> 00:05:03,440 stage when i had pretty much memorized 140 00:05:01,440 --> 00:05:05,280 all the essay linux policy the policies 141 00:05:03,440 --> 00:05:06,560 was there's a set of rules that 142 00:05:05,280 --> 00:05:08,160 determines what each program is allowed 143 00:05:06,560 --> 00:05:09,919 to do 144 00:05:08,160 --> 00:05:11,360 but it's much more complex now than it 145 00:05:09,919 --> 00:05:12,400 was then because there's more programs 146 00:05:11,360 --> 00:05:13,919 supported 147 00:05:12,400 --> 00:05:15,759 there's been more corner cases 148 00:05:13,919 --> 00:05:16,960 discovered of the operation of these 149 00:05:15,759 --> 00:05:18,960 programs 150 00:05:16,960 --> 00:05:19,759 so no one can really memorize everything 151 00:05:18,960 --> 00:05:22,080 and 152 00:05:19,759 --> 00:05:22,840 documentation is useful even people who 153 00:05:22,080 --> 00:05:24,960 are 154 00:05:22,840 --> 00:05:27,039 experts the best time to start writing 155 00:05:24,960 --> 00:05:28,960 documentation is when you join a project 156 00:05:27,039 --> 00:05:31,039 when you're an expert on something then 157 00:05:28,960 --> 00:05:32,800 everything seems obvious and 158 00:05:31,039 --> 00:05:34,880 it's 
hard to determine which of these 159 00:05:32,800 --> 00:05:36,080 things seem obvious to me are things 160 00:05:34,880 --> 00:05:38,400 that would not be obvious to other 161 00:05:36,080 --> 00:05:39,759 people whereas someone who's just joined 162 00:05:38,400 --> 00:05:41,919 there are some things that are not 163 00:05:39,759 --> 00:05:44,240 obvious them and as soon as they learn 164 00:05:41,919 --> 00:05:45,919 they can just document it usefully and 165 00:05:44,240 --> 00:05:47,120 provide a real 166 00:05:45,919 --> 00:05:50,800 improvement documentation for the 167 00:05:47,120 --> 00:05:50,800 benefit of all the other users 168 00:05:51,039 --> 00:05:55,120 and uh also documented writing 169 00:05:53,199 --> 00:05:56,800 documentation doesn't require uh much 170 00:05:55,120 --> 00:05:57,680 coding skills there's different types of 171 00:05:56,800 --> 00:05:58,960 organization of course the use 172 00:05:57,680 --> 00:06:01,520 documentation doesn't require much 173 00:05:58,960 --> 00:06:02,960 cutting skills there's also uh 174 00:06:01,520 --> 00:06:04,960 documentation on the bill process etc 175 00:06:02,960 --> 00:06:07,039 which requires some coding skills but a 176 00:06:04,960 --> 00:06:09,120 lot less than actually changing the code 177 00:06:07,039 --> 00:06:11,360 and i encourage anyone who wants to 178 00:06:09,120 --> 00:06:13,039 contribute to a project but doesn't uh 179 00:06:11,360 --> 00:06:15,520 think they're up to the coding in 180 00:06:13,039 --> 00:06:18,560 question to look into these areas 181 00:06:15,520 --> 00:06:20,479 and also there's wikis for all the 182 00:06:18,560 --> 00:06:22,639 different distributions of linux which 183 00:06:20,479 --> 00:06:25,520 can be improved a lot 184 00:06:22,639 --> 00:06:27,440 as an aside uh arc linux has a really 185 00:06:25,520 --> 00:06:28,960 really good wiki a lot of people done 186 00:06:27,440 --> 00:06:32,160 some great work on there 187 00:06:28,960 --> 00:06:33,360 devin 
wiki is quite useful 188 00:06:32,160 --> 00:06:36,479 but 189 00:06:33,360 --> 00:06:37,840 he's not up to the level of arc so um 190 00:06:36,479 --> 00:06:40,160 if people could improve that that would 191 00:06:37,840 --> 00:06:43,680 be really good it's something i try and 192 00:06:40,160 --> 00:06:43,680 spend some time on when i can 193 00:06:47,360 --> 00:06:53,039 now um with any sort of major project um 194 00:06:51,599 --> 00:06:54,880 no one is going to be skilled enough to 195 00:06:53,039 --> 00:06:57,919 do it without doing it before 196 00:06:54,880 --> 00:06:59,919 with uh ese linux for example the nsa 197 00:06:57,919 --> 00:07:01,039 people who are the original core 198 00:06:59,919 --> 00:07:02,479 developers 199 00:07:01,039 --> 00:07:04,000 they had worked on other similar 200 00:07:02,479 --> 00:07:06,160 projects before there were a number of 201 00:07:04,000 --> 00:07:08,000 other uh systems for other proprietary 202 00:07:06,160 --> 00:07:09,280 unique systems i believe there was a 203 00:07:08,000 --> 00:07:12,720 trusted i-rex there was a trusted 204 00:07:09,280 --> 00:07:14,800 solaris and several other commercial uh 205 00:07:12,720 --> 00:07:17,520 operating systems which had the security 206 00:07:14,800 --> 00:07:19,120 features that uh s links offers 207 00:07:17,520 --> 00:07:20,479 and they came from the background of 208 00:07:19,120 --> 00:07:21,919 having done that before and just doing 209 00:07:20,479 --> 00:07:23,280 it again 210 00:07:21,919 --> 00:07:25,840 which in some ways made it easier for 211 00:07:23,280 --> 00:07:28,560 them but also in other ways uh perhaps 212 00:07:25,840 --> 00:07:30,479 made a bit harder because the way that 213 00:07:28,560 --> 00:07:31,759 the type of changes that will be 214 00:07:30,479 --> 00:07:33,599 accepted by these commercial 215 00:07:31,759 --> 00:07:35,759 distributions are quite different from 216 00:07:33,599 --> 00:07:37,280 what would be set by linus 217 00:07:35,759 --> 
00:07:39,120 so there were several different versions 218 00:07:37,280 --> 00:07:41,199 of these things uh 219 00:07:39,120 --> 00:07:45,360 before it got to the stage of uh having 220 00:07:41,199 --> 00:07:46,400 code that linus would accept 221 00:07:45,360 --> 00:07:47,919 so if you're going to work on a major 222 00:07:46,400 --> 00:07:49,120 project um 223 00:07:47,919 --> 00:07:52,960 if you want to 224 00:07:49,120 --> 00:07:55,680 do what i uh initially signed up to do 225 00:07:52,960 --> 00:07:56,560 i thought it would take two weeks 226 00:07:55,680 --> 00:07:58,960 that's 227 00:07:56,560 --> 00:08:00,000 a lot of work and 228 00:07:58,960 --> 00:08:01,680 to do 229 00:08:00,000 --> 00:08:03,919 to think you can do that requires 230 00:08:01,680 --> 00:08:05,599 stiffening overstating your skill or 231 00:08:03,919 --> 00:08:07,520 understanding the defeat of the project 232 00:08:05,599 --> 00:08:09,680 or both 233 00:08:07,520 --> 00:08:11,599 a better plan is to 234 00:08:09,680 --> 00:08:13,280 look at a smaller part of the project 235 00:08:11,599 --> 00:08:15,520 so in retrospect i could have been had a 236 00:08:13,280 --> 00:08:19,599 more accurate assessment situation and 237 00:08:15,520 --> 00:08:21,680 said okay i'll get the kernel code um 238 00:08:19,599 --> 00:08:23,520 uh set up in patches that against the 239 00:08:21,680 --> 00:08:25,360 debian kernel so other people can then 240 00:08:23,520 --> 00:08:27,199 work on some other areas and that would 241 00:08:25,360 --> 00:08:29,039 have been a realistic thing to achieve 242 00:08:27,199 --> 00:08:30,960 and then i could go okay let's get the 243 00:08:29,039 --> 00:08:33,680 login process going 244 00:08:30,960 --> 00:08:35,519 uh we're saying i'll just do everything 245 00:08:33,680 --> 00:08:37,360 and it can't be that hard 246 00:08:35,519 --> 00:08:38,719 it wasn't very realistic 247 00:08:37,360 --> 00:08:41,440 uh it ended up but i had enough spare 248 00:08:38,719 --> 
00:08:42,240 time and energy 249 00:08:41,440 --> 00:08:44,399 to 250 00:08:42,240 --> 00:08:45,120 do it and learn all the skills i needed 251 00:08:44,399 --> 00:08:46,399 but 252 00:08:45,120 --> 00:08:49,120 that wouldn't necessarily be the case 253 00:08:46,399 --> 00:08:52,080 for anyone who might want to 254 00:08:49,120 --> 00:08:52,080 volunteer such things 255 00:08:52,240 --> 00:08:55,279 and 256 00:08:53,519 --> 00:08:57,360 one of the issues about selena is 257 00:08:55,279 --> 00:08:58,399 because it's a security system that 258 00:08:57,360 --> 00:09:00,959 covers 259 00:08:58,399 --> 00:09:02,399 um pretty much all aspects of the way 260 00:09:00,959 --> 00:09:03,279 programs run 261 00:09:02,399 --> 00:09:05,279 uh 262 00:09:03,279 --> 00:09:07,200 the process of writing the policy the 263 00:09:05,279 --> 00:09:08,880 policies the 264 00:09:07,200 --> 00:09:10,399 set of rules determine what each program 265 00:09:08,880 --> 00:09:11,839 can do 266 00:09:10,399 --> 00:09:14,560 requires 267 00:09:11,839 --> 00:09:16,800 understanding what all the programs do 268 00:09:14,560 --> 00:09:19,440 and not many people have that little 269 00:09:16,800 --> 00:09:21,120 understanding and the only way you can 270 00:09:19,440 --> 00:09:22,800 most people can get it is by writing 271 00:09:21,120 --> 00:09:24,480 such a 272 00:09:22,800 --> 00:09:26,000 set of rules 273 00:09:24,480 --> 00:09:28,240 so uh 274 00:09:26,000 --> 00:09:31,360 while the process of for example log 275 00:09:28,240 --> 00:09:32,880 into a system might seem simple 276 00:09:31,360 --> 00:09:34,959 it's actually more complicated than you 277 00:09:32,880 --> 00:09:36,480 expect you have the 278 00:09:34,959 --> 00:09:39,360 pam system pluggable authentication 279 00:09:36,480 --> 00:09:41,120 modules that can run extra programs to 280 00:09:39,360 --> 00:09:43,519 do various tasks 281 00:09:41,120 --> 00:09:43,519 and then 282 00:09:43,839 --> 00:09:47,839 the way these programs 
interact is more 283 00:09:46,000 --> 00:09:50,800 complex than most people expect 284 00:09:47,839 --> 00:09:52,000 one example is 285 00:09:50,800 --> 00:09:55,279 there's a 286 00:09:52,000 --> 00:09:57,760 set uid root program that's launched by 287 00:09:55,279 --> 00:10:02,079 pam to check passwords 288 00:09:57,760 --> 00:10:05,120 and um it made sense to have this 289 00:10:02,079 --> 00:10:08,240 run on this linux system even if uh 290 00:10:05,120 --> 00:10:09,440 you're authenticating uh via a root 291 00:10:08,240 --> 00:10:11,279 process 292 00:10:09,440 --> 00:10:13,600 and um 293 00:10:11,279 --> 00:10:16,640 this um the code wasn't written that way 294 00:10:13,600 --> 00:10:17,360 initially it was written that said 295 00:10:16,640 --> 00:10:19,200 if 296 00:10:17,360 --> 00:10:22,640 is zero then we'll just read the shadow 297 00:10:19,200 --> 00:10:24,720 file if not then we'll um 298 00:10:22,640 --> 00:10:25,839 run this set ud program 299 00:10:24,720 --> 00:10:29,200 and what we want to do is have this 300 00:10:25,839 --> 00:10:31,200 program not only be set uid but also uh 301 00:10:29,200 --> 00:10:33,040 have a domain transition for different 302 00:10:31,200 --> 00:10:34,800 selenium security context 303 00:10:33,040 --> 00:10:36,720 so that the calling code even it's 304 00:10:34,800 --> 00:10:38,959 running as root won't have the ability 305 00:10:36,720 --> 00:10:42,079 to read the shadow password file 306 00:10:38,959 --> 00:10:42,079 and a lot of little things like that 307 00:10:42,480 --> 00:10:47,040 resulted in 308 00:10:44,079 --> 00:10:48,160 ongoing work to uh maintain the patches 309 00:10:47,040 --> 00:10:50,640 going forward 310 00:10:48,160 --> 00:10:51,680 which uh wasn't seen uh 311 00:10:50,640 --> 00:10:53,920 you know before i started working on 312 00:10:51,680 --> 00:10:53,920 this 313 00:10:55,200 --> 00:10:58,399 now the history of s linux so the first 314 00:10:56,959 --> 00:10:59,680 version of selinux which i 
never 315 00:10:58,399 --> 00:11:00,959 actually used 316 00:10:59,680 --> 00:11:03,360 relied on 317 00:11:00,959 --> 00:11:04,480 structure changes to the exc2 file 318 00:11:03,360 --> 00:11:06,880 system 319 00:11:04,480 --> 00:11:09,600 and this is the same this was done for 320 00:11:06,880 --> 00:11:11,760 these the commercial museums i believe 321 00:11:09,600 --> 00:11:14,800 so basically they found some unused 322 00:11:11,760 --> 00:11:18,079 space in the inodes and use them for 323 00:11:14,800 --> 00:11:19,760 indexes into a list of security contexts 324 00:11:18,079 --> 00:11:22,160 so you map the google chronic switch 325 00:11:19,760 --> 00:11:24,160 file to this inode entry 326 00:11:22,160 --> 00:11:27,040 um that worked for commercial unit 327 00:11:24,160 --> 00:11:28,560 systems and that was something that 328 00:11:27,040 --> 00:11:29,920 linus 329 00:11:28,560 --> 00:11:32,560 and the 330 00:11:29,920 --> 00:11:33,680 other people involved in ec2 would never 331 00:11:32,560 --> 00:11:35,279 accept 332 00:11:33,680 --> 00:11:37,120 and also something that would never work 333 00:11:35,279 --> 00:11:38,399 with um 334 00:11:37,120 --> 00:11:39,760 well 335 00:11:38,399 --> 00:11:41,360 would not easily at least work with 336 00:11:39,760 --> 00:11:42,399 other file systems 337 00:11:41,360 --> 00:11:44,640 so if that 338 00:11:42,399 --> 00:11:47,600 system is going to be used you need to 339 00:11:44,640 --> 00:11:51,040 have a similar patch for every fast and 340 00:11:47,600 --> 00:11:53,760 supported and for every fsc program fsck 341 00:11:51,040 --> 00:11:56,399 program etc and they'll be a huge amount 342 00:11:53,760 --> 00:11:58,160 of work going forward 343 00:11:56,399 --> 00:11:59,760 so the second version had a database 344 00:11:58,160 --> 00:12:01,040 stored in root directory which is run by 345 00:11:59,760 --> 00:12:04,079 the kernel 346 00:12:01,040 --> 00:12:05,839 and another thing that uh one thing that 347 00:12:04,079 
--> 00:12:08,560 always gets rejected by the kernel 348 00:12:05,839 --> 00:12:10,720 maintainers is having the kernel 349 00:12:08,560 --> 00:12:12,639 open files directly it's almost 350 00:12:10,720 --> 00:12:14,560 universally rejected and definitely 351 00:12:12,639 --> 00:12:16,399 having the kernel 352 00:12:14,560 --> 00:12:18,240 open a database file and do database 353 00:12:16,399 --> 00:12:19,519 operations on it 354 00:12:18,240 --> 00:12:20,800 that would be probably 355 00:12:19,519 --> 00:12:23,760 even 356 00:12:20,800 --> 00:12:26,880 more worthy being rejected 357 00:12:23,760 --> 00:12:27,760 so uh but that got rejected as well 358 00:12:26,880 --> 00:12:30,720 um 359 00:12:27,760 --> 00:12:33,600 also uh one of uh linus's criticisms of 360 00:12:30,720 --> 00:12:34,880 basic limiting this stage was that it 361 00:12:33,600 --> 00:12:36,480 wasn't designed to work with other 362 00:12:34,880 --> 00:12:40,240 security systems 363 00:12:36,480 --> 00:12:42,399 so the uh aim of the nsa people was that 364 00:12:40,240 --> 00:12:44,399 uh se linux does everything you you 365 00:12:42,399 --> 00:12:45,519 should want to do in terms of uh access 366 00:12:44,399 --> 00:12:47,279 control 367 00:12:45,519 --> 00:12:49,200 uh as i said 368 00:12:47,279 --> 00:12:50,639 i'm not going to speak much about the 369 00:12:49,200 --> 00:12:53,279 way eclipse works i've spoken about it 370 00:12:50,639 --> 00:12:55,440 before there's various uh youtube videos 371 00:12:53,279 --> 00:12:57,600 of people who watched about it before 372 00:12:55,440 --> 00:12:59,920 uh this talk is all about the villain 373 00:12:57,600 --> 00:13:01,600 process uh i encourage people to read 374 00:12:59,920 --> 00:13:03,200 those books about it as well over my 375 00:13:01,600 --> 00:13:04,639 shoulder you can see uh some books i've 376 00:13:03,200 --> 00:13:05,760 got on display 377 00:13:04,639 --> 00:13:06,480 there's lots of documentation on these 378 00:13:05,760 --> 
00:13:08,639 things 379 00:13:06,480 --> 00:13:10,399 uh but uh so here i'm here to talk about 380 00:13:08,639 --> 00:13:12,160 the development process 381 00:13:10,399 --> 00:13:13,040 so um 382 00:13:12,160 --> 00:13:15,120 one 383 00:13:13,040 --> 00:13:17,200 one sort of difference of opinion among 384 00:13:15,120 --> 00:13:18,240 developers was that uh the nsap will 385 00:13:17,200 --> 00:13:20,639 believe that 386 00:13:18,240 --> 00:13:23,200 uh se linux is something everyone should 387 00:13:20,639 --> 00:13:25,040 use does everything you need you don't 388 00:13:23,200 --> 00:13:29,279 need to have another mantrax control 389 00:13:25,040 --> 00:13:31,440 system whereas uh lunas uh almost always 390 00:13:29,279 --> 00:13:33,680 believes there should be alternatives 391 00:13:31,440 --> 00:13:34,880 and for everything you should uh might 392 00:13:33,680 --> 00:13:36,000 want to do there should be another way 393 00:13:34,880 --> 00:13:37,680 of doing it 394 00:13:36,000 --> 00:13:39,839 so this is a fundamental difference 395 00:13:37,680 --> 00:13:42,160 opinion here and of course 396 00:13:39,839 --> 00:13:45,199 lunas gets to make the decision 397 00:13:42,160 --> 00:13:46,320 so uh that means the colonel patches had 398 00:13:45,199 --> 00:13:47,519 to all 399 00:13:46,320 --> 00:13:50,320 change 400 00:13:47,519 --> 00:13:52,320 to uh meteorologist requirements 401 00:13:50,320 --> 00:13:54,720 so this resulted in the development of 402 00:13:52,320 --> 00:13:56,160 the lsm the linux security module 403 00:13:54,720 --> 00:13:58,560 project 404 00:13:56,160 --> 00:14:00,639 and so lsm is a set of interfaces the 405 00:13:58,560 --> 00:14:01,760 kernel for various action control 406 00:14:00,639 --> 00:14:03,360 methods 407 00:14:01,760 --> 00:14:06,160 and that means that 408 00:14:03,360 --> 00:14:08,399 after you have lsm patched in 409 00:14:06,160 --> 00:14:10,000 it can then call any other security 410 00:14:08,399 --> 00:14:11,440 module 
that can do different things 411 00:14:10,000 --> 00:14:12,800 these things 412 00:14:11,440 --> 00:14:15,440 so the initial 413 00:14:12,800 --> 00:14:16,560 development of lsm was with s linux and 414 00:14:15,440 --> 00:14:19,279 app armor 415 00:14:16,560 --> 00:14:21,519 so app armor is a file name uh based 416 00:14:19,279 --> 00:14:22,800 access control system and it's designed 417 00:14:21,519 --> 00:14:25,360 to 418 00:14:22,800 --> 00:14:28,720 only restrict certain programs 419 00:14:25,360 --> 00:14:30,320 so for example in debian you have nappa 420 00:14:28,720 --> 00:14:33,440 set up this that 421 00:14:30,320 --> 00:14:35,120 is fairly default which uh restricts 422 00:14:33,440 --> 00:14:36,639 programs like apache which is a useful 423 00:14:35,120 --> 00:14:39,360 thing to have but doesn't restrict 424 00:14:36,639 --> 00:14:41,600 everything else whereas the way selinux 425 00:14:39,360 --> 00:14:44,240 works is it's based on 426 00:14:41,600 --> 00:14:45,680 reproducing accessifier inodes so a file 427 00:14:44,240 --> 00:14:46,959 is renamed that doesn't change the 428 00:14:45,680 --> 00:14:49,600 access the file 429 00:14:46,959 --> 00:14:52,959 and files are labeled when they created 430 00:14:49,600 --> 00:14:55,199 and uh not labeled any other way unless 431 00:14:52,959 --> 00:14:57,440 you explicitly try decide to relabel 432 00:14:55,199 --> 00:14:59,279 them whereas just based around fire 433 00:14:57,440 --> 00:15:00,639 names so there's different uh approaches 434 00:14:59,279 --> 00:15:02,399 to security 435 00:15:00,639 --> 00:15:04,639 and so the developers were the other 436 00:15:02,399 --> 00:15:06,880 developers who were working on lsm 437 00:15:04,639 --> 00:15:08,959 and so initial uh 438 00:15:06,880 --> 00:15:11,360 support of lsm that was uh those two 439 00:15:08,959 --> 00:15:13,440 systems that were included in the kernel 440 00:15:11,360 --> 00:15:14,480 patches 441 00:15:13,440 --> 00:15:15,519 and 442 00:15:14,480 
--> 00:15:16,800 then 443 00:15:15,519 --> 00:15:18,720 also 444 00:15:16,800 --> 00:15:19,760 casey developed smack 445 00:15:18,720 --> 00:15:22,959 which was 446 00:15:19,760 --> 00:15:24,079 sort of inspired by selinx 447 00:15:22,959 --> 00:15:27,120 and 448 00:15:24,079 --> 00:15:28,399 permitted by the lsm so when clsm 449 00:15:27,120 --> 00:15:31,120 interface are in place and you might 450 00:15:28,399 --> 00:15:32,639 write any security module feel easily 451 00:15:31,120 --> 00:15:34,480 and now there's a heap of them uh 452 00:15:32,639 --> 00:15:35,680 there's uh 453 00:15:34,480 --> 00:15:36,639 i haven't even kept track of how many 454 00:15:35,680 --> 00:15:38,240 there are 455 00:15:36,639 --> 00:15:41,040 and the lcm interface i think has been a 456 00:15:38,240 --> 00:15:42,240 really good thing for linux and linux 457 00:15:41,040 --> 00:15:43,920 security 458 00:15:42,240 --> 00:15:46,560 and um 459 00:15:43,920 --> 00:15:49,279 this is one example of seo linux having 460 00:15:46,560 --> 00:15:51,360 given real benefits for security to 461 00:15:49,279 --> 00:15:53,120 people who don't even want to don't even 462 00:15:51,360 --> 00:15:54,639 like spss linux 463 00:15:53,120 --> 00:15:56,160 so even if you don't want to use s linux 464 00:15:54,639 --> 00:15:57,600 then you've got choices of app armor 465 00:15:56,160 --> 00:15:58,800 smack and other things 466 00:15:57,600 --> 00:16:00,800 which wouldn't have been there if it 467 00:15:58,800 --> 00:16:03,440 hadn't been for the se linux kernel 468 00:16:00,800 --> 00:16:07,240 development and the process iteration to 469 00:16:03,440 --> 00:16:07,240 meet linux's requirements 470 00:16:09,440 --> 00:16:15,920 so in the final uh release of s linux uh 471 00:16:12,800 --> 00:16:18,560 we're using etc for the file labeling 472 00:16:15,920 --> 00:16:21,360 and that's what uh is being used today 473 00:16:18,560 --> 00:16:22,880 with uh no plans for changing so now 474 00:16:21,360 --> 
00:16:25,360 there's a security 475 00:16:22,880 --> 00:16:28,240 namespace for examples for racy linux 476 00:16:25,360 --> 00:16:28,240 and for other things 477 00:16:29,680 --> 00:16:35,560 now for the policy development the the 478 00:16:32,079 --> 00:16:35,560 policy was 479 00:16:38,079 --> 00:16:43,199 sorry my monitor's 480 00:16:40,079 --> 00:16:46,079 wobbling contraction okay uh the policy 481 00:16:43,199 --> 00:16:48,000 was originally written in m4 macros 482 00:16:46,079 --> 00:16:50,160 and uh 483 00:16:48,000 --> 00:16:52,880 there was uh 484 00:16:50,160 --> 00:16:54,880 the way it was distributed was uh as 485 00:16:52,880 --> 00:16:56,880 policy source files which were then 486 00:16:54,880 --> 00:16:59,279 compiled on install 487 00:16:56,880 --> 00:17:00,959 because uh with the way it worked um to 488 00:16:59,279 --> 00:17:02,240 make any change you had to do a 489 00:17:00,959 --> 00:17:05,520 recompile 490 00:17:02,240 --> 00:17:07,919 and um 491 00:17:05,520 --> 00:17:09,199 for most cases se linux 492 00:17:07,919 --> 00:17:10,959 isn't 493 00:17:09,199 --> 00:17:13,120 easy to use unless you have the ability 494 00:17:10,959 --> 00:17:15,039 to train your own policies 495 00:17:13,120 --> 00:17:17,439 so you can build a policy for a 496 00:17:15,039 --> 00:17:19,439 particular use case then roll it out to 497 00:17:17,439 --> 00:17:21,679 100 machines thousand machines 498 00:17:19,439 --> 00:17:24,400 uh without changes that works fine 499 00:17:21,679 --> 00:17:26,880 but actually if you want to um develop 500 00:17:24,400 --> 00:17:28,480 the creation of your 501 00:17:26,880 --> 00:17:29,919 systems 502 00:17:28,480 --> 00:17:32,000 having a 503 00:17:29,919 --> 00:17:33,679 distributions policy with no changes at 504 00:17:32,000 --> 00:17:35,039 all probably isn't going to work that 505 00:17:33,679 --> 00:17:37,280 well because there'll be some corner 506 00:17:35,039 --> 00:17:40,160 case that you have that they didn't 507 
00:17:37,280 --> 00:17:43,440 cover you're running a demon that uh 508 00:17:40,160 --> 00:17:45,039 the distribution developers uh didn't uh 509 00:17:43,440 --> 00:17:47,280 plan on you running 510 00:17:45,039 --> 00:17:49,360 your uh installing things in different 511 00:17:47,280 --> 00:17:51,039 directories or there's some other uh 512 00:17:49,360 --> 00:17:53,120 difference 513 00:17:51,039 --> 00:17:54,640 with demons like apache apache is 514 00:17:53,120 --> 00:17:55,840 extremely configurable 515 00:17:54,640 --> 00:17:57,760 and 516 00:17:55,840 --> 00:17:59,600 writing policy to cover all possible 517 00:17:57,760 --> 00:18:02,160 configuration options this isn't really 518 00:17:59,600 --> 00:18:04,160 possible given that apache has 519 00:18:02,160 --> 00:18:05,919 shared objects to plug in for many 520 00:18:04,160 --> 00:18:07,679 different programming languages and they 521 00:18:05,919 --> 00:18:09,760 all have slightly different security 522 00:18:07,679 --> 00:18:10,640 requirements 523 00:18:09,760 --> 00:18:13,360 so 524 00:18:10,640 --> 00:18:15,679 to use easylinks you require 525 00:18:13,360 --> 00:18:18,240 some local configurations in the first 526 00:18:15,679 --> 00:18:21,200 releases of esa linux that required 527 00:18:18,240 --> 00:18:22,160 compiling the source the policy 528 00:18:21,200 --> 00:18:26,320 which 529 00:18:22,160 --> 00:18:27,360 in the long term wasn't a good option 530 00:18:26,320 --> 00:18:30,480 so 531 00:18:27,360 --> 00:18:31,520 the the version that was uh developed uh 532 00:18:30,480 --> 00:18:33,919 later on 533 00:18:31,520 --> 00:18:36,880 uh i think they came in to be um 534 00:18:33,919 --> 00:18:39,360 the first release fedora core five uh 535 00:18:36,880 --> 00:18:41,600 was the uh modular policy which has 536 00:18:39,360 --> 00:18:43,600 dependencies in the policy files 537 00:18:41,600 --> 00:18:46,480 and so basically you can load a you have 538 00:18:43,600 --> 00:18:48,880 a module defined 
which 539 00:18:46,480 --> 00:18:51,520 specifies which 540 00:18:48,880 --> 00:18:52,960 types in the policy it depends on and 541 00:18:51,520 --> 00:18:54,320 they can be loaded into the policy first 542 00:18:52,960 --> 00:18:56,799 types defined 543 00:18:54,320 --> 00:18:59,360 types are the labels for 544 00:18:56,799 --> 00:19:00,799 processes files or other objects 545 00:18:59,360 --> 00:19:02,000 accessed by the 546 00:19:00,799 --> 00:19:03,360 system 547 00:19:02,000 --> 00:19:05,760 and so 548 00:19:03,360 --> 00:19:08,080 for example you had a 549 00:19:05,760 --> 00:19:10,240 policy module that 550 00:19:08,080 --> 00:19:13,120 related to the apache policy you would 551 00:19:10,240 --> 00:19:14,640 say you depend on the httpd_t 552 00:19:13,120 --> 00:19:16,080 type 553 00:19:14,640 --> 00:19:19,520 and then you could load whenever the 554 00:19:16,080 --> 00:19:19,520 apache policy is loaded 555 00:19:20,000 --> 00:19:23,280 now speaking of the 556 00:19:21,520 --> 00:19:25,200 changes made 557 00:19:23,280 --> 00:19:27,120 to other things 558 00:19:25,200 --> 00:19:28,480 because of SELinux 559 00:19:27,120 --> 00:19:30,880 there have been a number of daemons 560 00:19:28,480 --> 00:19:33,679 which have been changed because 561 00:19:30,880 --> 00:19:34,799 so with selinux controlling 562 00:19:33,679 --> 00:19:36,000 the 563 00:19:34,799 --> 00:19:38,799 use of 564 00:19:36,000 --> 00:19:41,039 write-executable memory uh there's been a 565 00:19:38,799 --> 00:19:43,360 number of cases of daemons which uh have 566 00:19:41,039 --> 00:19:44,640 requested executable stacks and 567 00:19:43,360 --> 00:19:46,960 requested 568 00:19:44,640 --> 00:19:48,480 write-execute memory mapping which never 569 00:19:46,960 --> 00:19:51,360 actually needed it 570 00:19:48,480 --> 00:19:53,600 and SELinux policy made these 571 00:19:51,360 --> 00:19:54,960 problems more obvious so then they could 572 00:19:53,600 --> 00:19:57,440 be fixed and 573
00:19:54,960 --> 00:19:59,360 people who don't use SELinux could then 574 00:19:57,440 --> 00:20:01,600 have these programs run without 575 00:19:59,360 --> 00:20:03,760 executable stacks without the ability to 576 00:20:01,600 --> 00:20:04,840 write and execute memory 577 00:20:03,760 --> 00:20:07,520 and the 578 00:20:04,840 --> 00:20:10,159 uh security would improve without them 579 00:20:07,520 --> 00:20:11,760 even knowing it without using selinux 580 00:20:10,159 --> 00:20:14,080 and also uh 581 00:20:11,760 --> 00:20:16,799 there are choices uh made available 582 00:20:14,080 --> 00:20:18,240 so uh for some kind for um 583 00:20:16,799 --> 00:20:19,520 programs that use just-in-time 584 00:20:18,240 --> 00:20:22,159 compilation 585 00:20:19,520 --> 00:20:23,919 which includes a lot of interpreters as 586 00:20:22,159 --> 00:20:25,679 well as some 587 00:20:23,919 --> 00:20:27,280 things you might not expect 588 00:20:25,679 --> 00:20:29,679 such as 589 00:20:27,280 --> 00:20:30,640 at one stage the clamav anti-virus 590 00:20:29,679 --> 00:20:31,520 scanning 591 00:20:30,640 --> 00:20:32,720 system 592 00:20:31,520 --> 00:20:34,720 used 593 00:20:32,720 --> 00:20:37,120 just-in-time compilation as uh part of 594 00:20:34,720 --> 00:20:38,799 its optimizations 595 00:20:37,120 --> 00:20:40,240 these things can be with SELinux you 596 00:20:38,799 --> 00:20:41,280 can turn them on or turn them off in the 597 00:20:40,240 --> 00:20:43,760 policy 598 00:20:41,280 --> 00:20:45,919 and so in that case it might mean your uh 599 00:20:43,760 --> 00:20:47,760 antivirus runs a little slower 600 00:20:45,919 --> 00:20:49,840 if you have plenty of cpu power and are 601 00:20:47,760 --> 00:20:51,360 concerned about security you can do that 602 00:20:49,840 --> 00:20:53,039 or if you have 603 00:20:51,360 --> 00:20:54,080 a huge amount of email to scan for 604 00:20:53,039 --> 00:20:56,080 viruses 605 00:20:54,080 --> 00:20:57,760 and uh you're not so worried about
security 606 00:20:56,080 --> 00:21:00,159 you have the choice to 607 00:20:57,760 --> 00:21:02,400 allow the just-in-time compilation 608 00:21:00,159 --> 00:21:04,640 and in both cases uh it's something that 609 00:21:02,400 --> 00:21:06,720 the developers upstream were aware of 610 00:21:04,640 --> 00:21:08,320 and could then write their code to 611 00:21:06,720 --> 00:21:11,200 support both cases 612 00:21:08,320 --> 00:21:13,360 so if someone uh who doesn't like 613 00:21:11,200 --> 00:21:14,960 SELinux is running clamav they 614 00:21:13,360 --> 00:21:17,280 could use a different security system 615 00:21:14,960 --> 00:21:19,840 one of the other lsms that also 616 00:21:17,280 --> 00:21:21,280 restricts uh executable 617 00:21:19,840 --> 00:21:22,720 writable memory 618 00:21:21,280 --> 00:21:24,880 and uh 619 00:21:22,720 --> 00:21:27,039 clamav would work with it which is a 620 00:21:24,880 --> 00:21:28,559 nice feature 621 00:21:27,039 --> 00:21:31,760 another example is 622 00:21:28,559 --> 00:21:35,039 when i was in japan one time i had some 623 00:21:31,760 --> 00:21:36,240 friends uh show me a program that uh 624 00:21:35,039 --> 00:21:37,200 wasn't working with their SELinux 625 00:21:36,240 --> 00:21:39,760 policy 626 00:21:37,200 --> 00:21:41,440 this program to allow um 627 00:21:39,760 --> 00:21:44,559 typing in kanji 628 00:21:41,440 --> 00:21:46,640 and the way it would work is you'll be 629 00:21:44,559 --> 00:21:48,159 using a word processor or any other 630 00:21:46,640 --> 00:21:50,559 text editing program 631 00:21:48,159 --> 00:21:52,960 and you type in words in romaji that is 632 00:21:50,559 --> 00:21:55,520 the latin alphabet we use 633 00:21:52,960 --> 00:21:57,760 and then it would prompt you 634 00:21:55,520 --> 00:22:00,080 with kanji characters to replace some of 635 00:21:57,760 --> 00:22:02,799 these romaji words 636 00:22:00,080 --> 00:22:05,840 and uh the way it worked is um the daemon 637 00:22:02,799 --> 00:22:08,480 that
does the translation between uh 638 00:22:05,840 --> 00:22:10,400 romaji these words we could type in our 639 00:22:08,480 --> 00:22:15,840 keyboards 640 00:22:10,400 --> 00:22:18,320 to the kanji characters was via a um 641 00:22:15,840 --> 00:22:20,400 named pipe under /tmp 642 00:22:18,320 --> 00:22:21,280 or a unix domain socket under 643 00:22:20,400 --> 00:22:23,440 /tmp 644 00:22:21,280 --> 00:22:26,720 and it meant of course that 645 00:22:23,440 --> 00:22:28,640 basically everything you typed on such a 646 00:22:26,720 --> 00:22:30,400 configuration of japanese system would 647 00:22:28,640 --> 00:22:33,039 be sent to this 648 00:22:30,400 --> 00:22:34,640 named pipe under /tmp 649 00:22:33,039 --> 00:22:35,760 and therefore if the daemon hadn't 650 00:22:34,640 --> 00:22:38,240 started 651 00:22:35,760 --> 00:22:40,880 and a hostile process 652 00:22:38,240 --> 00:22:42,480 had created a named pipe under that name 653 00:22:40,880 --> 00:22:45,280 you'd just see everything you type 654 00:22:42,480 --> 00:22:47,520 which could be a major security issue 655 00:22:45,280 --> 00:22:48,720 now it is possible with selinux to make 656 00:22:47,520 --> 00:22:50,559 it 657 00:22:48,720 --> 00:22:52,320 slightly less insecure 658 00:22:50,559 --> 00:22:53,679 and that means that instead of having 659 00:22:52,320 --> 00:22:56,320 any program in the system being able to 660 00:22:53,679 --> 00:22:58,799 create that uh 661 00:22:56,320 --> 00:23:00,320 unix domain socket you could be restricted 662 00:22:58,799 --> 00:23:03,600 to only 663 00:23:00,320 --> 00:23:05,679 processes in certain contexts 664 00:23:03,600 --> 00:23:08,720 but that could still be a problem so for 665 00:23:05,679 --> 00:23:11,280 example if you have a multi-user system 666 00:23:08,720 --> 00:23:12,799 with multiple people running in the same 667 00:23:11,280 --> 00:23:14,320 security context or similar security 668 00:23:12,799 --> 00:23:16,159 context 669
00:23:14,320 --> 00:23:18,320 running word processors 670 00:23:16,159 --> 00:23:20,799 one of them could if the daemon wasn't 671 00:23:18,320 --> 00:23:23,280 running start their own process and 672 00:23:20,799 --> 00:23:24,159 proxy the other user's data and see it 673 00:23:23,280 --> 00:23:26,480 all 674 00:23:24,159 --> 00:23:28,720 so in this case i said no we can't write 675 00:23:26,480 --> 00:23:31,360 SELinux policy to 676 00:23:28,720 --> 00:23:33,760 allow this program to run as a daemon 677 00:23:31,360 --> 00:23:35,440 and listen to a unix domain socket in 678 00:23:33,760 --> 00:23:37,200 /tmp we need to find a better 679 00:23:35,440 --> 00:23:38,480 place for maybe something under 680 00:23:37,200 --> 00:23:39,919 /var/lib 681 00:23:38,480 --> 00:23:42,480 and 682 00:23:39,919 --> 00:23:45,039 avoid these problems so for example you 683 00:23:42,480 --> 00:23:46,880 have a directory under /lib that is 684 00:23:45,039 --> 00:23:48,799 only writable by 685 00:23:46,880 --> 00:23:51,520 root or by 686 00:23:48,799 --> 00:23:52,799 a user id just for that daemon 687 00:23:51,520 --> 00:23:54,720 then 688 00:23:52,799 --> 00:23:56,799 most of the problems 689 00:23:54,720 --> 00:23:59,799 of this potential proxying of data go 690 00:23:56,799 --> 00:23:59,799 away 691 00:24:05,200 --> 00:24:10,400 now um when i first started um 692 00:24:08,640 --> 00:24:12,720 getting something to work on debian 693 00:24:10,400 --> 00:24:16,159 there was at the time a practice of 694 00:24:12,720 --> 00:24:18,000 having uh debian kernel patch packages 695 00:24:16,159 --> 00:24:20,320 so the idea being that you could get the 696 00:24:18,000 --> 00:24:23,039 uh standard debian kernel source that 697 00:24:20,320 --> 00:24:24,400 was uh used producing the um 698 00:24:23,039 --> 00:24:26,720 official 699 00:24:24,400 --> 00:24:29,279 debian kernel image packages 700 00:24:26,720 --> 00:24:31,039 and uh patch it uh for whatever you want 701
00:24:29,279 --> 00:24:32,559 to patch it for and then build your own 702 00:24:31,039 --> 00:24:34,000 kernel which is the same as the debian 703 00:24:32,559 --> 00:24:35,360 one 704 00:24:34,000 --> 00:24:36,400 apart from the change that you need to 705 00:24:35,360 --> 00:24:38,880 have 706 00:24:36,400 --> 00:24:41,120 uh as opposed to getting an upstream 707 00:24:38,880 --> 00:24:42,480 kernel from kernel.org and then missing 708 00:24:41,120 --> 00:24:44,720 out on the 709 00:24:42,480 --> 00:24:46,799 debian patches which might be something 710 00:24:44,720 --> 00:24:48,799 you actually need 711 00:24:46,799 --> 00:24:51,679 so i maintained uh debian kernel 712 00:24:48,799 --> 00:24:53,760 packages for uh kernel patch packages 713 00:24:51,679 --> 00:24:56,000 for SELinux and uh then later on i 714 00:24:53,760 --> 00:24:57,520 separate packages for lsm and SELinux 715 00:24:56,000 --> 00:24:59,360 for a number of years while it was going 716 00:24:57,520 --> 00:25:00,559 through the process of meeting linus's 717 00:24:59,360 --> 00:25:02,159 criteria 718 00:25:00,559 --> 00:25:04,640 and until we 719 00:25:02,159 --> 00:25:06,320 until linus was satisfied and it just got 720 00:25:04,640 --> 00:25:09,039 included in the 721 00:25:06,320 --> 00:25:09,039 upstream kernel 722 00:25:13,600 --> 00:25:17,840 so in retrospect um 723 00:25:15,760 --> 00:25:20,080 there could have been uh some time and 724 00:25:17,840 --> 00:25:22,640 effort saved uh 725 00:25:20,080 --> 00:25:24,400 by the nsa people and by everyone else 726 00:25:22,640 --> 00:25:27,120 who's involved in working on it if 727 00:25:24,400 --> 00:25:28,480 there'd been fewer uh implementations of 728 00:25:27,120 --> 00:25:30,720 labeling 729 00:25:28,480 --> 00:25:30,720 um 730 00:25:30,880 --> 00:25:35,840 the initial decision to just 731 00:25:33,279 --> 00:25:37,760 use one unused field in the ext2 file system 732 00:25:35,840 --> 00:25:39,919 that wasn't necessarily a bad thing 733 00:25:37,760
--> 00:25:42,159 because 734 00:25:39,919 --> 00:25:43,600 they wanted to just quickly uh get a 735 00:25:42,159 --> 00:25:46,320 prototype going 736 00:25:43,600 --> 00:25:48,720 and uh i guess that's the stage perhaps 737 00:25:46,320 --> 00:25:51,520 uh it wasn't certain how it'd be 738 00:25:48,720 --> 00:25:56,559 supported and what the future would be 739 00:25:51,520 --> 00:25:58,960 um but uh later on i think perhaps xattrs 740 00:25:56,559 --> 00:26:00,720 could have been predicted to be a better 741 00:25:58,960 --> 00:26:03,120 a more supported long-term 742 00:26:00,720 --> 00:26:03,120 solution 743 00:26:03,440 --> 00:26:08,320 um as an aside um 744 00:26:05,679 --> 00:26:10,640 after we got SELinux included upstream 745 00:26:08,320 --> 00:26:12,640 and included in debian and 746 00:26:10,640 --> 00:26:15,120 centos 747 00:26:12,640 --> 00:26:16,480 linus apparently still didn't uh like 748 00:26:15,120 --> 00:26:19,919 SELinux at all 749 00:26:16,480 --> 00:26:22,320 um one time he met with me at lca to 750 00:26:19,919 --> 00:26:23,679 just um tell me that uh he didn't like 751 00:26:22,320 --> 00:26:26,080 SELinux which was an interesting 752 00:26:23,679 --> 00:26:26,080 experience 753 00:26:27,760 --> 00:26:31,360 so 754 00:26:29,360 --> 00:26:33,600 one of the things that i'm 755 00:26:31,360 --> 00:26:35,360 known for uh is running what i call 756 00:26:33,600 --> 00:26:37,440 SELinux play machines 757 00:26:35,360 --> 00:26:39,039 and this is a machine where i set up 758 00:26:37,440 --> 00:26:40,320 root as the 759 00:26:39,039 --> 00:26:41,120 guest account 760 00:26:40,320 --> 00:26:43,039 and 761 00:26:41,120 --> 00:26:45,200 allow people from all over the internet 762 00:26:43,039 --> 00:26:48,159 to log in and just try it out so 763 00:26:45,200 --> 00:26:50,480 basically it means having no usable unix 764 00:26:48,159 --> 00:26:52,720 permissions unix access controls and just 765 00:26:50,480 --> 00:26:56,480 using selinux 766
00:26:52,720 --> 00:26:57,440 so that's been uh fun um 767 00:26:56,480 --> 00:26:58,960 i guess 768 00:26:57,440 --> 00:27:00,960 it's a possibility you could describe 769 00:26:58,960 --> 00:27:02,480 this as a form of trolling 770 00:27:00,960 --> 00:27:04,640 um 771 00:27:02,480 --> 00:27:06,880 it's a matter of opinion how it works uh 772 00:27:04,640 --> 00:27:09,360 i think it was a useful project in terms 773 00:27:06,880 --> 00:27:10,640 of testing SELinux 774 00:27:09,360 --> 00:27:14,480 and 775 00:27:10,640 --> 00:27:15,919 teaching random people about it and also 776 00:27:14,480 --> 00:27:19,039 learning about 777 00:27:15,919 --> 00:27:20,960 how security works 778 00:27:19,039 --> 00:27:23,279 and along the way uh there are a number 779 00:27:20,960 --> 00:27:25,600 of times when uh 780 00:27:23,279 --> 00:27:27,200 uh other people uh 781 00:27:25,600 --> 00:27:28,399 gained more access than expected to the 782 00:27:27,200 --> 00:27:30,480 machine 783 00:27:28,399 --> 00:27:32,000 and told me about it which is good 784 00:27:30,480 --> 00:27:32,880 so the first version of the play machine 785 00:27:32,000 --> 00:27:34,480 um 786 00:27:32,880 --> 00:27:35,760 didn't have a separate label for the 787 00:27:34,480 --> 00:27:38,960 shadow file 788 00:27:35,760 --> 00:27:40,880 and then anyone could read it and um 789 00:27:38,960 --> 00:27:42,880 that combined with the fact that the 790 00:27:40,880 --> 00:27:44,720 password wasn't a 791 00:27:42,880 --> 00:27:46,559 um if you were to guess one for a 792 00:27:44,720 --> 00:27:48,000 machine uh 793 00:27:46,559 --> 00:27:50,480 i was a bit of a fan of sushi at the 794 00:27:48,000 --> 00:27:53,279 time so i've named the made the 795 00:27:50,480 --> 00:27:55,679 the administrative password raw fish 796 00:27:53,279 --> 00:27:58,320 and so two people uh emailed me that 797 00:27:55,679 --> 00:28:01,120 password within uh a couple of days of 798 00:27:58,320 --> 00:28:03,279 putting the machine online which
was um 799 00:28:01,120 --> 00:28:05,440 amusing 800 00:28:03,279 --> 00:28:08,240 um 801 00:28:05,440 --> 00:28:09,760 one thing that uh this that incident 802 00:28:08,240 --> 00:28:12,080 made me think about is the fact that 803 00:28:09,760 --> 00:28:13,840 software design reflects the aims and 804 00:28:12,080 --> 00:28:15,120 thoughts of programmers 805 00:28:13,840 --> 00:28:17,600 and 806 00:28:15,120 --> 00:28:19,360 in this case the nsa people who did the 807 00:28:17,600 --> 00:28:22,399 who did the original policy for the 808 00:28:19,360 --> 00:28:25,440 first uh releases of SELinux 809 00:28:22,399 --> 00:28:25,440 their aim was not 810 00:28:26,159 --> 00:28:32,320 reproducing the access controls of unix 811 00:28:28,799 --> 00:28:33,679 permissions their aim was to uh isolate 812 00:28:32,320 --> 00:28:35,679 uh users 813 00:28:33,679 --> 00:28:37,440 uh after they've been authenticated uh 814 00:28:35,679 --> 00:28:39,919 by unix permissions 815 00:28:37,440 --> 00:28:41,520 and so protecting the shadow password file 816 00:28:39,919 --> 00:28:42,640 wasn't really an issue for them it was 817 00:28:41,520 --> 00:28:45,360 going 818 00:28:42,640 --> 00:28:47,520 assumed that um that would be dealt with 819 00:28:45,360 --> 00:28:50,159 by uh unix permissions 820 00:28:47,520 --> 00:28:53,760 and so i was running running root as 821 00:28:50,159 --> 00:28:56,320 the guest account uh was very different 822 00:28:53,760 --> 00:28:58,159 from what they were planning so 823 00:28:56,320 --> 00:29:00,480 it didn't work so well but on the other 824 00:28:58,159 --> 00:29:01,760 hand there are a lot of daemons that 825 00:29:00,480 --> 00:29:03,279 run as root 826 00:29:01,760 --> 00:29:05,760 and um 827 00:29:03,279 --> 00:29:08,080 we don't want those to be able to uh 828 00:29:05,760 --> 00:29:10,640 access the shadow file it's a fairly 829 00:29:08,080 --> 00:29:12,399 standard thing for a daemon if compromised 830 00:29:10,640 --> 00:29:13,200 as root so
you try and read the shadow 831 00:29:12,399 --> 00:29:14,480 file 832 00:29:13,200 --> 00:29:16,000 so this is a change that needs to be 833 00:29:14,480 --> 00:29:17,840 made and it was made it would have been 834 00:29:16,000 --> 00:29:20,159 made sooner or later and it was made 835 00:29:17,840 --> 00:29:21,360 sooner because uh i had some people 836 00:29:20,159 --> 00:29:24,240 email me the 837 00:29:21,360 --> 00:29:24,240 administrative password 838 00:29:24,399 --> 00:29:28,399 so another problem found with the 839 00:29:26,159 --> 00:29:29,760 configuration i found with the SELinux 840 00:29:28,399 --> 00:29:32,960 uh configuration initially was that the 841 00:29:29,760 --> 00:29:35,760 bios devices were uh 842 00:29:32,960 --> 00:29:36,559 world-writable with no special labels 843 00:29:35,760 --> 00:29:38,320 so 844 00:29:36,559 --> 00:29:39,360 i was running a machine that 845 00:29:38,320 --> 00:29:42,399 had 846 00:29:39,360 --> 00:29:45,520 devices for rewriting the bios 847 00:29:42,399 --> 00:29:47,520 which was uh in eprom i believe 848 00:29:45,520 --> 00:29:49,360 and um 849 00:29:47,520 --> 00:29:50,240 i was informed about this after someone 850 00:29:49,360 --> 00:29:52,720 had 851 00:29:50,240 --> 00:29:54,480 written random data to it 852 00:29:52,720 --> 00:29:55,520 so uh 853 00:29:54,480 --> 00:29:56,640 i was 854 00:29:55,520 --> 00:29:58,000 unsure whether the machine would 855 00:29:56,640 --> 00:30:00,399 boot again but it turned out it did 856 00:29:58,000 --> 00:30:03,279 boot so that was uh nice 857 00:30:00,399 --> 00:30:05,600 and something to check for future uh 858 00:30:03,279 --> 00:30:07,760 security systems 859 00:30:05,600 --> 00:30:08,640 another interesting uh lesson learned 860 00:30:07,760 --> 00:30:10,080 from the 861 00:30:08,640 --> 00:30:11,039 play machines 862 00:30:10,080 --> 00:30:13,760 is 863 00:30:11,039 --> 00:30:14,960 when i was running one at fosdem it's a 864 00:30:13,760 -->
00:30:17,520 european 865 00:30:14,960 --> 00:30:19,919 free software conference 866 00:30:17,520 --> 00:30:20,880 on the debian stand there there was a 867 00:30:19,919 --> 00:30:25,039 debian 868 00:30:20,880 --> 00:30:27,760 machine running an old apple macintosh 869 00:30:25,039 --> 00:30:29,120 demonstrating debian on the m68k 870 00:30:27,760 --> 00:30:31,440 architecture 871 00:30:29,120 --> 00:30:33,360 and the demonstration ends up being 872 00:30:31,440 --> 00:30:35,520 demonstrating how well the machine can 873 00:30:33,360 --> 00:30:37,840 be at running ssh as a 874 00:30:35,520 --> 00:30:39,760 terminal emulator to log into the play 875 00:30:37,840 --> 00:30:42,159 machine uh while one guy was spending a 876 00:30:39,760 --> 00:30:44,480 lot of time trying to compromise it 877 00:30:42,159 --> 00:30:47,520 and he ended up winning 878 00:30:44,480 --> 00:30:50,399 he discovered that the crontab program 879 00:30:47,520 --> 00:30:51,760 uh launched the editor with uh excessive 880 00:30:50,399 --> 00:30:53,039 permissions 881 00:30:51,760 --> 00:30:55,520 and uh 882 00:30:53,039 --> 00:30:57,200 uh vi which is the default editor allows 883 00:30:55,520 --> 00:31:00,080 you to launch a shell so the shell will 884 00:30:57,200 --> 00:31:01,519 also have uh excess permissions and that 885 00:31:00,080 --> 00:31:03,919 he was able to access files he shouldn't 886 00:31:01,519 --> 00:31:05,679 get access to and uh eventually gain 887 00:31:03,919 --> 00:31:07,120 elevated privileges 888 00:31:05,679 --> 00:31:09,519 so i changed the SELinux policy 889 00:31:07,120 --> 00:31:12,399 immediately after that to um restrict 890 00:31:09,519 --> 00:31:13,919 the access of the crontab program 891 00:31:12,399 --> 00:31:16,080 but this is good it was uh something 892 00:31:13,919 --> 00:31:17,279 that hadn't been considered uh this is 893 00:31:16,080 --> 00:31:20,559 more secure 894 00:31:17,279 --> 00:31:22,320 and uh even uh non 895 00:31:20,559 -->
00:31:25,279 play machine configurations will be 896 00:31:22,320 --> 00:31:27,120 slightly more secure because of this 897 00:31:25,279 --> 00:31:29,919 and one thing to learn about this is 898 00:31:27,120 --> 00:31:32,159 that competition drives interest and 899 00:31:29,919 --> 00:31:33,919 this is uh 900 00:31:32,159 --> 00:31:35,679 the amount of effort that guy spent on 901 00:31:33,919 --> 00:31:37,039 testing the machine you couldn't pay 902 00:31:35,679 --> 00:31:38,880 someone to do that 903 00:31:37,039 --> 00:31:42,640 this is just he wanted to show off 904 00:31:38,880 --> 00:31:42,640 how skillful he was and he succeeded 905 00:31:42,880 --> 00:31:46,080 his friends then 906 00:31:44,640 --> 00:31:47,679 took a photo of the slides when i was 907 00:31:46,080 --> 00:31:51,519 giving a talk about SELinux mentioning 908 00:31:47,679 --> 00:31:53,039 that how he did it just to uh as his 909 00:31:51,519 --> 00:31:55,679 prize i guess 910 00:31:53,039 --> 00:31:58,080 so um yeah that uh worked out well for 911 00:31:55,679 --> 00:32:00,399 everyone uh i improved the policy we all 912 00:31:58,080 --> 00:32:04,000 learned about uh more about security in 913 00:32:00,399 --> 00:32:06,000 linux and that guy got the um honor of 914 00:32:04,000 --> 00:32:07,840 um 915 00:32:06,000 --> 00:32:10,159 finding a flaw in the SELinux policy that was 916 00:32:07,840 --> 00:32:11,440 being used at the time 917 00:32:10,159 --> 00:32:13,360 and there also were a lot of people who 918 00:32:11,440 --> 00:32:14,880 thought that practice and people just 919 00:32:13,360 --> 00:32:17,440 didn't get the concept 920 00:32:14,880 --> 00:32:19,440 uh one was a guy who was um wrote a 921 00:32:17,440 --> 00:32:21,279 script to just uh kill the shell of 922 00:32:19,440 --> 00:32:22,799 every other user who logged in on the 923 00:32:21,279 --> 00:32:24,880 guest account 924 00:32:22,799 --> 00:32:26,880 which isn't um cracking it this is a 925 00:32:24,880 --> 00:32:28,399 denial of service attack
and only worked 926 00:32:26,880 --> 00:32:30,320 against people with the same access as 927 00:32:28,399 --> 00:32:31,919 him which was the guest user 928 00:32:30,320 --> 00:32:33,440 and so of course i could log in and kill 929 00:32:31,919 --> 00:32:34,559 the scripts and 930 00:32:33,440 --> 00:32:35,840 didn't 931 00:32:34,559 --> 00:32:37,039 so that wasn't 932 00:32:35,840 --> 00:32:38,000 effective 933 00:32:37,039 --> 00:32:40,559 um 934 00:32:38,000 --> 00:32:42,559 also i noticed he was trying to 935 00:32:40,559 --> 00:32:44,240 forward x connections 936 00:32:42,559 --> 00:32:47,440 so i changed the ssh 937 00:32:44,240 --> 00:32:49,679 configuration to allow x11 forwarding 938 00:32:47,440 --> 00:32:51,279 and then uh ran the xlogo program on 939 00:32:49,679 --> 00:32:52,720 the screen 940 00:32:51,279 --> 00:32:53,760 and uh 941 00:32:52,720 --> 00:32:55,519 he 942 00:32:53,760 --> 00:32:57,760 tried to deny it was there 943 00:32:55,519 --> 00:33:00,559 i said okay do you give me permission to 944 00:32:57,760 --> 00:33:02,720 uh read the keyboard 945 00:33:00,559 --> 00:33:04,799 of the person who has this xlogo uh 946 00:33:02,720 --> 00:33:07,200 display on it on their screen with this 947 00:33:04,799 --> 00:33:10,559 person which is not you i guess 948 00:33:07,200 --> 00:33:12,720 and then he logged out midway 949 00:33:10,559 --> 00:33:15,360 which is amusing so anyway 950 00:33:12,720 --> 00:33:18,640 uh you need to be fairly combative to 951 00:33:15,360 --> 00:33:20,640 run a a challenge machine like that 952 00:33:18,640 --> 00:33:22,080 and 953 00:33:20,640 --> 00:33:25,200 because there was a lot of 954 00:33:22,080 --> 00:33:26,960 hostility uh that resulted from it 955 00:33:25,200 --> 00:33:29,600 and a lot of amusement 956 00:33:26,960 --> 00:33:31,440 and i think that for general um 957 00:33:29,600 --> 00:33:35,919 uh computer security staff uh that sort 958 00:33:31,440 --> 00:33:38,480 of attitude uh
helps because um 959 00:33:35,919 --> 00:33:39,279 there are a lot of um crazy people out 960 00:33:38,480 --> 00:33:40,880 there 961 00:33:39,279 --> 00:33:43,120 and a lot of people want uh arguments 962 00:33:40,880 --> 00:33:46,720 and things 963 00:33:43,120 --> 00:33:46,720 but it's um also amusing 964 00:33:47,679 --> 00:33:50,399 um 965 00:33:48,640 --> 00:33:53,200 there are there have been a lot of 966 00:33:50,399 --> 00:33:55,360 conspiracy theories about the nsa 967 00:33:53,200 --> 00:33:58,640 none of them have 968 00:33:55,360 --> 00:34:01,120 any truth as far as i'm aware 969 00:33:58,640 --> 00:34:03,279 the nsa people 970 00:34:01,120 --> 00:34:06,720 smart programmers 971 00:34:03,279 --> 00:34:09,279 who are very studious um not very 972 00:34:06,720 --> 00:34:09,279 exciting 973 00:34:09,679 --> 00:34:14,560 yeah there's no 974 00:34:11,919 --> 00:34:16,639 james bond stuff happening or if it does 975 00:34:14,560 --> 00:34:18,399 it doesn't involve me 976 00:34:16,639 --> 00:34:19,359 but you know working on some interesting 977 00:34:18,399 --> 00:34:21,520 code 978 00:34:19,359 --> 00:34:24,639 hang out with people who 979 00:34:21,520 --> 00:34:26,320 know all about computer science 980 00:34:24,639 --> 00:34:28,079 and have interesting stories to tell about 981 00:34:26,320 --> 00:34:30,720 other programming tasks 982 00:34:28,079 --> 00:34:33,679 so in terms of hanging out with skilled 983 00:34:30,720 --> 00:34:35,679 programmers and learning about computers 984 00:34:33,679 --> 00:34:38,720 SELinux has been really great something 985 00:34:35,679 --> 00:34:41,040 i can highly recommend to other people 986 00:34:38,720 --> 00:34:42,399 if you're after james bond stuff 987 00:34:41,040 --> 00:34:45,200 i don't know what to do because it 988 00:34:42,399 --> 00:34:45,200 hasn't involved me 989 00:34:46,560 --> 00:34:50,320 about 10 years ago people stopped 990 00:34:47,760 --> 00:34:52,879 telling me about uh conspiracy theories 991
00:34:50,320 --> 00:34:55,119 which is um in a way a relief because 992 00:34:52,879 --> 00:34:58,480 it's just nothing to do with me 993 00:34:55,119 --> 00:35:00,320 but also um makes things less exciting 994 00:34:58,480 --> 00:35:01,599 i guess 995 00:35:00,320 --> 00:35:05,280 they probably still believe that kind of 996 00:35:01,599 --> 00:35:06,800 stuff but um doesn't involve me 997 00:35:05,280 --> 00:35:08,400 overall um 998 00:35:06,800 --> 00:35:09,359 working on SELinux has been a great 999 00:35:08,400 --> 00:35:11,280 experience 1000 00:35:09,359 --> 00:35:12,240 my skills have increased a lot because 1001 00:35:11,280 --> 00:35:13,839 of it 1002 00:35:12,240 --> 00:35:15,440 a lot more than i 1003 00:35:13,839 --> 00:35:17,440 expected when i first 1004 00:35:15,440 --> 00:35:19,200 started on it 1005 00:35:17,440 --> 00:35:20,640 working on a big project whatever the 1006 00:35:19,200 --> 00:35:22,160 big project is 1007 00:35:20,640 --> 00:35:24,320 you will learn a lot 1008 00:35:22,160 --> 00:35:25,760 and 1009 00:35:24,320 --> 00:35:28,839 especially if you 1010 00:35:25,760 --> 00:35:31,920 end up in a sort of a lead role in it 1011 00:35:28,839 --> 00:35:34,560 um but even if you're not in one of the 1012 00:35:31,920 --> 00:35:37,359 lead roles uh every for every project 1013 00:35:34,560 --> 00:35:39,040 there is a lot of things to learn and uh 1014 00:35:37,359 --> 00:35:41,520 you can just choose a project that fits 1015 00:35:39,040 --> 00:35:43,119 your skills interests and whatever you 1016 00:35:41,520 --> 00:35:44,960 just use yourself 1017 00:35:43,119 --> 00:35:48,000 and join us 1018 00:35:44,960 --> 00:35:49,839 you learn interesting things 1019 00:35:48,000 --> 00:35:51,520 have some fun 1020 00:35:49,839 --> 00:35:53,520 some parts are boring of course that's 1021 00:35:51,520 --> 00:35:55,359 the life 1022 00:35:53,520 --> 00:35:57,280 but generally it's a good experience and 1023 00:35:55,359 --> 00:36:00,800 then you can
1024 00:35:57,280 --> 00:36:02,079 go to lca and give talks about it 1025 00:36:00,800 --> 00:36:04,400 okay um 1026 00:36:02,079 --> 00:36:07,200 so i've pretty much covered my uh 1027 00:36:04,400 --> 00:36:08,960 material uh for now so should we go to 1028 00:36:07,200 --> 00:36:11,440 questions 1029 00:36:08,960 --> 00:36:12,720 yes hello uh thank you so much for your 1030 00:36:11,440 --> 00:36:14,240 talk that was really interesting to hear 1031 00:36:12,720 --> 00:36:16,480 that kind of history 1032 00:36:14,240 --> 00:36:18,160 um we've got one question but as a 1033 00:36:16,480 --> 00:36:19,599 reminder for people if you have more 1034 00:36:18,160 --> 00:36:21,839 questions chuck them in the questions 1035 00:36:19,599 --> 00:36:23,520 tab we are running on a delay so uh 1036 00:36:21,839 --> 00:36:25,599 getting them in earlier is better so 1037 00:36:23,520 --> 00:36:26,400 that we can actually see them 1038 00:36:25,599 --> 00:36:28,400 um 1039 00:36:26,400 --> 00:36:30,160 that was really cool 1040 00:36:28,400 --> 00:36:31,839 the first question we have is have you 1041 00:36:30,160 --> 00:36:34,960 been involved in any SELinux 1042 00:36:31,839 --> 00:36:37,680 applications for containers 1043 00:36:34,960 --> 00:36:39,040 um no um 1044 00:36:37,680 --> 00:36:40,480 the containers things are supposed to be 1045 00:36:39,040 --> 00:36:45,119 been done by red hat i think and that 1046 00:36:40,480 --> 00:36:48,160 hasn't involved me um i was um 1047 00:36:45,119 --> 00:36:50,960 one thing i did was i gave a paper for 1048 00:36:48,160 --> 00:36:52,560 uh ottawa linux symposium about 1049 00:36:50,960 --> 00:36:55,280 running selinux on 1050 00:36:52,560 --> 00:36:57,520 small devices so i initially got SELinux 1051 00:36:55,280 --> 00:37:00,560 working on the media operating system 1052 00:36:57,520 --> 00:37:01,680 for the ipaq and the ipaq had something 1053 00:37:00,560 --> 00:37:03,839 like 1054 00:37:01,680 --> 00:37:07,440 16 1055 00:37:03,839
--> 00:37:08,960 megabytes of storage and 64 megabytes of 1056 00:37:07,440 --> 00:37:11,119 ram or maybe the other way around i 1057 00:37:08,960 --> 00:37:13,599 can't remember i've got a paper on my uh 1058 00:37:11,119 --> 00:37:16,000 website that gives all the details but 1059 00:37:13,599 --> 00:37:18,160 anyway each kilobyte counted and so 1060 00:37:16,000 --> 00:37:19,200 we're going to paper about uh you know 1061 00:37:18,160 --> 00:37:20,960 how to 1062 00:37:19,200 --> 00:37:24,400 get these things smaller 1063 00:37:20,960 --> 00:37:26,079 having uh four kilobyte uh programs so i 1064 00:37:24,400 --> 00:37:27,680 didn't have to have an extra block of 1065 00:37:26,079 --> 00:37:28,880 disk space used for 1066 00:37:27,680 --> 00:37:30,960 the different things 1067 00:37:28,880 --> 00:37:32,880 and uh demonstrating that uh in that 1068 00:37:30,960 --> 00:37:34,240 constrained environment SELinux was 1069 00:37:32,880 --> 00:37:36,400 definitely viable 1070 00:37:34,240 --> 00:37:38,000 and uh describing the things needed to 1071 00:37:36,400 --> 00:37:40,880 be done to get it working 1072 00:37:38,000 --> 00:37:42,400 and uh this ends up as uh i don't think 1073 00:37:40,880 --> 00:37:44,880 uh my code was copied but i think it ended 1074 00:37:42,400 --> 00:37:47,200 up as being inspiration for the uh 1075 00:37:44,880 --> 00:37:50,160 android SELinux stuff because the first 1076 00:37:47,200 --> 00:37:53,599 android devices were like um 1077 00:37:50,160 --> 00:37:56,480 256 meg of ram and um about 1078 00:37:53,599 --> 00:37:57,760 512 megs of storage or something and at 1079 00:37:56,480 --> 00:37:59,520 the time that SELinux was done in 1080 00:37:57,760 --> 00:38:00,480 android i think was up to about a gig of 1081 00:37:59,520 --> 00:38:03,599 ram 1082 00:38:00,480 --> 00:38:04,960 so it was way way bigger than the ipaq 1083 00:38:03,599 --> 00:38:06,400 so having demonstrated that it works on 1084 00:38:04,960 --> 00:38:08,640 ipaq means
that 1085 00:38:06,400 --> 00:38:10,400 obviously s linux and android was not 1086 00:38:08,640 --> 00:38:11,760 gonna be a problem at all and so i 1087 00:38:10,400 --> 00:38:13,760 believe that pretty much all android 1088 00:38:11,760 --> 00:38:15,200 devices now using se linux so that's 1089 00:38:13,760 --> 00:38:17,359 great uh makes a little bit harder for 1090 00:38:15,200 --> 00:38:19,119 pool tacos because those machines are in 1091 00:38:17,359 --> 00:38:20,960 hostile environments and 1092 00:38:19,119 --> 00:38:23,040 often don't get updates 1093 00:38:20,960 --> 00:38:24,480 so we've got ongoing problems with 1094 00:38:23,040 --> 00:38:26,160 android device being essentially 1095 00:38:24,480 --> 00:38:28,480 abandoned by the manufacturers about a 1096 00:38:26,160 --> 00:38:31,040 year after they're manufactured mostly 1097 00:38:28,480 --> 00:38:32,400 so um it's nice that s linux will make 1098 00:38:31,040 --> 00:38:35,440 it a little bit harder for 1099 00:38:32,400 --> 00:38:37,760 households parties to attack them 1100 00:38:35,440 --> 00:38:39,359 that's so cool 1101 00:38:37,760 --> 00:38:41,280 um 1102 00:38:39,359 --> 00:38:43,520 oh we have two more questions uh we've 1103 00:38:41,280 --> 00:38:45,440 got first one is what are your thoughts 1104 00:38:43,520 --> 00:38:47,040 on binary policy and distros and 1105 00:38:45,440 --> 00:38:49,599 associated issues 1106 00:38:47,040 --> 00:38:51,760 like issues updating policy when setting 1107 00:38:49,599 --> 00:38:53,440 persistent balls if there's a gitlab 1108 00:38:51,760 --> 00:38:54,800 issue tracker 1109 00:38:53,440 --> 00:38:57,520 to stop people shooting themselves in 1110 00:38:54,800 --> 00:39:00,839 the foot should these districts at least 1111 00:38:57,520 --> 00:39:00,839 be disabled 1112 00:39:00,960 --> 00:39:04,640 okay um 1113 00:39:02,960 --> 00:39:08,560 i can copy this into chat if you want 1114 00:39:04,640 --> 00:39:08,560 it's a long one yes that'd be good um 1115 
00:39:10,560 --> 00:39:15,839 okay if a persistent ball is set then an 1116 00:39:13,200 --> 00:39:17,599 update to policy i think 1117 00:39:15,839 --> 00:39:19,119 should um 1118 00:39:17,599 --> 00:39:19,920 not change that 1119 00:39:19,119 --> 00:39:22,320 and 1120 00:39:19,920 --> 00:39:24,880 but this is 1121 00:39:22,320 --> 00:39:27,119 just a regular um 1122 00:39:24,880 --> 00:39:29,200 operating system bug 1123 00:39:27,119 --> 00:39:31,040 if it doesn't if the bug 1124 00:39:29,200 --> 00:39:32,720 uh if it doesn't do that already then it 1125 00:39:31,040 --> 00:39:35,520 should do that um it could be an 1126 00:39:32,720 --> 00:39:38,720 upstream bug um 1127 00:39:35,520 --> 00:39:40,560 yeah um i don't think uh my thoughts are 1128 00:39:38,720 --> 00:39:42,160 actually really relevant on that issue 1129 00:39:40,560 --> 00:39:44,800 of you know the way you expect 1130 00:39:42,160 --> 00:39:46,960 distribution to work is that you make a 1131 00:39:44,800 --> 00:39:49,200 setting and the setting remains 1132 00:39:46,960 --> 00:39:49,200 and 1133 00:39:49,680 --> 00:39:53,280 code should be changed to make it happen 1134 00:39:55,040 --> 00:39:59,920 yeah i realized i misread that so that 1135 00:39:56,480 --> 00:40:01,680 made sense why you were confused um 1136 00:39:59,920 --> 00:40:02,720 uh the second one's also quite long 1137 00:40:01,680 --> 00:40:04,079 we've got 1138 00:40:02,720 --> 00:40:06,400 what are your thoughts on divergence of 1139 00:40:04,079 --> 00:40:08,800 distro policies and the rift policies 1140 00:40:06,400 --> 00:40:10,560 and issues thereof is there a solution 1141 00:40:08,800 --> 00:40:12,400 some policies are overly permissive and 1142 00:40:10,560 --> 00:40:14,319 with no deny rule there's no way to 1143 00:40:12,400 --> 00:40:17,359 override but the work to generate one's 1144 00:40:14,319 --> 00:40:19,119 own policy for the district is large 1145 00:40:17,359 --> 00:40:22,079 yeah okay so 1146 00:40:19,119 --> 
00:40:24,319 the two main policies that i'm aware of 1147 00:40:22,079 --> 00:40:26,160 are the 1148 00:40:24,319 --> 00:40:29,200 reference policy which is the upstream 1149 00:40:26,160 --> 00:40:30,319 one managed by theresa's and uh the red 1150 00:40:29,200 --> 00:40:32,480 hat one 1151 00:40:30,319 --> 00:40:34,560 and we have one uh diverges a bit they 1152 00:40:32,480 --> 00:40:35,760 have some different names for the 1153 00:40:34,560 --> 00:40:39,839 interfaces 1154 00:40:35,760 --> 00:40:39,839 an interface in policy is 1155 00:40:39,920 --> 00:40:43,119 vaguely comparable to a function called 1156 00:40:41,839 --> 00:40:44,720 a programming language 1157 00:40:43,119 --> 00:40:46,960 except that the difference is uh it's 1158 00:40:44,720 --> 00:40:49,760 not a function it's just a 1159 00:40:46,960 --> 00:40:51,839 set of rules being hooked in 1160 00:40:49,760 --> 00:40:53,119 and yeah i think this should be uh less 1161 00:40:51,839 --> 00:40:56,319 divergence 1162 00:40:53,119 --> 00:40:58,720 um now in terms of the no deny rule um 1163 00:40:56,319 --> 00:41:01,119 the way uh s linux works is its uh 1164 00:40:58,720 --> 00:41:04,160 defaults not everything sorry that's not 1165 00:41:01,119 --> 00:41:07,520 permission is denied and so if you have 1166 00:41:04,160 --> 00:41:10,000 a policy distribution which 1167 00:41:07,520 --> 00:41:13,200 is excessively received then 1168 00:41:10,000 --> 00:41:13,200 that makes it very hard for you 1169 00:41:14,960 --> 00:41:19,280 there have been a number of changes over 1170 00:41:17,119 --> 00:41:20,560 the years one thing that's worth 1171 00:41:19,280 --> 00:41:22,960 thinking about is 1172 00:41:20,560 --> 00:41:26,160 when essay links was first released you 1173 00:41:22,960 --> 00:41:27,839 had two roles for these logins sysadam 1174 00:41:26,160 --> 00:41:29,440 and user which have 1175 00:41:27,839 --> 00:41:31,119 obvious meanings 1176 00:41:29,440 --> 00:41:31,920 and then one of the first 
things i did 1177 00:41:31,119 --> 00:41:34,000 was 1178 00:41:31,920 --> 00:41:35,040 wrote macros because a time all policies 1179 00:41:34,000 --> 00:41:36,400 macros 1180 00:41:35,040 --> 00:41:38,880 to allow 1181 00:41:36,400 --> 00:41:40,319 an arbitrary number of other roles 1182 00:41:38,880 --> 00:41:42,000 and so 1183 00:41:40,319 --> 00:41:44,720 this was initially done when i had a 1184 00:41:42,000 --> 00:41:46,160 play machine running on debian stand at 1185 00:41:44,720 --> 00:41:48,079 a conference 1186 00:41:46,160 --> 00:41:49,440 and someone asked me through password 1187 00:41:48,079 --> 00:41:52,319 and i told them 1188 00:41:49,440 --> 00:41:54,560 and i didn't realize that uh he wanted 1189 00:41:52,319 --> 00:41:57,200 he he asked root password so he could uh 1190 00:41:54,560 --> 00:41:58,880 store his important files uh under an 1191 00:41:57,200 --> 00:42:00,560 account where no one would mess with him 1192 00:41:58,880 --> 00:42:03,200 which he thought would be root 1193 00:42:00,560 --> 00:42:06,160 uh and didn't realize uh i would be 1194 00:42:03,200 --> 00:42:08,480 telling people to um tie typing r minus 1195 00:42:06,160 --> 00:42:09,520 rf as root and observe that nothing bad 1196 00:42:08,480 --> 00:42:11,440 happens 1197 00:42:09,520 --> 00:42:12,880 so his files all went away and he wasn't 1198 00:42:11,440 --> 00:42:14,720 that happy about it 1199 00:42:12,880 --> 00:42:16,079 um 1200 00:42:14,720 --> 00:42:17,760 in retrospect he should have just 1201 00:42:16,079 --> 00:42:19,760 mentioned what he was aiming and anyway 1202 00:42:17,760 --> 00:42:21,599 so i then uh create a policy which 1203 00:42:19,760 --> 00:42:23,680 allowed an arbitrary number of roles and 1204 00:42:21,599 --> 00:42:25,839 had that running for a while um 1205 00:42:23,680 --> 00:42:26,640 but the um 1206 00:42:25,839 --> 00:42:29,200 the 1207 00:42:26,640 --> 00:42:32,000 policy aim of having different user 1208 00:42:29,200 --> 00:42:33,440 roles 
became increasingly difficult to 1209 00:42:32,000 --> 00:42:34,640 manage as 1210 00:42:33,440 --> 00:42:37,280 the 1211 00:42:34,640 --> 00:42:38,400 login systems became more complex and 1212 00:42:37,280 --> 00:42:41,119 the demand 1213 00:42:38,400 --> 00:42:43,680 became greater so it used to be that you 1214 00:42:41,119 --> 00:42:44,880 just log in and you would just uh have a 1215 00:42:43,680 --> 00:42:46,480 fairly 1216 00:42:44,880 --> 00:42:48,000 you know program running with a manager 1217 00:42:46,480 --> 00:42:50,800 you'd have some externs and things i 1218 00:42:48,000 --> 00:42:54,560 mean one other stuff now you've got um 1219 00:42:50,800 --> 00:42:56,240 you log in you've got a uh gpg agent run 1220 00:42:54,560 --> 00:42:58,240 by your distribution when you log in 1221 00:42:56,240 --> 00:43:01,760 you've got maybe an ssh agent uh in the 1222 00:42:58,240 --> 00:43:04,400 background you've got um the pulse audio 1223 00:43:01,760 --> 00:43:06,000 daemon running audio in the background 1224 00:43:04,400 --> 00:43:07,839 and all these things have been managed 1225 00:43:06,000 --> 00:43:10,800 and it comes very hard to do 1226 00:43:07,839 --> 00:43:13,760 and also uh providing uh probably not a 1227 00:43:10,800 --> 00:43:15,599 lot of benefit so um what most people 1228 00:43:13,760 --> 00:43:17,839 are doing now is running uh the used 1229 00:43:15,599 --> 00:43:19,119 login sessions in the unconfined uh 1230 00:43:17,839 --> 00:43:21,680 domain 1231 00:43:19,119 --> 00:43:22,720 and uh that's very impressive and might 1232 00:43:21,680 --> 00:43:24,319 be what the 1233 00:43:22,720 --> 00:43:26,000 original person asked that question was 1234 00:43:24,319 --> 00:43:28,000 referring to 1235 00:43:26,000 --> 00:43:30,640 in that case you can change your 1236 00:43:28,000 --> 00:43:31,520 configuration to have your user login as 1237 00:43:30,640 --> 00:43:33,440 uh 1238 00:43:31,520 --> 00:43:35,599 the user runs for you 1239 00:43:33,440 
--> 00:43:37,359 identity 1240 00:43:35,599 --> 00:43:38,839 and that means that probably some things 1241 00:43:37,359 --> 00:43:40,720 you want to do won't be 1242 00:43:38,839 --> 00:43:42,560 allowed and 1243 00:43:40,720 --> 00:43:43,520 it's just a very difficult problem to 1244 00:43:42,560 --> 00:43:45,280 solve 1245 00:43:43,520 --> 00:43:47,920 given that you have people who want to 1246 00:43:45,280 --> 00:43:49,760 do all manner of things on the user 1247 00:43:47,920 --> 00:43:53,440 account versus people who would have 1248 00:43:49,760 --> 00:43:54,480 certain things restricted or isolated 1249 00:43:53,440 --> 00:43:56,240 and 1250 00:43:54,480 --> 00:43:57,520 there's no 1251 00:43:56,240 --> 00:43:58,640 one good solution that's going to solve 1252 00:43:57,520 --> 00:43:59,440 these problems 1253 00:43:58,640 --> 00:44:01,280 um 1254 00:43:59,440 --> 00:44:03,200 one thing with 1255 00:44:01,280 --> 00:44:06,400 android having i believe android has a 1256 00:44:03,200 --> 00:44:09,280 separate unix uid for each application 1257 00:44:06,400 --> 00:44:11,359 and that sort of approach uh can give 1258 00:44:09,280 --> 00:44:13,440 real benefits without uh going down this 1259 00:44:11,359 --> 00:44:15,839 path 1260 00:44:13,440 --> 00:44:18,480 and so maybe we should be considering 1261 00:44:15,839 --> 00:44:21,440 other ways of uh running regular user 1262 00:44:18,480 --> 00:44:23,359 stuff uh on unix sub sessions 1263 00:44:21,440 --> 00:44:25,359 there has been talk of 1264 00:44:23,359 --> 00:44:26,960 i think it was a talk at a previous lca 1265 00:44:25,359 --> 00:44:27,839 about 1266 00:44:26,960 --> 00:44:29,520 using 1267 00:44:27,839 --> 00:44:30,480 systems like docker for 1268 00:44:29,520 --> 00:44:32,880 running 1269 00:44:30,480 --> 00:44:34,640 various desktop apps under a user 1270 00:44:32,880 --> 00:44:36,880 session and that sort of thing can 1271 00:44:34,640 --> 00:44:40,160 provide some real benefits i think 1272 
00:44:36,880 --> 00:44:40,960 and without making it too hard to manage 1273 00:44:40,160 --> 00:44:42,960 and 1274 00:44:40,960 --> 00:44:44,640 also another approach is that the tales 1275 00:44:42,960 --> 00:44:47,359 approach of having 1276 00:44:44,640 --> 00:44:49,359 separate sessions for every program 1277 00:44:47,359 --> 00:44:51,440 that also is in its own way very 1278 00:44:49,359 --> 00:44:52,800 difficult to use 1279 00:44:51,440 --> 00:44:54,800 um 1280 00:44:52,800 --> 00:44:55,680 the problem the problem with security is 1281 00:44:54,800 --> 00:44:58,000 always 1282 00:44:55,680 --> 00:45:00,160 balancing out with usability and if you 1283 00:44:58,000 --> 00:45:01,599 say uh i want to do everything possible 1284 00:45:00,160 --> 00:45:04,160 and also have 1285 00:45:01,599 --> 00:45:06,079 everything secure that's probably not a 1286 00:45:04,160 --> 00:45:07,680 truthful goal 1287 00:45:06,079 --> 00:45:09,280 i'm gonna cut into this i feel like you 1288 00:45:07,680 --> 00:45:10,319 have an entire different entire another 1289 00:45:09,280 --> 00:45:11,280 talk here 1290 00:45:10,319 --> 00:45:14,640 uh 1291 00:45:11,280 --> 00:45:16,880 i only talked three hours literally 1292 00:45:14,640 --> 00:45:19,599 uh this is a really good conversation 1293 00:45:16,880 --> 00:45:20,319 thank you so much for this um we do have 1294 00:45:19,599 --> 00:45:22,000 a 1295 00:45:20,319 --> 00:45:24,000 couple more questions including a 1296 00:45:22,000 --> 00:45:26,400 conspiracy theory uh question that i 1297 00:45:24,000 --> 00:45:28,160 will drop into the post talk uh 1298 00:45:26,400 --> 00:45:30,240 chat kiara 1299 00:45:28,160 --> 00:45:33,280 kia ora theater 1300 00:45:30,240 --> 00:45:34,560 i said that very wrong um 1301 00:45:33,280 --> 00:45:36,560 yeah thank you so much for talking with 1302 00:45:34,560 --> 00:45:38,000 us today 1303 00:45:36,560 --> 00:45:40,400 thank you 1304 00:45:38,000 --> 00:45:42,240 our next talk is visualizing and 
tracing 1305 00:45:40,400 --> 00:45:44,240 requests through a cluster integrating 1306 00:45:42,240 --> 00:45:45,680 open tracing into openstack swift with 1307 00:45:44,240 --> 00:45:47,359 matthew oliver 1308 00:45:45,680 --> 00:45:51,560 and that's a 225 1309 00:45:47,359 --> 00:45:51,560 att so in like 10 minutes