Linux


From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.


Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

101
102
103
 
 

If you love exploit mitigations, you may have heard of a new system call named mseal landing into the Linux kernel’s 6.10 release, providing a protection called “memory sealing.” Beyond notes from the authors, very little information about this mitigation exists. In this blog post, we’ll explain what this syscall is, including how it’s different from prior memory protection schemes and how it works in the kernel to protect virtual memory. We’ll also describe the particular exploit scenarios that mseal helps stop in Linux userspace, such as stopping malicious permissions tampering and preventing memory unmapping attacks.

Memory sealing allows developers to make memory regions immutable from illicit modifications during program runtime. When a virtual memory address (VMA) range is sealed, an attacker with a code execution primitive cannot perform subsequent virtual memory operations to change the VMA’s permissions or modify how it is laid out for their benefit.

...

mseal digresses from prior memory protection schemes on Linux because it is a syscall tailored specifically for exploit mitigation against remote attackers seeking code execution rather than potentially local ones looking to exfiltrate sensitive secrets in-memory.

...

From the disallowed operations, we can discern two particular exploit scenarios that memory sealing will prevent:

  • Tampering with a VMA’s permissions. Notably, not allowing executable permissions to be set can stop the revival of shellcode-based attacks.
  • “Hole-punching” through arbitrary unmapping/remapping of a memory region, mitigating data-only exploits that take advantage of refilling memory regions with attacker-controlled data.

...

There are likely many other use cases and scenarios that we didn’t cover. After all, mseal is the newest kid on the block in the Linux kernel! As the glibc integration completes and matures, we expect to see improved iterations for the syscall to meet particular demands, including fleshing out the ultimate use of the flags parameter.
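The two scenarios listed above (permission tampering and hole-punching by unmapping or remapping) can be observed directly. This is an added example, not code from the quoted blog post or from the kernel authors; `mseal_demo` and `denied` are hypothetical names, and the fallback syscall number 462 is the one assigned to mseal in Linux 6.10, used only when the libc headers do not define `__NR_mseal`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_mseal
#define __NR_mseal 462 /* assumption: older headers; number assigned in Linux 6.10 */
#endif

/* 1 if the call failed with EPERM, which is how a sealed range refuses a change. */
static int denied(long rc) { return rc == -1 && errno == EPERM; }

/*
 * Seals one anonymous read/write page, then attempts the operations the post
 * says sealing prevents. Returns a bitmask of refused operations
 * (1 = mprotect, 2 = munmap, 4 = mmap MAP_FIXED over the range), or -1 when
 * mseal is unavailable (kernel older than 6.10, 32-bit build, or filtered).
 */
int mseal_demo(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    if (syscall(__NR_mseal, p, len, 0UL) != 0) {
        munmap(p, len);
        return -1;
    }
    p[0] = 'x'; /* sealing fixes the mapping, not its contents: writes still work */

    int blocked = 0;
    /* Permission tampering: RW -> RWX is the step that would make data executable. */
    if (denied(mprotect(p, len, PROT_READ | PROT_WRITE | PROT_EXEC)))
        blocked |= 1;
    /* Hole-punching: unmapping the range so it could be refilled. */
    if (denied(munmap(p, len)))
        blocked |= 2;
    /* Remapping in place with MAP_FIXED would replace the sealed VMA. */
    void *q = mmap(p, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (q == MAP_FAILED && errno == EPERM)
        blocked |= 4;
    return blocked;
}

int main(void)
{
    int r = mseal_demo();
    if (r < 0) puts("mseal unavailable on this kernel");
    else printf("refused operations mask: %d (7 = all three)\n", r);
    return 0;
}
```

A sealed range stays mapped until the process exits, so the page is intentionally never freed here.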

104
34
submitted 1 week ago* (last edited 1 week ago) by Chewy7324@discuss.tchncs.de to c/linux@lemmy.ml
105
106
27
submitted 1 week ago* (last edited 1 week ago) by governorkeagan@lemdro.id to c/linux@lemmy.ml
 
 

This started today and hasn’t happened before. Initially I thought it was an application from work that was causing issues. I SSHed into the machine and didn’t see anything strange - I used btop.

I updated the system and rebooted. A few minutes later, when I got to the machine to check everything, it was frozen again. I hadn’t even logged in.

I’ve used the eos-sendlog feature to get the logs and it seems like it might be GPU related.

I was using KDE with X11 when this happened, but I’ve been using that combination for months at this point. Nothing that I’m aware of has changed or been updated recently to possibly cause this issue.

Update: I’ve done a complete shutdown (turned the PSU off) and rebooted with the LTS kernel. So far so good. It doesn’t seem to be a hardware issue as it worked fine on the live USB.

107
 
 

This is probably the last version by me.

Features:

  • Linux native
  • time, 3BV/s and IOE high scores, including percentiles and non-flagging versions
  • scores kept indefinitely for all played games
  • recording and playing replays
  • CSV export
  • timing in milliseconds
  • responsive on slow hardware
  • adjustable square size
  • to reveal squares around a numbered square with flagged adjacent mines you can click the square with any button
  • no "?" marks
  • pause
108
109
110
 
 

@brjsp thanks again for submitting the concern here. We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.

The original sdk repository will be renamed to sdk-secrets, and retains its existing Bitwarden SDK License structure for our Secrets Manager business products. The sdk-secrets repository and packages will no longer be referenced from the client apps, since that code is not used there.

This appears at least okay on the surface. The clients' dependency on sdk-internal didn't change but that's okay now because they have licensed sdk-internal as GPL.

The sdk-secrets will remain proprietary but that's a separate product (Secrets Manager) and will apparently not be used in the regular clients. Who knows for how long though because, if you read carefully, they didn't promise that it will not be used in the future.

The fact that they had ever intended to make parts of the client proprietary without telling anyone and attempted to subvert the GPL while doing so still remains utterly unacceptable. They didn't even attempt to apologise for that.

Bitwarden has now landed itself in the category of software that I would rather move away from and cannot wholeheartedly recommend anymore. That's pretty sad.

111
 
 
# here is where my aliases go yo

alias alias-edit="vim ~/.local/config/alias_config && source ~/.local/config/alias_config && echo 'Alias updated. \n'"


## Modern cli
alias ls="exa"
alias find="fdfind"

## System 76
alias battery-full="system76-power charge-thresholds --profile full_charge"
alias battery-balanced="system76-power charge-thresholds --profile balanced"
alias battery-maxhealth="system76-power charge-thresholds --profile max_lifespan"

## Maintenance
alias update-flatapt="sudo apt update && sudo apt upgrade -y && flatpak update --assumeyes"

## Misc
alias tree="exa --tree"

## Incus
alias devi-do="sudo incus exec dev0 -- su -l devi"

## Some programs
alias code="flatpak run com.visualstudio.code"
112
113
 
 

I’m a teacher and our division just “upgraded” to W11 with a new version of Outlook that is basically a web app on desktop. Several times a day my laptop comes to a complete crawl while Teams decides to open itself. Can’t open or close programs, Firefox won’t register mouse clicks, nothing. Graphical glitches appear all the time with menu bars and task bars disappearing regularly, requiring force quitting the app or logging out of the desktop.

When I first switched to Linux I assumed my experience would be like this. But now it’s the other way around.

Rant over.

114
115
 
 

Now I have more time to do actually important work, boo....

116
 
 

Today I noticed that after I first booted my computer, my motherboard's Bluetooth card wasn't detected. I need Bluetooth to use my speakers because my sound card doesn't have Linux drivers (another problem for another day), so I went without sound today. But then when I restarted the computer to see if that would change anything regarding the Bluetooth, it

a) didn't change anything about the Bluetooth driver, and b) now my 2.4G dongle doesn't work for me to connect my mouse (I can still use it wired though) and my wired keyboard doesn't work.

Both times I booted I noticed that systemd was shutting down udevd, which I have never noticed before. I know that udev controls peripherals, so that is the most likely issue.

How would I go about fixing my computer?

Computer is running Fedora 40 and has an MSI MPG B650 Gaming Edge WiFi. I can send a hardware probe if necessary.

117
20
submitted 1 week ago* (last edited 1 week ago) by variants@possumpat.io to c/linux@lemmy.ml
 
 

Hello, I switched to Linux a few months ago, and one thing I liked doing in the past is running benchmarks with 3DMark to compare my systems as time goes on with the changes I make.

I learned about phoronix test suite and it looks exactly like what I need but I'm having some trouble in finding a way to compare my systems to other people's similar setups.

So far I got something like

MONITOR=cpu.usage,cpu.temp,gpu.usage,gpu.temp phoronix-test-suite benchmark unigine-heaven

But then I only see the tests that I run. Does anyone know what test and the command to be able to compare other people's systems on openbenchmarking.org?

118
 
 

I know I see the little button that does it automatically, but I don't want to use that; I want to know how to do it correctly. Problem is, every guide says to use the .asc file. I don't have that: Tails gave me a .IMG file, a .SIG file, and then I downloaded a tails-signing.key file. How do I manually verify this file with just those files?

119
 
 

They're in their 60's, finally convinced them.

They say things like "This is the same..."

and I'm like

"Ya because that's Firefox, the only program you use..."

"What was Windows even doing for us?"

120
14
submitted 1 week ago* (last edited 1 week ago) by hallettj@leminal.space to c/linux@lemmy.ml
 
 

Some app launchers these days run each app in a new systemd scope, which puts the app process and any child processes into their own cgroup. For example I use rofi which does this, and I noticed that fuzzel does also. That is handy for tracking and cleaning up child processes!

You can see how processes are organized by running,

$ systemctl --user status

I think that's a quite useful way to see processes organized. Looking at it I noticed a couple of scopes that shouldn't still be running.

Just for fun I wanted to use this to try to script a better killall. For example if I run $ killscope slack I want the script to:

  1. find processes with the name "slack"
  2. find the names of the systemd scopes that own those processes (for example, app-niri-rofi-2594858.scope)
  3. kill processes in each scope with a command like, systemctl --user stop app-niri-rofi-2594858.scope

Step 2 turned out to be harder than I liked. Does anyone know of an easy way to do this? Ideally I'd like a list of all scopes with information for all child processes in JSON or another machine-readable format.

systemctl --user status gives me all of the information I want, listing each scope with the command for each process under it. But it is not structured in an easily machine-readable format. Adding --output json does nothing.

systemd-cgls shows the same cgroup information that is shown in systemctl --user status. But again, I don't see an option for machine-readable output.

systemd-cgtop is interesting, but not relevant.

Anyway, I got something working by falling back on the classic commands. ps can show the cgroup for each process:

$  ps x --format comm=,cgroup= | grep '^slack\b'
slack           0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-niri-rofi-2594858.scope
slack           0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-niri-rofi-2594858.scope
slack           0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-niri-rofi-2594858.scope
...

The last path element of the cgroup happens to be the scope name. That can be extracted with awk -F/ '{print $NF}' Then unique scope names can be fed to xargs. Here is a shell function that puts everything together:

function killscope() {
    local name="$1"
    ps x --format comm=,cgroup= \
        | grep "^$name\b" \
        | awk -F/ '{print $NF}' \
        | sort | uniq \
        | xargs -r systemctl --user stop
}

It could be better, and it might be a little dangerous. But it works!

121
 
 

[Solved] just had to create a new partition and then it lets me select FAT.

I'm not sure what happened. I remember using GNOME Disks to do this before, but it isn't working now. Now the only options I get are (MBR/DOS) or (GPT), and neither one will let me access the actual USB afterwards in anything other than GNOME Disks. I can't use file explorer and add anything to it.

What is going on here? I swear this worked well before but now something has changed suddenly and I can't get it to work anymore.

When I restore a Debian disk image to the USB it will finally show up in the file explorer but I can't add anything to it and the only options I get to format it are those ones that won't let me access it in the file explorer and actually use the USB.

What am I doing wrong?

122
 
 

Official statement regarding recent Greg's commit 6e90b675cf942e from Serge Semin

Hello Linux-kernel community,

I am sure you have already heard the news caused by the recent Greg's commit 6e90b675cf942e ("MAINTAINERS: Remove some entries due to various compliance requirements."). As you may have noticed the change concerned some of the Ru-related developers removal from the list of the official kernel maintainers, including me.

The community members rightly noted that the quite short commit log contained very vague terms with no explicit change justification. No matter how hard I tried to get more details about the reason, alas the senior maintainer I was discussing the matter with hasn't given an explanation to what compliance requirements that was. I won't cite the exact emails text since it was a private messaging, but the key words are "sanctions", "sorry", "nothing I can do", "talk to your (company) lawyer"... I can't say for all the guys affected by the change, but my work for the community has been purely volunteer for more than a year now (and less than half of it had been payable before that). For that reason I have no (company) lawyer to talk to, and honestly after the way the patch has been merged in I don't really want to now. Silently, behind everyone's back, bypassing the standard patch-review process, with no affected developers/subsystem notified - it's indeed the worst way to do what has been done. No gratitude, no credits to the developers for all these years of the devoted work for the community. No matter the reason of the situation but haven't we deserved more than that? Adding to the CREDITS file at least, no?..

I can't believe the kernel senior maintainers didn't consider that the patch wouldn't go unnoticed, and the situation might get out of control with unpredictable results for the community, if not straight away then in the middle or long term perspective. I am sure there have been plenty ways to solve the problem less harmfully, but they decided to take the easiest path. Alas what's done is done. A bifurcation point slightly initiated a year ago has just been fully implemented. The reason of the situation is obviously in the political ground which in this case surely shatters a basement the community has been built on in the first place. If so then God knows what might be next (who else might be sanctioned...), but the implemented move clearly sends a bad signal to the Linux community newcomers, to the already working volunteers and hobbyists like me.

Thus even if it was still possible for me to send patches or perform some reviews, after what has been done my motivation to do that as a volunteer has simply vanished. (I might be doing a commercial upstreaming in future though). But before saying goodbye I'd like to express my gratitude to all the community members I have been lucky to work with during all these years.

123
124
125