Kernel Log: Coming in 2.6.36 (Part 3) - Architecture & Infrastructure
by Thorsten Leemhuis
AppArmor, entry points for on-access virus scanners, a rewritten Out-of-Memory (OOM) killer, as well as basic support of Xen-Dom0 code, are among the most important advancements of version 2.6.36 of the Linux kernel. Due to various restructuring measures, this version will be slightly smaller than the previous version despite several hundred thousand new lines of code.
In the early hours of Wednesday, Linus Torvalds issued the sixth pre-release version of Linux 2.6.36. Torvalds indicated that he plans to release the final new version 2.6.36 soon, but that there may still be another release candidate before that.
The Kernel Log takes the release of RC6 as an opportunity to continue its "Coming in 2.6.36" mini series and describe the advancements in the infrastructure area, for instance in terms of the build system, memory management and the support of various CPU and system architectures. Part 1 of the series described the changes in the graphics hardware area; Part 2 discussed file systems as well as the infrastructure and drivers for storage and network hardware; Part 4 discussing the changes in terms of ACPI, PCI, power management and drivers for such technologies as USB, FireWire, V4L / DVB etc will conclude our mini series.
Having for several years tried to integrate the kernel code of their security extension, the developers of AppArmor, which was made available to the open source community by Novell in 2006, have finally managed to incorporate their extension into kernel version 2.6.36 (for instance 1, 2, 3, documentation). Similar to SELinux, AppArmor can restrict applications to a set variety of actions; as a result, attackers who obtain system access, for instance, through a security hole in the server software, can only do limited damage. AppArmor is said to be easier than SELinux in terms of administration. SELinux is Red Hat's preferred choice and is used, for instance, in Red Hat Enterprise Linux (RHEL) and in Fedora. Novell had long focused on AppArmor but gave up its own AppArmor development unit in 2007 and started using SELinux in 2008. This considerably slowed down the development of AppArmor until John Johansen created new momentum in early 2010 and eventually pressed ahead with getting the extension integrated into the official kernel. Johansen used to work for Novell and is currently responsible for the integration of AppArmor into Ubuntu at Canonical.
Numerous attempts over several years were also made by the TALPA-based Fanotify before Torvalds integrated it in the forthcoming version (for instance 1, 2, 3). It is based on Fsnotify, which was integrated and adapted in 2.6.31, and offers entry points which allow, for example, the integration of virus scanners that check accessed files for malicious software before delivering their content ("on-access scan"). Various functional details about Fanotify as well as the problems with previous versions of Fanotify can be found in several articles on LWN.net (for instance 1, 2, 3).
Update - Just days before completion of Linux 2.6.36, the developers deactivated the fanotify user-space interface after a few issues that may have, to some extent, affected the ABI in future were discovered (1, 2, 3). This means that, for now, fanotify is not usable. The developers are correcting the errors behind these issues and re-activate the user-space interfaces for Linux 2.6.37; it is unclear if the patches will be applied to the stable 2.6.36 kernel series.
Memory and thread management
The kernel developers have considerably changed and largely rewritten the Out-of-Memory (OOM) killer that shuts down processes during memory shortages so a system can continue to function (1, 2, 3). Due to these changes, fine-tuning OOM via /proc/<pid>/oom_adj is now marked as "deprecated" and set to be removed in August 2012. Further background information about the OOM changes can be found in the article "Another OOM killer rewrite" on LWN.net.
The kernel hackers have also integrated "Concurrency Managed Workqueues" to optimise the handling of kernel threads (for instance 1, documentation). This technology is designed to make the kernel more efficient in terms of resources, enhance scaling and reduce the number of kernel threads on many systems – the latter will be noted by users as it also reduces the list of kernel threads returned by "ps -A". The developer describes further advantages and his reasons for making the changes in a detailed companion email sent with his patches and in the information given in the Git-Pull request; last autumn, LWN.net published an article about Concurrency Managed Workqueues.