Improved Device Handling

Linux 2.6 has a number of new features for handling devices — especially hot plug devices such as the ones that connect to USB and Firewire interfaces common in today's PCs. First, the kernel uses a new virtual file system called sysfs that is meant to hold information about the devices on the system. The sysfs file system mounts on /sys and it presents a hierarchical view of all the devices organized by device type, bus, and so on.

Through sysfs, the 2.6 kernel makes available to other applications a lot of information about devices, including the name of a device, resources such as interrupts and I/O ports used by the device, the power status of the device, and so on.

Dynamic Device Files with udev

By using the sysfs capabilities available in the Linux 2.6 kernel, a separate device-handling program called udev can now dynamically add device files when the system boots as well as when a device is added to a system. The udev program is invoked by the /sbin/hotplug shell script that runs when any hot plug device such as a USB device is plugged into the computer. udev gives each device a name that stays the same every time that device connects to the system. Fedora Core uses udev to manage the device files in the /dev directory. Every time you boot your PC, the udev program runs and creates all the device files in the /dev directory.
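The link between sysfs and device files can be seen by walking the tree: a sysfs directory that corresponds to a device node carries a `dev` attribute holding its major:minor numbers. The following sketch is an added example, not code from the original text or from udev; the function names, the sample tree and the block/char heuristic are assumptions made for illustration.

```python
import os
import tempfile

def device_nodes(sysfs_root="/sys"):
    """Return sorted (kernel_name, kind, major, minor) tuples, one for each
    sysfs directory that carries a 'dev' attribute ("major:minor")."""
    found = []
    for dirpath, _dirs, files in os.walk(sysfs_root):
        if "dev" not in files:
            continue  # directory describes something without a device node
        try:
            with open(os.path.join(dirpath, "dev")) as fh:
                major, minor = (int(n) for n in fh.read().strip().split(":"))
        except (OSError, ValueError):
            continue  # unreadable or malformed attribute: skip it
        rel = os.path.relpath(dirpath, sysfs_root).split(os.sep)
        # Heuristic (assumption): block devices sit under a 'block' directory.
        kind = "block" if "block" in rel else "char"
        found.append((rel[-1], kind, major, minor))
    return sorted(found)

def build_sample_tree():
    """Create a constructed sysfs-like tree in a temp directory (sample data)."""
    root = tempfile.mkdtemp(prefix="sysfs-demo-")
    sample = {
        "block/sda": "8:0\n",
        "block/sda/sda1": "8:1\n",
        "class/tty/ttyS0": "4:64\n",
        "class/input/mouse0": "13:32\n",
    }
    for rel, dev in sample.items():
        directory = os.path.join(root, rel)
        os.makedirs(directory, exist_ok=True)
        with open(os.path.join(directory, "dev"), "w") as fh:
            fh.write(dev)
    os.makedirs(os.path.join(root, "bus", "usb"))  # no 'dev' file here
    return root

if __name__ == "__main__":
    for name, kind, major, minor in device_nodes(build_sample_tree()):
        print(f"{name:8} {kind:5} {major}:{minor}")
```

Calling `device_nodes()` with no argument reads the real /sys on a running system; the name reported is the kernel's own name for the device, which udev rules may map to a different name under /dev.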

Other device-handling improvements in Linux 2.6 include features which ensure that device driver modules are not unloaded while still in use and that standardize the way in which device drivers make available information about devices they support. All device driver module filenames now use the .ko extension — for kernel object — instead of the generic .o extension commonly used for object files.

Linux 2.6 also has improved support for many devices such as USB 2.0 and wireless devices. As for storage devices, the Integrated Drive Electronics (IDE) — also called AT Attachment (ATA) — and Small Computer System Interface (SCSI) support was updated in Linux 2.6. For example, IDE CD-recorders are now accessed through the IDE driver instead of a special SCSI-emulation driver that was used in earlier versions of the kernel. The 2.6 kernel also supports the new Serial ATA (SATA) interface that can support data transfer rates of 150MB per second.

For desktop users, an exciting new feature of Linux 2.6 is the new sound system called the Advanced Linux Sound Architecture (ALSA). ALSA includes modular drivers for many sound cards and supports systems with multiple sound cards. ALSA also has new capabilities such as support for audio and MIDI (Musical Instrument Digital Interface) devices that connect to the PC through the USB port. In addition to improved audio support, the 2.6 kernel also includes an upgraded Video4Linux (V4L) subsystem that supports television tuners and video cameras. Linux 2.6 also adds built-in support for Digital Video Broadcasting (DVB) hardware, which, with appropriate software, can be used to make a Linux-based video recording device.

Mandatory access control with Security Enhanced Linux

Linux kernel 2.6 includes the mandatory access control framework provided by Security Enhanced Linux (SELinux), which was developed by the National Security Agency (NSA), a U.S. government agency. SELinux is implemented as a Linux Security Module (LSM) — an extension of the Linux kernel that allows security mechanisms to be easily added to the kernel. You can find more about SELinux at the NSA's website, www.nsa.gov/selinux/.

Without SELinux, access control in Linux is based on the user and group ID that owns a process or a file. In this discretionary access control approach, the superuser (root) has absolute discretion to access and do anything on the system. In contrast to this approach, SELinux views the system in terms of subjects (users or processes) and objects (files, devices, any system resources). Subjects can take on different roles such as normal user or system administrator. Each subject also has a domain and each object has a type. SELinux provides fine-grained control over who can access what in a Linux system by defining what domains can access what types and how one domain can transition into another when programs execute.

The mandatory access control rules are defined in the SELinux security policy. To support the fine-grained access control, all files need additional attributes called contexts that are stored in labels added to the files. Think of the contexts as information about which roles can access and do what with the file. When SELinux is enabled, all files in the file system have to be labeled with the security contexts. Only then can SELinux manage the fine-grained access control.
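The domain/type model described above can be made concrete with a small simulation. This is an added example, not code from the original text or from SELinux itself: the policy tables, the helper names and the sample contexts are constructed for illustration, and the sketch models only the SELinux decision (on a real system the ordinary user/group permission checks still run first).

```python
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str  # called the domain when the context labels a process

def parse_context(label: str) -> Context:
    """Split a 'user:role:type' label; any further fields are ignored."""
    parts = label.split(":")
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"malformed security context: {label!r}")
    return Context(*parts[:3])

# Constructed toy policy (illustrative names, not a real SELinux policy).
# (subject domain, object type, object class) -> permitted operations
ALLOW = {
    ("init_t", "httpd_exec_t", "file"): {"execute"},
    ("httpd_t", "httpd_content_t", "file"): {"read"},
    ("sysadm_t", "shadow_t", "file"): {"read", "write"},
}
# (current domain, type of the executed file) -> domain after exec
TRANSITIONS = {("init_t", "httpd_exec_t"): "httpd_t"}

def allowed(subject: str, obj: str, tclass: str, perm: str, uid: int = 0) -> bool:
    """Default-deny lookup. uid is accepted but never consulted: in this
    model, as under SELinux policy, being root grants nothing by itself."""
    s, o = parse_context(subject), parse_context(obj)
    return perm in ALLOW.get((s.type, o.type, tclass), set())

def exec_domain(subject: str, program: str) -> str:
    """Return the domain a process runs in after executing `program`."""
    if not allowed(subject, program, "file", "execute"):
        raise PermissionError(f"{subject} may not execute {program}")
    s, p = parse_context(subject), parse_context(program)
    return TRANSITIONS.get((s.type, p.type), s.type)

if __name__ == "__main__":
    init = "system_u:system_r:init_t"
    web = "system_u:system_r:" + exec_domain(init, "system_u:object_r:httpd_exec_t")
    print("web server runs as", web)
    print("read content:", allowed(web, "system_u:object_r:httpd_content_t", "file", "read"))
    print("read shadow as root:", allowed(web, "system_u:object_r:shadow_t", "file", "read", uid=0))
```

The last check is denied even with uid 0 because no rule pairs the web server's domain with the password file's type; only the administrator domain has one.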

When you install Fedora Core, you can select the level of access control you want SELinux to enforce. This option appears in the GUI installation screen where you configure the firewall.

SELinux can be very helpful in securing your organization's external Web and e-mail servers that are exposed to the Internet and, therefore, subject to attacks. With a well-designed security policy, SELinux can make such Internet-facing servers resistant to damage from attacks, even if an attacker manages to gain superuser privileges. However, the additional effort involved in setting up and running SELinux may not be worthwhile for internal servers not directly connected to the Internet.
