Software Releases

Linux Software Releases, January 2015

In our connected world, the traditional UNIX privilege separation is no longer enough. Security models are changing in order to provide the higher level of protection that users expect. We start with seccomp-bpf, a kernel feature introduced in Linux 3.5 in 2012 that seems to gain more and more popularity as networked applications grow and expand. After a short introduction and a look at some of the software packages using seccomp-bpf, we continue with the list of projects released during January.

Project of the Month: seccomp-bpf

seccomp-bpf is an application sandboxing mechanism in the Linux kernel that filters system calls (syscalls) according to a policy expressed as a classic Berkeley Packet Filter (BPF) program. The process installs the program once; the kernel then runs it on every syscall the process (and any child it later creates) makes, and the program's return value decides whether the call is allowed, fails with an errno, traps to a signal handler, or kills the process.

The Linux kernel supports over 300 syscalls (on x86-64), but a typical application needs only a small subset of them to function normally. With seccomp-bpf we can disable the unused syscalls for a particular application, thus limiting the attack surface the kernel exposes to a compromised process: a bug in the application can only be turned into a kernel exploit through the syscalls the policy leaves open. Used with the kill action it also works like a tripwire. If the application suddenly starts making unusual syscalls, for example because injected shellcode is running, the kernel kills it immediately.

seccomp-bpf was introduced in Linux kernel 3.5. It is enabled (CONFIG_SECCOMP_FILTER=y) in the kernels shipped by most Linux distributions; grep SECCOMP /boot/config-$(uname -r) shows whether yours has it. Application authors can use the API exposed by the kernel directly, writing the BPF program by hand and installing it with prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...), or they can use the external library libseccomp, which generates the BPF program from a list of allow/deny rules and hides the architecture-specific syscall numbers. One practical caveat: an unprivileged process must first call prctl(PR_SET_NO_NEW_PRIVS, 1, ...), otherwise the kernel refuses to install the filter. The kernel insists on this because a filter installed before execve() is inherited, and a setuid program could otherwise be tricked by a hostile policy chosen by its unprivileged parent.
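The following is an added example, not code from the original post or from any of the projects mentioned on this page. It builds a minimal whitelist policy with the raw kernel API (no libseccomp), checks the architecture before the syscall number, and installs it with prctl(). The tiny classic-BPF interpreter run_filter() is this example's own test aid, not something the kernel exposes: it evaluates the same instructions the kernel would, so the policy can be checked offline without killing the process. The allowed syscall list (read, write, exit, exit_group) is a constructed choice for the demonstration, and the code assumes x86-64 or AArch64 Linux with the kernel headers installed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Check the ABI first: syscall numbers differ between architectures, and on
 * x86-64 a process can still enter the kernel through the 32-bit ABI. */
#if defined(__x86_64__)
#  define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Newer headers split SECCOMP_RET_KILL into thread/process variants; a
 * tripwire should take the whole process down, not just one thread. */
#ifdef SECCOMP_RET_KILL_PROCESS
#  define KILL_ACTION SECCOMP_RET_KILL_PROCESS
#else
#  define KILL_ACTION SECCOMP_RET_KILL
#endif

/* Two instructions: if the accumulator holds this syscall number, allow it. */
#define ALLOW_SYSCALL(name) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##name, 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Whitelist policy (constructed for this example): anything else is killed. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, KILL_ACTION),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW_SYSCALL(read),
    ALLOW_SYSCALL(write),
    ALLOW_SYSCALL(exit),
    ALLOW_SYSCALL(exit_group),
    BPF_STMT(BPF_RET | BPF_K, KILL_ACTION),
};
#define FILTER_LEN (sizeof filter / sizeof filter[0])

/* Toy interpreter for the classic-BPF subset used above (not a kernel API).
 * Returns the SECCOMP_RET_* action, or UINT32_MAX on anything it cannot run. */
uint32_t run_filter(const struct sock_filter *prog, size_t len,
                    const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:            /* load a seccomp_data field */
            if (in->k == offsetof(struct seccomp_data, nr))
                acc = (uint32_t)d->nr;
            else if (in->k == offsetof(struct seccomp_data, arch))
                acc = d->arch;
            else
                return UINT32_MAX;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:           /* jt/jf are relative to next insn */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return UINT32_MAX;
        }
    }
    return UINT32_MAX;  /* fell off the end; the kernel rejects such programs */
}

/* What the policy decides for syscall `nr` arriving through ABI `arch`. */
uint32_t decide(int nr, uint32_t arch)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    return run_filter(filter, FILTER_LEN, &d);
}

/* Install the policy for the calling thread; children inherit it. */
int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN, .filter = filter };
    /* Required for an unprivileged process, see the paragraph above. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (install_filter() == -1) {
        perror("install_filter");
        return 1;
    }
    write(STDOUT_FILENO, "sandboxed\n", 10);   /* write(2) is allowed */
    syscall(SYS_getpid);                        /* not allowed: SIGSYS here */
    write(STDOUT_FILENO, "never printed\n", 14);
    return 0;
}
```

Build with cc -Wall seccomp_demo.c and run it: the program prints "sandboxed" and is then killed with SIGSYS ("Bad system call") at the getpid() tripwire. Hand-writing the instruction array is where mistakes creep in (a wrong jump offset silently turns a whitelist into a pass-through), which is the main reason to reach for libseccomp in real code, or at least to exercise the policy with something like run_filter() before installing it.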

Applications already using seccomp-bpf

Most applications combine seccomp-bpf with other isolation mechanisms implemented in the Linux kernel, chiefly chroot and Linux namespaces, since a syscall filter alone does not restrict which files or network endpoints the process can reach through the calls it is still allowed to make. This is a short list of programs using seccomp-bpf:

  • vsftpd – the vsftpd FTP server was one of the first applications to use a whitelist seccomp filter to boost security. It also uses chroot and Linux namespaces.
     
  • OpenSSH (sshd) – the privilege-separated pre-authentication process of sshd follows closely in the footsteps of vsftpd: it runs chrooted and, on Linux, under a whitelist seccomp filter.
     
  • BIND – BIND is by far the most widely used DNS server software on the Internet. A whitelist seccomp filter was introduced in version 9.10.1.
     
  • Google Chrome/Chromium – Google had been experimenting with sandboxes in Chromium long before seccomp-bpf was introduced in Linux kernel 3.5. It currently uses a SUID sandbox to restrict the renderer (worker) processes with PID and network namespaces, and seccomp-bpf on top of that.
     
  • Opera Web Browser – some time ago Opera switched its browser internals to a fork of Google Chromium. The SUID sandbox, Linux namespaces and seccomp-bpf filters survived the porting and are currently used by the browser.
     
  • QEMU – QEMU (Quick EMUlator) is a generic machine emulator and virtualizer. It is often used together with hardware acceleration from a hypervisor such as KVM or Xen. Recently, QEMU introduced seccomp-bpf support. The kernel then filters the syscalls of the QEMU process itself, which limits what a malicious guest that manages to escape into QEMU can do to the host.
     
  • LXC – LXC is a generic sandbox for running containers. Unlike other sandboxes available, its focus is running full distro images, also known as system containers. It uses Linux namespaces, chroot and seccomp. By default the syscall list is empty; the user has to build her own list.
     
  • Firejail – Firejail is a generic sandbox used to add chroot, Linux namespaces and seccomp support to any server or desktop application. The main focus is running web browsers, such as Firefox and Chromium. The sandbox installs a default seccomp blacklist filter that disables a number of dangerous syscalls; being a blacklist, it blocks only what is listed, unlike the whitelists above, which block everything not listed. The filter can be expanded by the user.
     

This is a very small list of programs; I only hope more and more developers will consider using these types of security technologies. Adding seccomp, chroot and Linux namespaces support to an existing application is easy: the heavy lifting is implemented in the Linux kernel and there are no external dependencies required. Most of the time all it takes is a small number of simple system calls, plus the work of finding out which syscalls the application actually needs (running it under strace -c through its normal workload is a common starting point).

Software

VOIP Monitor

VoIPmonitor is an open source network packet sniffer with a commercial frontend for the SIP, SKINNY, RTP and RTCP VoIP protocols, running on Linux. VoIPmonitor is designed to analyze the quality of VoIP calls based on network parameters (delay variation and packet loss) according to the ITU-T G.107 E-model, which predicts quality on the MOS scale. Calls with all relevant statistics are saved to a MySQL or ODBC database. Optionally each call can be saved to a pcap file with either only the SIP / SKINNY protocol or the SIP/RTP/RTCP/T.38/udptl protocols. VoIPmonitor can also decode audio …(more)

Tags: networking

DrawPile

Drawpile is a networked drawing program that allows multiple people to sketch on the same image simultaneously. It is developed as a Free/Libre Open Source project and is available at no cost. The goal of the project is to produce a simple, easy to use multiplatform collaboration tool. Drawpile supports the OpenRaster file format and thus works well with other Free painting applications such as MyPaint, Krita and GIMP …(more)

Tags: graphics networking

Scribus

Scribus is an Open Source program that brings professional page layout to Linux, BSD UNIX, Solaris, OpenIndiana, GNU/Hurd, Mac OS X, OS/2 Warp 4, eComStation, and Windows desktops with a combination of press-ready output and new approaches to page design …(more)

Tags: desktop

PMD

PMD is a source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports Java, JavaScript, XML, XSL. Additionally it includes CPD, the copy-paste-detector. CPD finds duplicated code in Java, C, C++, C#, PHP, Ruby, Fortran, JavaScript …(more)

Tags: programming

OpenNMS

OpenNMS is a free and open-source enterprise grade network monitoring and network management platform. The goal is for OpenNMS to be a truly distributed, scalable management application platform for all aspects of the FCAPS network management model while remaining 100% free and open source. Currently the focus is on Fault and Performance Management …(more)

Tags: networking monitoring

SuperTuxKart

SuperTuxKart is a Free 3d kart racing game. You can play with up to 4 friends on one PC, racing against each other or just try to beat the computer (a network multiplayer feature is planned). See the great lighthouse or drive through the sand and visit the pyramids. Race underground or in space, watching the stars passing by. Have some rest under the palms on the beach (watching the other karts overtaking you 🙂 ). But don’t eat the bananas! Watch for bowling balls, plungers, bubble gum and cakes thrown by opponents. You can do a single race against other karts, compete in one of several Grand Prix, try to beat the high score in time trials on your own, play battle mode against your friends, and more! …(more)

Tags: games desktop

Pale Moon

Pale Moon is an open source web browser based on Firefox, focusing on efficiency and ease of use, by leaving out unnecessary features and making optimizations, while maintaining compatibility with Firefox extensions and themes. Pale Moon provides a familiar set of controls and visual feedback similar to previous versions of Firefox, including grouped navigation buttons, a bookmarks toolbar that is enabled by default, tabs next to page content by default, and a functional status bar …(more)

Tags: desktop networking

Apache HTTP Server

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards …(more)

Tags: networking apache

GParted

GNOME Partition Editor is a graphical partition editor for creating, reorganizing, and deleting disk partitions. It uses libparted from the parted project to detect and manipulate partition tables. Optional file system tools permit managing file systems not included in libparted …(more)

Tags: desktop system

PeerGuardian

PeerGuardian is a privacy oriented firewall application. It blocks connections to and from hosts specified in huge blocklists (thousands or millions of IP ranges). It originated as a tool for blocking aggressive IPs while using P2P …(more)

Tags: networking

phpMyAdmin

phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL, MariaDB and Drizzle. Frequently used operations (managing databases, tables, columns, relations, indexes, users, permissions, etc) can be performed via the user interface, while you still have the ability to directly execute any SQL statement …(more)

Tags: system monitoring

LibreOffice

LibreOffice is a free and open source office suite, developed by The Document Foundation. It was forked from OpenOffice.org in 2010, which was an open-sourced version of the earlier StarOffice. The LibreOffice suite comprises programs to do word processing, spreadsheets, slideshows, diagrams and drawings, maintain databases, and compose math formulae …(more)

Tags: desktop text-editor graphics

Wine

Wine is an Open Source implementation of the Windows API on top of X and Unix. Wine provides both a development toolkit for porting Windows sources to Unix and a program loader, allowing many unmodified Windows binaries to run on x86-based Unixes …(more)

Tags: desktop

Firefox

Mozilla Firefox (known simply as Firefox) is a free and open-source web browser developed for Windows, OS X, and Linux, with a mobile version for Android, by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. Firefox uses the Gecko layout engine to render web pages, which implements current and anticipated web standards …(more)

Tags: desktop networking

Apache Tomcat

Apache Tomcat (or simply Tomcat, formerly also Jakarta Tomcat) is an open source web server and servlet container developed by the Apache Software Foundation (ASF). Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a “pure Java” HTTP web server environment for Java code to run in. In the simplest config Tomcat runs in a single operating system process. The process runs a Java virtual machine (JVM). Every single HTTP request from a browser to Tomcat is processed in the Tomcat process in a separate thread …(more)

Tags: networking apache

OpenSSL

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them. …(more)

Tags: networking

Firejail

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It includes a sandbox profile for Mozilla Firefox …(more)

Tags: console

Apache Cassandra

Apache Cassandra is an open source distributed database management system designed to handle large amounts of data across many commodity servers, providing high availability with no single point of failure. Cassandra offers robust support for clusters spanning multiple datacenters, with asynchronous masterless replication allowing low latency operations for all client …(more)

Tags: networking apache

Scintilla

Scintilla is a free source code editing component. As well as features found in standard text editing components, Scintilla includes features especially useful when editing and debugging source code. These include support for syntax styling, error indicators, code completion and call tips. The selection margin can contain markers like those used in debuggers to indicate breakpoints and the current line. Styling choices are more open than with many editors, allowing the use of proportional fonts, bold and italics, multiple foreground and background colours and multiple fonts …(more)

Tags: desktop text-editor programming

Lightweight Java Game Library

The Lightweight Java Game Library (LWJGL) is a solution aimed directly at professional and amateur Java programmers alike to enable commercial quality games to be written in Java. LWJGL provides developers access to high performance crossplatform libraries such as OpenGL (Open Graphics Library), OpenCL (Open Computing Language) and OpenAL (Open Audio Library) allowing for state of the art 3D games and 3D sound. Additionally LWJGL provides access to controllers such as Gamepads, Steering wheel and Joysticks. All in a simple and straight forward API …(more)

Tags: games programming

Inkscape

Inkscape is professional quality vector graphics software which runs on Windows, Mac OS X and Linux. It is used by design professionals and hobbyists worldwide, for creating a wide variety of graphics such as illustrations, icons, logos, diagrams, maps and web graphics. Inkscape uses the W3C open standard SVG (Scalable Vector Graphics) as its native format, and is free and open-source software …(more)

Tags: desktop graphics

ImageMagick

ImageMagick® is a software suite to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 100) including DPX, EXR, GIF, JPEG, JPEG-2000, PDF, PNG, Postscript, SVG, and TIFF. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bezier curves …(more)

Tags: graphics console

Apache Traffic Server

Apache Traffic Server software is a fast, scalable and extensible HTTP/1.1 compliant caching proxy server. Formerly a commercial product, Yahoo! donated it to the Apache Foundation, and it is now an Apache top level project …(more)

Tags: networking apache

Samba

Samba is a free software re-implementation of the SMB/CIFS networking protocol, originally developed by Andrew Tridgell. As of version 3, Samba provides file and print services for various Microsoft Windows clients and can integrate with a Windows Server domain, either as a Primary Domain Controller (PDC) or as a domain member. It can also be part of an Active Directory domain …(more)

Tags: networking

SWIG

SWIG is a software development tool that connects programs written in C and C++ with a variety of high-level programming languages. SWIG is used with different types of target languages including common scripting languages such as Javascript, Perl, PHP, Python, Tcl and Ruby …(more)

Tags: programming

DVDStyler

DVDStyler is a cross-platform free DVD authoring application for the creation of professional-looking DVDs. It allows not only burning of video files on DVD that can be played on standalone DVD player, but also creation of individually designed DVD menus …(more)

Tags: desktop sound-video

Wireshark

Wireshark is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file. Wireshark’s native capture file format is libpcap format, which is also the format used by tcpdump and various other tools …(more)

Tags: networking desktop

cppcheck

cppcheck is a static analysis tool for C/C++ code. Unlike C/C++ compilers and many other analysis tools it does not detect syntax errors in the code. Cppcheck primarily detects the types of bugs that the compilers normally do not detect. The goal is to detect only real errors in the code (i.e. have zero false positives) …(more)

Tags: programming

 

Kernel

Linux Kernel

The kernel is the essential center of the Linux operating system, the core that provides basic services for all other parts of the operating system. The kernel was written from scratch by Linus Torvalds with assistance from a loosely-knit team of hackers across the Net. It aims towards POSIX and Single UNIX Specification compliance. …(more)

Tags: system

Linux Kernel Utils

Several user-space utility programs developed on kernel.org, used to control the kernel …(more)

Tags: system

 

KDE

Oxygen

The Oxygen Project was created to give a visual refresh to KDE Plasma Workspaces. It consists of a set of computer icons, a window decoration for KWin, widget toolkit themes for GTK and Qt, two themes for Plasma Workspaces, and a TrueType font family …(more)

Tags: desktop KDE

Muon

The Muon Package Management Suite is a collection of several package management tools based on the QApt package management library for Debian-based systems …(more)

Tags: KDE

 

Gnome

Gnumeric

Gnumeric is a spreadsheet, a computer program used to manipulate and analyze numeric data. Gnumeric can help you keep track of information in lists, organize numeric values in columns and rows, perform and update complex calculations by defining each step of the calculation and modifying particular steps subsequently, create and display or print graphical plots of data using bar plots, line graphs, pie charts or radar charts, implement complex optimization modeling or perform many other tasks involving numbers, dates, times, names or other data …(more)

Tags: desktop Gnome

Music

Music is the new GNOME music playing application, a simple and elegant replacement for using Files to show the Music directory. …(more)

Tags: desktop Gnome sound-video

Nautilus

GNOME Files, formerly called Nautilus, is the official file manager for the GNOME desktop. The name is a play on words, evoking the shell of a nautilus to represent an operating system shell. Nautilus replaced Midnight Commander in GNOME 1.4 and was the default from version 2.0 onwards …(more)

Tags: Gnome desktop

Photos

Photos is an application to access, organize and share your photos in GNOME 3 desktop environment, a simple and elegant replacement for using Files to show the Pictures directory. …(more)

Tags: desktop Gnome graphics

Vino

Vino is the VNC server for the GNOME desktop environment …(more)

Tags: Gnome networking desktop

 

GNU

Patch

GNU Patch takes a patch file containing a difference listing produced by the diff program and applies those differences to one or more original files, producing patched versions …(more)

Tags: GNU programming

Mailman, the GNU Mailing List Manager

Mailman is free software for managing electronic mail discussion and e-newsletter lists. Mailman is integrated with the web, making it easy for users to manage their accounts and for list owners to administer their lists. Mailman supports built-in archiving, automatic bounce processing, content filtering, digest delivery, spam filters, and more …(more)

Tags: GNU networking

help2man

help2man produces simple manual pages from the –help and –version output of other commands …(more)

Tags: GNU programming

IceCat

GNU IceCat is the GNU version of the Firefox browser. Its main advantage is an ethical one: it is entirely free software. While the Firefox source code from the Mozilla project is free software, they distribute and recommend non-free software as plug-ins and addons. Also their trademark license restricts distribution in several ways incompatible with freedom 0 …(more)

Tags: GNU browsers

Bison

Bison is a general-purpose parser generator that converts an annotated context-free grammar into a deterministic LR or generalized LR (GLR) parser employing LALR(1) parser tables. As an experimental feature, Bison can also generate IELR(1) or canonical LR(1) parser tables. Once you are proficient with Bison, you can use it to develop a wide range of language parsers, from those used in simple desk calculators to complex programming languages …(more)

Tags: GNU programming

RCS

The Revision Control System (RCS) manages multiple revisions of files. RCS automates the storing, retrieval, logging, identification, and merging of revisions. RCS is useful for text that is revised frequently, including source code, programs, documentation, graphics, papers, and form letters …(more)

Tags: GNU programming

Parallel

GNU parallel is a shell tool for executing jobs in parallel using one or more computers. A job can be a single command or a small script that has to be run for each of the lines in the input. The typical input is a list of files, a list of hosts, a list of users, a list of URLs, or a list of tables. A job can also be a command that reads from a pipe. GNU parallel can then split the input and pipe it into commands in parallel. …(more)

Tags: GNU console

Libtool

GNU Libtool is a computer programming tool from the GNU build system used for creating portable compiled libraries.Libtool helps manage the creation of static and dynamic libraries on various Unix-like operating systems. Libtool accomplishes this by abstracting the library-creation process, hiding differences between various systems …(more)

Tags: GNU programming

LibreJS

GNU LibreJS aims to address the JavaScript problem described in Richard Stallman’s article The JavaScript Trap. LibreJS is a free add-on for GNU IceCat and other Mozilla-based browsers. It blocks nonfree nontrivial JavaScript while allowing JavaScript that is free and/or trivial …(more)

Tags: GNU

GDB

GDB, the GNU Project debugger, allows you to see what is going on 'inside' another program while it executes, or what another program was doing at the moment it crashed …(more)

Tags: GNU programming

FreeIPMI

FreeIPMI provides in-band and out-of-band IPMI software based on the IPMI v1.5/2.0 specification. The IPMI specification defines a set of interfaces for platform management and is implemented by a number vendors for system management. The features of IPMI that most users will be interested in are sensor monitoring, system event monitoring, power control, and serial-over-LAN (SOL) …(more)

Tags: GNU system monitoring

nano

GNU nano is a small and friendly text editor. Besides basic text editing, nano offers many extra features like an interactive search and replace, go to line and column number, auto-indentation, feature toggles, internationalization support, and filename tab completion …(more)

Tags: GNU console text-editor

Automake

Automake is a tool for automatically generating Makefile.in files from files called Makefile.am. Each Makefile.am is basically a series of make variable definitions, with rules being thrown in occasionally. The generated Makefile.ins are compliant with the GNU Makefile standards …(more)

Tags: GNU programming

Chess

GNU Chess is a chess-playing program. It can be used to play chess against the computer on a terminal or, more commonly, as a chess engine for graphical chess frontends such as XBoard …(more)

Tags: GNU games

UnRTF

UnRTF is a command-line program written in C which converts documents in Rich Text Format (.rtf) to HTML, LaTeX, troff macros, and RTF itself …(more)

Tags: GNU

 

freedesktop.org

libinput

libinput is a library to handle input devices in Wayland compositors and to provide a generic X.Org input driver. It provides device detection, device handling, input device event processing and abstraction, to minimize the amount of custom input code compositors need to provide the common set of functionality that users expect …(more)

Tags: freedesktop

libqmi

libqmi is a glib-based library for talking to WWAN modems and devices which speak the Qualcomm MSM Interface (QMI) protocol …(more)

Tags: freedesktop networking

libmbim

libmbim is a glib-based library for talking to WWAN modems and devices which speak the Mobile Interface Broadband Model (MBIM) protocol …(more)

Tags: freedesktop networking

Farstream

The Farstream (formerly Farsight) project is an effort to create a framework to deal with all known audio/video conferencing protocols. On one side it offers a generic API that makes it possible to write plugins for different streaming protocols, on the other side it offers an API for clients to use those plugins. The main target clients for Farstream are Instant Messaging applications. These applications should be able to use Farstream for all their Audio/Video conferencing needs without having to worry about any of the lower level streaming and NAT traversal issues …(more)

Tags: freedesktop

AppStream

The AppStream software provides basic tools to build an AppStream database. It also provides libappstream, a library which makes it easy to write software-center-like applications by providing access to the AppStream metadata. …(more)

Tags: freedesktop

HarfBuzz

HarfBuzz is an OpenType text shaping engine …(more)

Tags: freedesktop

AccountsService

AccountsService is a D-Bus service for accessing the list of user accounts and information attached to those accounts. AccountsService has been developed in and is used by the GNOME project but should be usable in other desktops. It is a young project and is being kept pliable to update to requirements as they arise. See also SSSD which may replace / absorb AccountsService in the future …(more)

Tags: freedesktop

PulseAudio

PulseAudio is a sound system for POSIX OSes, meaning that it is a proxy for your sound applications. It allows you to do advanced operations on your sound data as it passes between your application and your hardware. Things like transferring the audio to a different machine, changing the sample format or channel count and mixing several sounds into one are easily achieved using a sound server. …(more)

Tags: freedesktop sound-video

ModemManager

ModemManager is a DBus-activated daemon which controls mobile broadband (2G/3G/4G) devices and connections. Whether built-in devices, USB dongles, bluetooth-paired telephones, or professional RS232/USB devices with external power supplies, ModemManager is able to prepare and configure the modems and set up connections with them. 1.x is the stable series of ModemManager using the improved /org/freedesktop/ModemManager1 interface …(more)

Tags: freedesktop networking

Fontconfig

Fontconfig is a library for configuring and customizing font access …(more)

Tags: freedesktop

 

2 thoughts on “Linux Software Releases, January 2015

  1. Pingback: 1p – Project of the Month: seccomp-bpf – Exploding Ads

  2. Pingback: Links 8/2/2015: Fluxbox 1.3.7, GNU Lightning 2.1.0 | Techrights