As you may know, Debian 7.0 (codename 'wheezy') includes Linux 3.2.
I'm maintaining the 3.2.y stable series at kernel.org, which will
collect bug fixes and some new hardware support as nominated by
kernel developers and distributors, following the usual stable
kernel rules.
The Debian package has some additional features not present in
mainline Linux 3.2.
Union filesystem
Debian Live needs a union filesystem to allow writing files on top
of the read-only live system image. To support this, we include
Aufs, developed by Junjiro R. Okajima. I hope that Linux will gain
union mount or union
filesystem support in time for the next release, but currently it
doesn't take much work on our part to integrate.
Security hardening
- Magic SysRq functions are restricted by default. This can be
changed through the sysctl kernel.sysrq.
- The kernel modules for the network protocol families AF_IEEE802154,
AF_RDS and AF_DECnet must be loaded explicitly; they are no longer
loaded automatically when a program creates a socket of that family.
- The default permissions on the debugfs root directory are 0700,
i.e. it is accessible only to root. (This change has also been made
in Linux 3.7.)
- The symlink and hard link restrictions from Linux 3.6 (and
previously grsecurity, Openwall and Ubuntu) are included and enabled
by default. This can be changed through the sysctls
fs.protected_symlinks and fs.protected_hardlinks.
- The procfs hidepid= and gid= mount options from Linux 3.3 are
included, though not enabled by default. When enabled, they prevent
users from reading the state of each other's processes through
procfs, which can in some cases be security-sensitive.
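The settings above can all be audited from user space. The script below is an added example, not code from the original post or from the Debian kernel package: it reads the live /proc (no root needed), treats kernel.sysrq as restricted whenever it is neither absent nor 1 (the all-enabled value), and looks for hidepid= among the /proc mount options rather than in sysctl, since it is a mount option. The optional ROOT argument, and the module names decnet, rds and af_802154 for the three protocol families, are assumptions for a 3.2-era kernel rather than anything the post states.

```shell
#!/bin/sh
# Added example, not part of the original post or the Debian package: audit
# the hardening settings listed above on a running system. Everything is
# read through /proc, so no root is needed. The optional ROOT argument
# (default empty, i.e. the live system) points the checks at another tree.

# read_sysctl ROOT KEY: print the value of a dotted sysctl name, or nothing
# if the kernel does not have it (e.g. fs.protected_symlinks before 3.6).
read_sysctl() {
    cat "$1/proc/sys/$(printf '%s' "$2" | tr . /)" 2>/dev/null
}

# proc_opts ROOT: print the mount options of the procfs mounted on /proc.
# /proc/mounts fields: device mountpoint fstype options freq passno.
proc_opts() {
    awk '$2 == "/proc" && $3 == "proc" { print $4; exit }' "$1/proc/mounts" 2>/dev/null
}

# audit_hardening [ROOT]: print one line per check and return the number of
# checks that failed, so 0 means every setting above is in effect.
audit_hardening() {
    root=${1:-}
    fails=0

    # kernel.sysrq: 1 enables every SysRq function, 0 disables all of them,
    # anything else is a bitmask of the functions still allowed.
    v=$(read_sysctl "$root" kernel.sysrq)
    if [ -z "$v" ]; then
        echo "FAIL kernel.sysrq not present"; fails=$((fails + 1))
    elif [ "$v" = 1 ]; then
        echo "FAIL kernel.sysrq=1 (every SysRq function enabled)"; fails=$((fails + 1))
    else
        echo "ok   kernel.sysrq=$v (restricted)"
    fi

    # fs.protected_symlinks / fs.protected_hardlinks: 1 = restrictions on.
    for key in fs.protected_symlinks fs.protected_hardlinks; do
        v=$(read_sysctl "$root" "$key")
        if [ "$v" = 1 ]; then
            echo "ok   $key=1"
        else
            echo "FAIL $key=${v:-missing} (want 1)"; fails=$((fails + 1))
        fi
    done

    # procfs hidepid: hidepid=1 hides other users' process details,
    # hidepid=2 hides their processes entirely; gid= names an exempt group.
    opts=$(proc_opts "$root")
    case ",$opts," in
        *,hidepid=1,*|*,hidepid=2,*)
            echo "ok   /proc mounted with $opts" ;;
        *)  echo "FAIL /proc mounted without hidepid (options: ${opts:-unknown})"
            fails=$((fails + 1)) ;;
    esac

    # AF_DECnet, AF_RDS and AF_IEEE802154 modules (names assumed for a
    # 3.2-era kernel): never auto-loaded by socket(2) here, so a loaded one
    # was requested by someone. Reported but not counted, as it may be wanted.
    for m in decnet rds af_802154; do
        if grep -q "^$m " "$root/proc/modules" 2>/dev/null; then
            echo "WARN module $m is loaded"
        fi
    done

    return "$fails"
}

# Stand-alone use: audit the live system.
if audit_hardening; then
    echo "all hardening checks passed"
else
    echo "some hardening checks failed"
fi
```

The hidepid check only tells you whether the option is on the current mount; because it is a mount option it has to be applied in /etc/fstab (or by remounting /proc) rather than in sysctl.conf, which is the usual reason it is found missing after a reboot.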
Bufferbloat
I backported two big pieces of the solution to bufferbloat:
- Byte Queue Limits (BQL) allows network drivers to reduce
unnecessary buffering in their hardware transmit queues. This has
been implemented in the bnx2, bnx2x, e1000e, forcedeth, igb, ixgbe,
sfc, skge and tg3 drivers in Linux 3.3 onwards. Documentation is in
the commit that added it, but you're unlikely to need it.
- The CoDel queue management algorithm can reduce unnecessary
buffering in software transmit queues. FQ CoDel adds an element of
'fairness' between multiple network flows. These were implemented as
the queue disciplines codel and fq_codel in Linux 3.5. They can be
selected using the tc command, e.g.:
    tc qdisc replace dev eth0 root fq_codel
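To see whether a given interface actually benefits from either fix, you can read the BQL state from sysfs and the root qdisc from tc. The script below is an added example, not code from the original post or from the Debian package. It assumes the sysfs layout /sys/class/net/DEV/queues/tx-N/byte_queue_limits/{inflight,limit,limit_max}, the line format of `tc qdisc show dev DEV`, a default interface name of eth0, and the constructed sample tc output embedded in it; the ROOT argument exists only so the sysfs lookup can be pointed at another tree.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Debian kernel
# package: show whether an interface has the two bufferbloat fixes in use.
# BQL state comes from sysfs, which the kernel exposes only for drivers
# that support BQL; the root qdisc is parsed from `tc qdisc show dev DEV`
# output read on stdin, so the parser can also be fed captured text.
# ROOT (default empty, i.e. the live system) relocates the sysfs lookup.

# Constructed sample of tc output (not captured from a real host), used to
# exercise the parser when tc is unavailable.
sample_tc='qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1'

# root_qdisc: print the kind of the root qdisc from tc output on stdin.
# Root lines look like "qdisc fq_codel 8001: root refcnt 2 ..."; the
# children of an mq root say "parent :N" in field 4 and are skipped.
root_qdisc() {
    awk '$1 == "qdisc" && $4 == "root" { print $2; exit }'
}

# has_codel KIND: succeed when KIND is one of the CoDel qdiscs.
has_codel() {
    case $1 in
        codel|fq_codel) return 0 ;;
        *) return 1 ;;
    esac
}

# bql_summary ROOT DEV: print one line per transmit queue that exposes BQL
# counters; fail if the driver has no byte_queue_limits directory at all.
bql_summary() {
    root=$1; dev=$2; found=0
    for q in "$root/sys/class/net/$dev/queues/"tx-*; do
        b="$q/byte_queue_limits"
        [ -d "$b" ] || continue
        found=1
        # inflight: bytes currently queued to hardware; limit: the current
        # dynamic byte limit; limit_max: the ceiling on limit (writable).
        printf '%s inflight=%s limit=%s limit_max=%s\n' "$(basename "$q")" \
            "$(cat "$b/inflight")" "$(cat "$b/limit")" "$(cat "$b/limit_max")"
    done
    [ "$found" -eq 1 ]
}

# bufferbloat_status ROOT DEV: run both checks and print a verdict.
bufferbloat_status() {
    root=$1; dev=$2
    if bql_summary "$root" "$dev"; then
        echo "$dev: driver supports BQL"
    else
        echo "$dev: no BQL (driver not converted, or not a physical NIC)"
    fi
    kind=$(tc qdisc show dev "$dev" 2>/dev/null | root_qdisc)
    if has_codel "${kind:-none}"; then
        echo "$dev: root qdisc is $kind"
    else
        echo "$dev: root qdisc is ${kind:-unknown}; to fix:" \
             "tc qdisc replace dev $dev root fq_codel"
    fi
}

# Stand-alone use: parse the sample, then inspect the live interface given
# as the first argument (default eth0).
echo "sample root qdisc: $(printf '%s\n' "$sample_tc" | root_qdisc)"
bufferbloat_status "" "${1:-eth0}"
```

On a multiqueue NIC the root qdisc is mq and the real queueing happens in its per-queue children, so root_qdisc reports mq and the children need inspecting too; `tc qdisc replace dev DEV root fq_codel` replaces that mq root with a single fq_codel instance shared by all queues.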
posted at: 03:35