date 2026-01-29
news
LWN on Rootkit, Cleanup on Aisle fsconfig(), Task-level io_uring Restrictions, and More
-
A free and open-source rootkit for Linux
While there are several rootkits that target Linux, they have so far not fully embraced the open-source ethos typical of Linux software. Luckily, Matheus Alves has been working to remedy this lack by creating an open-source rootkit called Singularity for Linux systems. Users who feel their computers are too secure can install the Singularity kernel module in order to allow remote code execution, disable security features, and hide files and processes from normal administrative tools. Despite its many features, Singularity is not currently known to be in use in the wild — instead, it provides security researchers with a testbed to investigate new detection and evasion techniques.
Alves is quite emphatic about the research nature of Singularity, saying that its main purpose is to help drive security research forward by demonstrating what is currently possible. He calls for anyone using the software to "be a researcher, not a criminal", and to test it only on systems where they have explicit permission to test. If one did wish to use Singularity for nefarious purposes, however, the code is MIT licensed and freely available — using it in that way would only be a crime, not an instance of copyright infringement.
-
Cleanup on aisle fsconfig()
As part of the process of writing man pages for the "new" mount API, which has been available in the kernel since 2019, Aleksa Sarai encountered a number of places where the fsconfig() system call—for configuring filesystems before mounting—needs to be cleaned up. In the 2025 Linux Plumbers Conference (LPC) session that he led, Sarai wanted to discuss some of the problems he found, including at least one with security implications. The idea of the session was for him to describe the various bugs and ambiguities that he had found, but he also wanted attendees to raise other problems they had with the system call.
Christian Brauner, who helped organize the "Containers and checkpoint/restore" microconference (and LPC as well), introduced the session by referring to the "horrific design" of fsconfig()—something that Sarai immediately disclaimed ("I didn't say that"). Sarai began by noting that there are now man pages for the mount API, which may help improve the adoption of the API by filesystems; his theory is that adoption lagged due to having to read the code in order to understand the system calls. "Hopefully, this is at least a slight improvement."
-
Task-level io_uring restrictions
The io_uring subsystem is more than an asynchronous I/O interface for Linux; it is, for all practical purposes, an independent system-call API. It has enabled high-performance applications, but it also brings challenges for code built around classic, Unix-style system calls. For example, the seccomp() sandboxing mechanism does not work with it, causing applications using seccomp() to disable io_uring outright. Io_uring maintainer Jens Axboe is seeking to improve that situation with a rapidly evolving patch series adding a new restrictive mechanism to that subsystem.
The core feature of seccomp() is restricting access to system calls; an installed filter can examine each system call (along with its arguments) made by a thread and decide whether to allow the call to proceed or not. The operations provided by io_uring are analogous to system calls, so one might well want to restrict them in the same way. But seccomp() has no visibility into — and thus no way to control — operations requested via io_uring. Running a program under seccomp() and allowing it access to io_uring almost certainly gives that program a way to bypass the sandboxing entirely.
-
Removing a pointer dereference from slab allocations
Al Viro does not often stray outside of the core virtual filesystem area; when he does, it is usually worthy of note. Recently, he wandered into memory management with this patch series to the slab allocator and some of its users. Kernel developers will often put considerable effort into small optimizations, but it is still interesting to look at just how much effort has gone toward the purpose of avoiding a single pointer dereference in some memory-allocation hot paths.