Operating Systems 2020W Lecture 22

From Soma-notes

Video

Video from the lecture given on April 1, 2020 is now available.

Notes

Lecture 22
----------

 - scheduling
 - start semester review
 - answer questions about tutorials 8, 9, and assignment 4
 - final exam review session

 - multiple choice A4 questions due before lecture on Friday
     - will go over them in class

 - culearn submissions for A4 multiple choice will open this evening
     - just fiddling with cuLearn
     - note that answers may be randomized relative to those
       on the wiki, so make sure you select the right answers
     - there's no time limit, but has to be completed by 2:30 PM Friday
     
 - will also open submissions to short answers for A4
     - completely optional, but should be also submitted by class
       on Friday as I will distribute solutions to them
     - If you mess up on the multiple choice questions but
       submit the short answers, we can grade them, but
       only on request

 - Final exam review session
     - April 9th, 2:30 PM if that works for everyone?
        - please answer the poll, if too many people can't
	  make it will consider other times
     - will livestream and record as usual, can ask questions in advance
       (and of course on discord)
     - will go through topics as before for midterm

 - Final exam on April 13, 7 PM
     - will post on cuLearn at 7 PM
     - upload solutions as a text file by 9 PM
     - open book, open internet, but NO COLLABORATION
     - if you have PMC accommodations, submit after your extra time
       (i.e, with 50% more time, submit by 10 PM)


Thoughts related to Zoom
 - if you download and run code in Linux, normally this code has full access
   as whatever user runs the program
     - so if I run a program, it can do everything that I can do as a user
 - this is potentially a problem with proprietary software, because
   who knows what it could do?

Linux distributions have developed ways to distribute software outside of normal packaging
 - big concern: limiting access of third party code
 - unlike software coming from the distribution, there's been no
   third party review

snap and flatpak are two standards for distributing software for linux systems
in a self-contained way
 - allows third party to update code separately from linux distribution
 - works accross linux distributions
 - key idea: installed software is confined in some way (generally)

snaps are confined in multiple ways
 - have their own filesystem, with local resources mounted to specified locations in their filesystem
    - can't access files outside of their filesystem by default
 - yes, this is a kind of container!

This sort of confinement is standard practice on iOS
 - Android has per-app permissions but Android apps aren't as isolated
   as iOS apps (but they have gotten much closer in more recent releases
   of both systems)

 - Microsoft was trying to push similar tech with their app store,
   but that hasn't had as much traction due to legacy app concerns
   (and protests from existing software developers, companies)

 - Apple is trying to make 3rd party apps more confined when installed
   through the Mac app store, but they also have push back (but have
   been more successful than Microsoft)

Classic desktop environments didn't confine apps, so confinement was really developed for mobile systems and is being retrofitted onto desktops and servers.

If I'm going to install software that isn't part of Ubuntu, I try to do it with a snap if at all possible.  (Ubuntu -> snap, Red Hat -> flatpak)

snaps have no performance reduction, except that snaps can take up more disk and RAM
  - use their own libraries for portability, can't depend on what comes
    with the distribution

the "zoom sending to facebook" thing seems to be them using the Facebook SDK to add "login with facebook" functionality and it phoning home by default
  - but when you dig deeper there are a number of other shady things,
    like leaving code around after an uninstall so zoom will be auto-installed
    when a user attempts to join a zoom call (on MacOS I believe)

snaps are completely optional, the base ubuntu system doesn't use it except for a few popular apps (e.g., chromium)

process-control allows you to control arbitrary processes (not sure the mechanism, but I assume send signals, run ptrace, etc).  I think it is just for processes you own, but that is bad enough.  (I hope it isn't for all system processes but it may be!)

you can control privileges granted to zoom when in a snap - but you can't if
 you install it with a .deb (the default)

It is always safer to run apps in a browser rather than installing them
  - installed versions always have more privileges
  - code in browsers is carefully isolated (sandboxed)

ubuntu software center installs debs and snaps
  - I believe it is curated, FWIW
  - confinement only happens with snaps

When we talk about software in Linux distributions, all software isn't equally trusted
 - there is always a "main" repository and then extra ones
 - you can trust the main one (you have to, have no choice), but
   the other repositories, it depends

In ubuntu terms, main is the most trustworthy, while universe, multiverse,
and restricted are less trustworthy (probably okay but only install what you really use).

Then there are snaps (confined mostly, but depends), ppa's (specific repositories for apps, often put together by original developers, e.g. bcc has a ppa, no confinement).  There it depends too

Always risks when installing software!

A "jail break" is breaking the app-level confinement on iOS devices.  So while it lets you do more, it also fundamentally reduces your security because apps are no longer confined (jailed).
  - jail is an old BSD tech for confining applications,
    genesis of many ideas around modern containers

This material is not covered in the assignments or tutorials
  - so purely optional
  - however, if you can't follow what I'm saying you may be missing
    certain key concepts from earlier

Browser extensions are essentially web pages with limited confinement
  - they have permissions, but they get much more access (by default and
    with commonly asked for permissions) than regular pages
  - it is normal for a browser extension to see every URL you type in,
  - it is also normal for extensions to be able to mess with the contents
    of any page and to access and change arbitrary files
    (regular web pages can't do this!)
  - so again only install browser extensions if you really need them,
    and then consider ways to restrict them (limit permissions, use
    multiple browser profiles)

Containers are a browser-level way to confine information
 - limit scope of cookies, other saved data
 - can limit tracking and other attacks

Chrome has profiles (different "users") apparently, but I don't think they
have a container equivalent

Note general theme: put things in boxes to improve security!
 - too many kinds of boxes

The actual memory allocators in the Linux kernel are outside the scope
of this class
 - tutorial 8 shows a bit of what is going on under the hood, but
   that is just a start
 - is not in the assignments and thus won't be on the final

#define headers

remeber in C we have the C compiler and the C pre-processor
 - everything starting with # is a pre-processor directive
 - can define and run macros that change C code in lots of ways
     - people have used it to turn C into almost a completely
       different language
 - pre-processor directives can be added at compile time with -D
    - equivalent to #define in the source code
    - allows a way to change how code is compiled without
      changing the code itself (just change a #define on the command line
      using -D)


When you see a variable starting with __ in C source code, it normally
means it is private in some way
 - this isn't part of the API
 - this isn't the function or variable you are looking for,
   move along!
 - (note that C doesn't restrict the scope of functions so need
    conventions to say what is internal and what isn't)

Remember system calls are a different thing than function calls
 - invoked directly from userspace using a special assembly language instruction
 - as a result, when you get into the kernel, system call code isn't
   called like a normal C function.  We need assembly glue code
 - special declaration of system call entry functions takes care of the
   glue code.  Once we're past it, we can just call normal C functions

Don't think about weird things like drop_caches for Q1 on A4