In RHEL 8.6, SELinux, the fapolicyd framework, and Policy-Based Decryption (PBD) for automated unlocking of LUKS-encrypted drives support the SAP HANA database management system. See the Red Hat Enterprise Linux Security Hardening Guide for SAP HANA 2.0 Knowledgebase article for more information.

navigation code unlock 8.4 192

The Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions. The virtual machine executes a special assembly-like code.

The eBPF bytecode first loads to the kernel, followed by its verification, code translation to the native machine code with just-in-time compilation, and then the virtual machine executes the code.

Extended Berkeley Packet Filter (eBPF) is a complex technology which allows users to execute custom code inside the Linux kernel. Due to its nature, the eBPF code needs to pass through the verifier and other security mechanisms. There were Common Vulnerabilities and Exposures (CVE) instances, where bugs in this code could be misused for unauthorized operations. To mitigate this risk, Red Hat by default enabled eBPF in all RHEL versions for privileged users only. It is possible to enable eBPF for unprivileged users by using the kernel command-line parameter unprivileged_bpf_disabled=0. Note that applying unprivileged_bpf_disabled=0 disqualifies your kernel from Red Hat support and opens your system to security risks. In addition, Red Hat urges you to treat processes with the CAP_BPF capability as if the capability was equal to CAP_SYS_ADMIN.

A new nginx-mod-devel package has been added to the nginx:1.20 module stream. The package provides all necessary files, including RPM macros and nginx source code, for building external dynamic modules for nginx.

With this update libffi's self-modifying code takes advantage of a feature in the RHEL 8 kernel to create a suitable file independent of any file system. As a result, libffi's self-modifying code no longer depends on making part of the filesystem insecure.

Previously, the Clevis utility, which performs automated unlocking of LUKS-encrypted volumes, stopped on certain system configurations. Consequently, encrypted volumes were not unlocked automatically, and the administrator had to provide a passphrase manually. In some cases, Clevis restarted after the administrator pressed Enter and unlocked the encrypted volumes. With this update, the utility has been fixed to not stop on these configurations, and the process of automated unlocking now works properly.

Previously, the dmidecode command failed to decode the DDR5 memory information. Consequently, dmidecode --type 17 returned the message. The latest update of the package (dmidecode-3.3-3.el8) has fixed this problem. As a result, dmidecode --type 17 now successfully decodes DDR5 memory information.

Previously, the initialization code of the dynamic loader, which is linked into statically linked binaries, did not initialize a link map variable correctly. Consequently, statically linked applications crashed if LD_LIBRABY__PATH contained a dynamic token string. With this update statically linked applications no longer crash.

Previously, attempting to migrate a virtual machine (VM) using the multifd feature of QEMU caused the migration to fail and the VM to terminate unexpectedly. The underlying code has been fixed, and multifd migration now works as expected.

Previously, when using a virtual machine (VM) with a RHEL 8 guest operating system on the PowerVM hypervisor, attempting to remove an IBM Power Virtual Fibre Channel (IBMVFC) device from the running VM failed. Instead, it displayed an outstanding translation error. The underlying code has been fixed and live hot unplugs of IBMVFC device now work correctly on PowerVM.

Software Guard Extensions (SGX) is an Intel technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. The version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology.

Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions.

The virtual machine includes a new system call bpf(), which enables creating various types of maps, and also allows to load programs in a special assembly-like code. The code is then loaded to the kernel and translated to the native machine code with just-in-time compilation. Note that the bpf() syscall can be successfully used only by a user with the CAP_SYS_ADMIN capability, such as the root user. See the bpf(2) manual page for more information.

Heuristics are a set of commands executed locally on startup, cluster membership change, successful connect to corosync-qnetd, and, optionally, on a periodic basis. When all commands finish successfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which partition should be quorate.

Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. Also note that RHEL 8 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security attestation.

The classic domain controller mode that enabled administrators to run Samba as an NT4-like primary domain controller (PDC) and backup domain controller (BDC) is deprecated. The code and settings to configure these modes will be removed in a future Samba release.

You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that is set to ignore any hard disk containing a iso9660 file system partition. This happens even when RHEL is installed without using a DVD.

GNU Core Utilities (coreutils) started using the statx() system call. If a seccomp filter returns an EPERM error code for unknown system calls, coreutils might consequently report misleading EPERM error codes because EPERM can not be distinguished from the actual Operation not permitted error returned by a working statx() syscall.

In systemd, the default block deactivation code does not always handle complex stacks of virtual block devices correctly. In some configurations, virtual devices might not be removed during the shutdown, which causes error messages to be logged. To work around this problem, deactivate complex block device stacks by executing the following command:

This problem is caused by a limitation in the vTPM device. The vTPM device has a hardcoded limit on the maximum number of opened file descriptors. Since multiple file descriptors are opened for every new queue, the internal vTPM limit can be exceeded, causing the VM to fail.

JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.

An object becomes phantom reachable after it has been finalized. This change may cause the phantom reachable objects to be GC'ed earlier - previously the referent is kept alive until PhantomReference objects are GC'ed or cleared by the application. This potential behavioral change might only impact existing code that would depend on PhantomReference being enqueued rather than when the referent be freed from the heap.

Typically when a reference object is enqueued, it is expected that the reference object is cleared explicitly via the clear method to avoid memory leak because its referent is no longer referenced. In other words the get method is expected not to be called in common cases once the enqueuemethod is called. In the case when the get method from an enqueued reference object and existing code attempts to access members of the referent, NullPointerException may be thrown. Such code will need to be updated.

An object becomes phantom reachable after it has been finalized. This change may cause phantom reachable objects to be garbage collected earlier. Previously, the referent was kept alive until the associated PhantomReference objects were collected or cleared by the application. This behavioral change should only impact existing code that depends on a PhantomReference being enqueued rather than when the referent is freed from the heap.

Typically when a reference object is enqueued, it is expected that the reference object is cleared explicitly via the clear method to avoid a memory leak because its referent is no longer referenced. In other words, the get method is not expected to be called in common cases once the enqueue method has been called. In the case when the get method from an enqueued reference object and existing code attempts to access members of the referent, a NullPointerException may be thrown. Such code will need to be updated.

The Java SE 8 Enterprise Performance Pack follows the versioning format defined by JEP 322, and reports the actual VM version of 17.x, when, for example, java -version is invoked. However, for compatibility purposes, the sun.misc.Version methods jvmMajorVersion() and jvmMinorVersion() instead report the same VM version as Java SE 8 i.e. 25.x. This ensures that application code checking for a Java 8 runtime by looking for a major version greater than, or equal to, 25, will work correctly even though the actual VM version is 17.

The FlatProfiler, deprecated in JDK 9, has been made obsolete by removing the implementation code. The FlatProfiler was enabled by setting the -Xprof VM argument. The -Xprof flag remains recognized in this release; however, setting it will print out a warning message. 2ff7e9595c