The 2017 Linux Security Summit CFP

The 2017 Linux Security Summit Call for Participation is now open, with a deadline of June 5th, 2017. The summit will be held at the JW Marriott LA Live in Los Angeles, CA on September 14th and 15th.

The Linux Security Summit is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. Those who are interested in participating can find the necessary information and submission form at the Linux Foundation link below.

Libseccomp 2.3.2 Released

We've just released a new version of libseccomp, libseccomp version 2.3.2. The libseccomp library provides an easy to use, platform independent interface to the Linux enhanced syscall filtering mechanism.

This new version of libseccomp builds upon the previous release and should be a drop-in replacement for the 2.x releases. All users are encouraged to upgrade to the new version at their earliest convenience.

Changes in the 2.3.2 release include:

  • Achieved full compliance with the CII Best Practices program
  • Added Travis CI builds to the GitHub repository
  • Added code coverage reporting with the "--enable-code-coverage" configure flag and added Coveralls to the GitHub repository
  • Updated the syscall tables to match Linux v4.10-rc6+
  • Support for building with Python v3.x
  • Allow rules with the -1 syscall if the SCMP_FLTATR_API_TSKIP attribute is set to true
  • Several small documentation fixes

Finally, thank you to everyone who has submitted suggestions, provided testing help, and contributed patches to the project.

Linux 4.10 Released

Linux v4.10 was released this past weekend on Sunday, February 19th; this is a quick summary of the SELinux and audit changes.

SELinux

  • Fix a GFS2/SELinux deadlock where one task is initializing an inode while another task is invalidating the SELinux label on the same inode. The fix involved changing the SELinux inode_security_struct lock from a mutex to a spinlock and introducing a new SELinux label state, "PENDING". These two changes allow SELinux to mark a pending inode initialization and detect if the inode's label was invalidated during the initialization process.

  • Add a build time check to catch the addition of new capabilities and force an update to the associated SELinux code. The simple fix was to compare the CAP_LAST_CAP sentinel value with the last known defined capability and cause a compilation failure, via the "#error" compiler directive, when there is a mismatch.

  • Normalize input to /sys/fs/selinux/enforce so that the stored value is only ever 1 (true) or 0 (false). This change should have no impact to the kernel, it only checks for non-zero (true) or 0 (false), but some userspace tools check for a value of 1 instead of a non-zero true value.

  • Fix a problem where clearing /proc/self/attr/fscreate could result in an unwanted kernel memory access (CVE-2017-2618).

  • A number of minor improvements and cleanups to the SELinux inode handling.

Audit

  • Major rework of the audit backlog queue which moves the audit multicast writes from the thread of the task which generates the event to a separate kernel thread, much like we do for the audit unicast/auditd messages. Moving the multicast writes had a ripple effect on the entire audit queuing mechanism which brought about a number of improvements which should reduce the per-task audit overhead when audit is enabled, and help make audit more robust under heavy load.

  • Add kernel support for audit filtering based on the session ID. See the GitHub feature page for more information.

  • Fix audit's use of fsnotify to prevent sleeping on a spinlock. The fix involved making sure that the proper lock ordering was followed, meaning that we took the fsnotify_group's mutex before taking the fsnotify_mark's spinlock.

  • Fix a problem where audit was needlessly duplicating fsnotify_mark structures and leaking a reference to the associated fsnotify group.

  • Fix a problem where the kernel wasn't properly holding a reference for the auditd communication socket which could result in a race condition when resetting the connection with auditd.

  • Ensure consistent logging of the CONFIG_CHANGE audit record. The record's "op" field is not encoded so the value should not be surrounded with double quotes.