Linux 4.11 Released

Linux v4.11 was released this past weekend on Sunday, April 30th; this is a quick summary of the SELinux and audit changes.

SELinux

  • A number of new SELinux object classes were added to support all of the known network socket address families, and code was introduced to make it easier for kernel developers to keep the SELinux subsystem in sync with the address family definitions. These new object classes provide policy developers a greater level of access control granularity by allowing them to write policy which targets specific protocols. In order to make use of these new object classes the SELinux policy must enable the "extended_socket_class" policy capability.

  • Add SELinux labeling support to the cgroup and cgroup2 pseudo filesystems. This should allow better control over applications, such as containers, which need to manage only certain portions of the system's cgroup configuration. In order to make use of this new functionality the SELinux policy must enable the "cgroup_seclabel" policy capability.

  • Add SELinux labeling support to TraceFS. This is required for Android compatibility on Linux v4.1 and above (TraceFS was introduced in Linux v4.1).

  • Allow SELinux context mounts of tmpfs, ramfs, and devpts in non-init user namespaces. This is required by many container runtimes such as Docker/runc/etc.

  • Change the kernel behavior so that SELinux policy booleans which are not labeled by the loaded policy are assigned the security initial SID label; previously the boolean was left unlabeled and any access to it was denied.

  • Additional error messages were added to the SELinux policy loading code so that policy load failures could be more easily diagnosed by administrators.

  • Remove the security_task_wait() LSM hook and the SELinux implementation. It turned out that this access control was more trouble than it was worth, risking soft lockups and zombie processes without any real security advantage.

  • Internal cleanups relating to how credentials were used in the SELinux subsystem. While this is a nice cleanup and simplification inside the kernel, there should be no user visible changes.

  • Internal shuffling of the process restrictions affecting /proc/<pid>/attr from the individual LSMs (including SELinux) to the proc subsystem. This helps eliminate code redundancy and ensures proper behavior across LSMs.

  • The SELinux LSM hooks are now marked as read-only after the system boots. This should help prevent malicious code from tampering with the LSM hooks.
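Two of the items above only take effect when the loaded policy enables a policy capability. The check below, an added example that is not part of the original post or of the SELinux project, reads the per-capability files the kernel exports under /sys/fs/selinux/policy_capabilities (each holds "0" or "1") and reports whether the extended socket classes and cgroup labeling are actually available. The make_snapshot() helper builds a constructed directory in the same layout so the logic can be exercised on a machine without SELinux.

```python
"""Check which of the SELinux policy capabilities introduced with the Linux
4.11 changes are enabled by the loaded policy.
Added example: not code from the original post or the SELinux project."""
import tempfile
from pathlib import Path

# Capabilities named in the 4.11 release notes and the feature each one gates.
POLICY_CAPABILITIES_4_11 = {
    "extended_socket_class": "per-address-family socket object classes",
    "cgroup_seclabel": "labeling of the cgroup/cgroup2 filesystems",
}

# selinuxfs exports one file per policy capability containing "0" or "1".
SELINUXFS_POLCAP_DIR = Path("/sys/fs/selinux/policy_capabilities")


def read_policy_capabilities(polcap_dir=SELINUXFS_POLCAP_DIR,
                             names=POLICY_CAPABILITIES_4_11):
    """Return {name: True | False | None} for the requested capabilities.

    True/False mirror the file contents; None for a single entry means the
    running kernel does not know that capability at all (older kernel).
    Returns None outright when selinuxfs is not mounted at polcap_dir."""
    polcap_dir = Path(polcap_dir)
    if not polcap_dir.is_dir():
        return None
    status = {}
    for name in names:
        cap_file = polcap_dir / name
        if not cap_file.is_file():
            status[name] = None
        else:
            status[name] = cap_file.read_text().strip() == "1"
    return status


def report(status):
    """One human-readable line per capability, naming what is unavailable."""
    lines = []
    for name, enabled in status.items():
        feature = POLICY_CAPABILITIES_4_11.get(name, name)
        if enabled:
            lines.append(f"{name}: enabled ({feature} available)")
        elif enabled is None:
            lines.append(f"{name}: unknown to this kernel ({feature} unavailable)")
        else:
            lines.append(f"{name}: disabled by policy ({feature} unavailable)")
    return lines


def make_snapshot(values):
    """Build a constructed selinuxfs-style directory (not a real system's
    state) so the check can be run offline; values map name -> "0"/"1"."""
    snapshot = Path(tempfile.mkdtemp(prefix="polcap-"))
    for name, value in values.items():
        (snapshot / name).write_text(value + "\n")
    return snapshot


if __name__ == "__main__":
    live = read_policy_capabilities()
    if live is None:
        print("selinuxfs not mounted at /sys/fs/selinux (SELinux disabled?)")
    else:
        print("\n".join(report(live)))
```

A capability reported as "disabled by policy" means the kernel supports the feature but the installed policy was built without it, so the new object classes (or cgroup labels) will not be enforced until the policy is rebuilt with the capability turned on.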

Audit

  • Add the ability to reset the lost record counter. See the GitHub feature page for more information.

  • Log the name of the kernel module, via a new KERN_MODULE record, when the module is loaded into the kernel. See the GitHub feature page for more information.

  • Fixed a problem where the SOCKETCALL record was not generated for 32-bit syscalls on a 64-bit system. See the GitHub issue for more information.

  • Fix the kernel's audit daemon state tracking code. There were a number of issues relating to how the daemon's connection was tracked, including locking problems and some synchronization oddities with network namespaces. The code in Linux v4.11 helps resolve these problems and also adds some additional improvements to the audit backlog queue handling in the kernel. It is worth noting that some users may still experience some locking issues with Linux v4.11 when the audit daemon first starts; this has been fixed in Linus' tree with commit 48d0e023af97 ("audit: fix the RCU locking for the auditd_connection structure") and should be part of the next Linux v4.11 stable release.

  • Adjust the KERNEL and ANOM_ABEND audit records so they are more consistent with the other audit records.
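The new KERN_MODULE record is emitted from inside the init_module()/finit_module() syscall, so it shares the audit event serial (the number after the colon in `audit(timestamp:serial)`) with that syscall's SYSCALL record. The script below, an added example that is not part of the original post or of the audit project, joins the two records by serial so an analyst can see which process and login user loaded which module. The log lines are constructed for the example (their field set is abbreviated, not a capture from a real system), and the syscall-number table covers only x86_64.

```python
"""Correlate KERN_MODULE audit records (Linux 4.11+) with the SYSCALL record
of the same event to show who loaded which kernel module.
Added example: not code from the original post or the audit project."""
import re
from collections import defaultdict

# Constructed sample records (not captured from a real system): one
# finit_module() call that loaded a module named "dummy", plus an unrelated
# execve() event that must not be reported.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1493567890.123:314): arch=c000003e syscall=313 success=yes exit=0 ppid=1 pid=2001 auid=1000 uid=0 gid=0 euid=0 comm="modprobe" exe="/usr/bin/kmod" key="modload"
type=KERN_MODULE msg=audit(1493567890.123:314): name="dummy"
type=PROCTITLE msg=audit(1493567890.123:314): proctitle="modprobe dummy"
type=SYSCALL msg=audit(1493567890.456:315): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key=(null)
"""

# Module-loading syscall numbers on x86_64 (arch=c000003e).
X86_64_MODULE_SYSCALLS = {"175": "init_module", "313": "finit_module"}

_HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit record into type, timestamp, serial and a field dict.
    Returns None for lines that are not audit records."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(body)}
    return {"type": rtype, "timestamp": ts, "serial": int(serial), "fields": fields}


def correlate_module_loads(log_text):
    """Return one summary per KERN_MODULE record, joined to the SYSCALL
    record that carries the same event serial."""
    events = defaultdict(dict)          # serial -> {record type: fields}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec["fields"]

    loads = []
    for serial, records in sorted(events.items()):
        km = records.get("KERN_MODULE")
        if km is None:
            continue
        sc = records.get("SYSCALL", {})
        number = sc.get("syscall")
        loads.append({
            "serial": serial,
            "module": km.get("name"),
            "syscall": X86_64_MODULE_SYSCALLS.get(number, number),
            "pid": sc.get("pid"),
            "auid": sc.get("auid"),   # login uid: survives su/sudo
            "exe": sc.get("exe"),
        })
    return loads


if __name__ == "__main__":
    for load in correlate_module_loads(SAMPLE_AUDIT_LOG):
        print(load)
```

On a real system the SYSCALL record is only present when a rule audits the module-loading syscalls (for example an auditctl rule on init_module and finit_module with a key such as "modload"); without such a rule the KERN_MODULE record still names the module but carries no process context to join against.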

The 2017 Linux Security Summit CFP

The 2017 Linux Security Summit Call for Participation is now open, with a deadline of June 5th, 2017. The summit will be held at the JW Marriott LA Live in Los Angeles, CA on September 14th and 15th.

The Linux Security Summit is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. Those who are interested in participating can find the necessary information and submission form at the Linux Foundation link below.

Libseccomp 2.3.2 Released

We've just released a new version of libseccomp, libseccomp version 2.3.2. The libseccomp library provides an easy-to-use, platform-independent interface to the Linux enhanced syscall filtering mechanism.

This new version of libseccomp builds upon the previous release and should be a drop-in replacement for the 2.x releases. All users are encouraged to upgrade to the new version at their earliest convenience.

Changes in the 2.3.2 release include:

  • Achieved full compliance with the CII Best Practices program
  • Added Travis CI builds to the GitHub repository
  • Added code coverage reporting with the "--enable-code-coverage" configure flag and added Coveralls to the GitHub repository
  • Updated the syscall tables to match Linux v4.10-rc6+
  • Support for building with Python v3.x
  • Allow rules with the -1 syscall if the SCMP_FLTATR_API_TSKIP attribute is set to true
  • Several small documentation fixes

Finally, thank you to everyone who has submitted suggestions, provided testing help, and contributed patches to the project.