Linux 4.15 Released

Linux v4.15 was released on Sunday, January 28th; this is a quick summary of the SELinux and audit changes.

SELinux

  • The file extended attribute permission code was changed to use the common capability code for any non-SELinux extended attributes. This fixed a problem with file capabilities in user namespaces.

  • Converted the SELinux internal hash table implementation to use kmem_cache, reducing runtime memory consumption by a small amount.

  • Various small code cleanups to remove build warnings and unneeded variable assignments.

Audit

  • Due to a large number of PATH records created by tracefs and debugfs, a new mechanism was introduced which allows the filtering of PATH records based on the filesystem type. Richard Guy Briggs provides a good explanation of this new feature in the patch's description:

    From: Richard Guy Briggs

    audit: filter PATH records keyed on filesystem magic

    Tracefs or debugfs were causing hundreds to thousands of PATH records to be associated with the init_module and finit_module SYSCALL records on a few modules when the following rule was in place for startup:
      -a always,exit -F arch=x86_64 -S init_module -F key=mod-load

    Provide a method to ignore these large number of PATH records from overwhelming the logs if they are not of interest. Introduce a new filter list "AUDIT_FILTER_FS", with a new field type AUDIT_FSTYPE, which keys off the filesystem 4-octet hexadecimal magic identifier to filter specific filesystem PATH records.

    An example rule would look like:
      -a never,filesystem -F fstype=0x74726163 -F key=ignore_tracefs
      -a never,filesystem -F fstype=0x64626720 -F key=ignore_debugfs

    Arguably the better way to address this issue is to disable tracefs and debugfs on boot from production systems.

  • Fixed a bug where the kernel was not initializing the audit subsystem early enough at boot and was missing audit records generated by PID 1 (init/systemd/etc.). In addition to fixing this particular bug there were a number of small code cleanups and general improvements to the audit initialization code.

  • Fixed a bug where the kernel did not recognize when the audit daemon was attempting to shut down the kernel/auditd connection by sending an AUDIT_SET message with a PID 0 value.

  • The audit file and directory write syscall filters were updated with additional syscalls.

  • An old and unused function, audit_log_secctx(), was removed.

DevConf.cz 2018

Another year, another DevConf.cz in the books. Thanks to everyone who attended, volunteered, and spoke; it was a great conference and I'm once again looking forward to next year. I should also mention that for the first time ever, DevConf will be expanding to two other locations in 2018: Boston and Bangalore, check the websites for more details.

At this year's DevConf.cz I gave a short talk on an effort we are calling "SELinux Modularity", a project where we are working on integrating SELinux into the larger Fedora Modularity effort.

2017 Year In Review

With 2017 coming to an end in a little over a week, it's a good time to look back on what the SELinux, audit, and libseccomp projects have accomplished this year, and recognize the contributors that made it all possible.

In 2017 we had five Linux Kernel releases, one SELinux userspace release, ten audit userspace releases, and two libseccomp releases.

An Open Source project is only as good as it's contributors, so I want to thank everyone who contributed code in 2017, as well as those who contributed code that hasn't yet made it into the main repositories (unfortunately not represented in the lists below).

Contributors to the SELinux kernel and userspace code bases (sorted by number of commits).

Nicolas Iooss
Stephen Smalley
James Carter
Petr Lautrbach
Markus Elfring
Alan Jenkins
Daniel Jurgens
Vit Mojzis
Jason Zaman
Richard Haines
Jan Zarsky
Dan Walsh
Steve Lawrence
James Morris
Colin Ian King
Florian Westphal
Patrick Steinhardt
Chenbo Feng
Corentin LABBE
Eric W. Biederman
Antonio Murdaca
Kees Cook
Luis Ressel
Jeff Vander Stoep
Matthias Kaehlcke
Ingo Molnar
Gary Tierney
Dan Cashman
Tom Cherry
Christian Göttsche
Miroslav Grepl
Nick Kralevich
Guido Trentalancia
Greg Kroah-Hartman
Paul Moore
Kyeongdon Kim
Richard Guy Briggs
Arvind Yadav
Michal Hocko
Julien Gomes
Scott Mayhew
Junil Lee
Al Viro
Tetsuo Handa
Eric Biggers
Dan Carpenter
David Ahern
Alexander Potapenko
Alexey Dobriyan
Dave Jiang
Krister Johansen
Casey Schaufler
Yongqin Liu
Lukas Vrabec
Grégoire Colbert
Laurent Bigonville
Bernhard M. Wiedemann
Colin Walters
Nikola Forró
Ville Skyttä
Lokesh Mandvekar
Thomas Petazzoni
Karl MacMillan
Sandeep Patil

Contributors to the audit kernel code base (sorted by number of commits). Unfortunately I'm unable to include the audit userspace contributors as the audit userspace git log is not a reliable source of contributor information for 2017.

Paul Moore
Jan Kara
Richard Guy Briggs
Elena Reshetova
Nicholas Mc Guire
Steve Grubb
Greg Kroah-Hartman
Deepa Dinamani
Casey Schaufler
Geliang Tang
Mel Gorman
Tyler Hicks
Shu Wang
Derek Robson
Johannes Berg

Contributors to the main libseccomp code base as well as the Golang and artwork repositories (sorted by number of commits).

Paul Moore
Tyler Hicks
Matthew Heon
Jay Guo
Tobias Klauser
Luca Bruno
valoq
Vladimir Rutsky
Justin Cormack
NODA, Kai
K.C. Wong
Kyle R. Conway

A big thanks from me to all of you! I hope you have a safe, happy, and exciting 2018.