Linux 4.15 Released
02 Feb 2018
tags: audit selinux
Linux v4.15 was released on Sunday, January 28th; this is a quick summary of the SELinux and audit changes.
The file extended attribute permission code was changed to use the common capability code for any non-SELinux extended attributes. This fixed a problem with file capabilities in user namespaces.
Converted the SELinux internal hash table implementation to use kmem_cache, reducing runtime memory consumption by a small amount.
Various small code cleanups to remove build warnings and unneeded variable assignments.
Because tracefs and debugfs can generate a very large number of PATH records, a new mechanism was introduced that allows PATH records to be filtered based on the type of the filesystem they refer to. Richard Guy Briggs provides a good explanation of this new feature in the patch's description:
From: Richard Guy Briggs
audit: filter PATH records keyed on filesystem magic
Tracefs or debugfs were causing hundreds to thousands of PATH records to be associated with the init_module and finit_module SYSCALL records on a few modules when the following rule was in place for startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
Provide a method to keep these large numbers of PATH records from overwhelming the logs if they are not of interest. Introduce a new filter list "AUDIT_FILTER_FS", with a new field type AUDIT_FSTYPE, which keys off the filesystem 4-octet hexadecimal magic identifier to filter specific filesystem PATH records.
An example rule would look like:
-a never,filesystem -F fstype=0x74726163 -F key=ignore_tracefs
-a never,filesystem -F fstype=0x64626720 -F key=ignore_debugfs
Arguably the better way to address this issue is to disable tracefs and debugfs on boot from production systems.
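The fstype value in those rules is the filesystem magic that statfs(2) reports in f_type, and the two constants in the example spell "trac" and "dbg " as ASCII. The following script is an added illustration, not code from the post or from the kernel tree: it decodes such magic values, reads the magic of a mounted path through libc so a rule can be checked against the live system before it is loaded, and builds the same `never,filesystem` rule lines the patch description shows. The function names (`magic_to_ascii`, `fs_magic_of`, `ignore_rules`) and the `KNOWN_FS_MAGIC` table are this example's own; the magic values themselves are the ones from the rules above.

```python
import ctypes
import ctypes.util
import os

# Well-known 4-octet filesystem magic values (the two used in the patch's example rules).
KNOWN_FS_MAGIC = {
    "tracefs": 0x74726163,  # spells "trac"
    "debugfs": 0x64626720,  # spells "dbg "
}


def magic_to_ascii(magic):
    """Decode a 4-octet filesystem magic into the mnemonic it spells (0x74726163 -> 'trac')."""
    return magic.to_bytes(4, "big").decode("ascii")


def ascii_to_magic(text):
    """Inverse of magic_to_ascii: 'dbg ' -> 0x64626720."""
    if len(text) != 4:
        raise ValueError("filesystem magic mnemonics are exactly four octets")
    return int.from_bytes(text.encode("ascii"), "big")


def fs_magic_of(path):
    """Return the statfs(2) f_type of path, i.e. the value an fstype= rule is matched against.

    Linux only. f_type is the first member of struct statfs on every architecture, so
    reading one C long from the front of an oversized buffer avoids spelling out the
    full (arch-dependent) struct layout.
    """
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    buf = ctypes.create_string_buffer(512)  # comfortably larger than any struct statfs
    if libc.statfs(path.encode(), buf) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err), path)
    # Mask so a magic with the top bit set is not reported as a negative number on 32-bit.
    return ctypes.c_long.from_buffer(buf).value & 0xFFFFFFFF


def ignore_rules(fs_names, magic_table=KNOWN_FS_MAGIC):
    """Build one 'never,filesystem' rule per filesystem name, in the form the patch shows."""
    return [
        f"-a never,filesystem -F fstype=0x{magic_table[name]:08x} -F key=ignore_{name}"
        for name in fs_names
    ]


def check_mount(path, fs_name):
    """Confirm that path is really mounted with the filesystem the rule is meant for."""
    return fs_magic_of(path) == KNOWN_FS_MAGIC[fs_name]


if __name__ == "__main__":
    for rule in ignore_rules(["tracefs", "debugfs"]):
        print(rule)
    # Typical mount points; both may be absent or unmounted on a hardened system.
    for path, name in (("/sys/kernel/tracing", "tracefs"), ("/sys/kernel/debug", "debugfs")):
        try:
            print(f"{path}: magic 0x{fs_magic_of(path):08x}, matches {name}: {check_mount(path, name)}")
        except OSError as exc:
            print(f"{path}: not available ({exc.strerror})")
```

From a shell, `stat -f -c %t /sys/kernel/debug` (GNU coreutils) prints the same hex magic, which is a quick way to cross-check the value before putting an fstype rule into audit.rules.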
Fixed a bug where the kernel was not initializing the audit subsystem early enough at boot and was missing audit records generated by PID 1 (init/systemd/etc.). In addition to fixing this particular bug there were a number of small code cleanups and general improvements to the audit initialization code.
Fixed a bug where the kernel did not recognize when the audit daemon was attempting to shut down the kernel/auditd connection by sending an AUDIT_SET message with a PID 0 value.
The audit file and directory write syscall filters were updated with additional syscalls.
An old and unused function, audit_log_secctx(), was removed.