22 Jan 2025 tags: audit lsm selinux

Linux v6.13 was released on Sunday, with the Linux v6.14 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and Audit pull requests which have been merged into Linus’ tree.
LSM
- Migrate away from the legacy LSM secctx string label interface to a new lsm_context structure. While this presents a relatively minor change to most callers within the kernel, this improvement makes it easier to support multiple simultaneous LSMs now, and in the future when new LSMs are added.
- Modify the LSM’s kernel build configuration to only build the LSM framework’s common audit code when both the LSM and audit subsystems are enabled. This should provide a minor build time improvement for those who build kernels with the LSM enabled but without audit support.
- Add a sanity check to the SafeSetID policy loading functions to restrict the policy size to KMALLOC_MAX_SIZE. As SafeSetID policy rules take the form of “UID:UID”, this limit is well beyond any legitimate policy rule, and should serve to limit a number of automated fuzzing reports that we have recently received against SafeSetID.
- A number of smaller improvements to the kernel selftests, constification of some function parameters, removing redundant assignments, and local variable renames to improve readability.
SELinux
- Add support for SELinux extended permissions, aka “xperms”, in conditional policy blocks. This allows admins to toggle the granular xperms using SELinux booleans, helping pave the way for greater use of xperms in general purpose SELinux policies. This change bumps the maximum SELinux policy version to 34.
- Fix a SELinux/SCTP bind(2) error code inconsistency when the “extended_socket_class” policy capability is not enabled in the loaded policy.
- Minor change to the SELinux kernel makefile to ensure that the generated SELinux header files are properly cleaned up between kernel builds.
- A number of smaller changes to reduce code duplication, reduce pointer lookups, migrate void pointers to defined types, simplify code, constify function parameters, and correct iterator types.
Audit
- Fix a problem where pathnames were not being properly logged by audit in the audit PATH record. Symptoms would include a “name=(null)” entry instead of the valid file pathname. Users who have noticed missing pathnames are encouraged to try Linux v6.14-rc1, or later.
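If you want to check your own logs for the symptom described above, the following added example (not code from this post or from the kernel) parses audit records, groups them by serial number into events, and reports PATH items whose name is (null) together with the comm and exe of the matching SYSCALL record. The sample lines are constructed to look like audit.log output and are not real captures.

```python
"""Scan audit log lines for PATH records missing their pathname (added example,
not code from the post). The sample records below are constructed to look like
/var/log/audit/audit.log output; they are not real captures."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1737500000.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5582d1c0 a2=80000 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="etc-watch"
type=PATH msg=audit(1737500000.101:301): item=0 name="/etc/passwd" inode=131 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1737500000.205:302): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5582d2f0 a2=80000 a3=0 items=1 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="etc-watch"
type=PATH msg=audit(1737500000.205:302): item=0 name=(null) inode=132 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <key=value ...>
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# Values are either a double-quoted string or a bare token such as (null) or fd:01.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str):
    """Return one audit record as a dict, or None for lines in another format."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = {"type": m["type"], "ts": m["ts"], "serial": int(m["serial"])}
    for key, value in FIELD_RE.findall(m["body"]):
        rec[key] = value[1:-1] if value.startswith('"') else value
    return rec


def find_null_paths(log_text: str):
    """Group records by serial (one event) and report PATH items whose name is
    (null), joined with the event's SYSCALL record for context."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    findings = []
    for serial in sorted(events):
        recs = events[serial]
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), {})
        for r in recs:
            if r["type"] == "PATH" and r.get("name") == "(null)":
                findings.append({
                    "serial": serial,
                    "item": int(r.get("item", -1)),
                    "nametype": r.get("nametype"),
                    "inode": r.get("inode"),
                    "comm": syscall.get("comm"),
                    "exe": syscall.get("exe"),
                })
    return findings


def null_path_ratio(log_text: str) -> float:
    """Fraction of PATH records with name=(null). A jump in this ratio after a
    kernel update is the signal; a few (null) names are normal, since the
    kernel prints (null) whenever no pathname was recorded for an item."""
    total = nulls = 0
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "PATH":
            total += 1
            nulls += rec.get("name") == "(null)"
    return nulls / total if total else 0.0


if __name__ == "__main__":
    for finding in find_null_paths(SAMPLE_LOG):
        print(finding)
    print("null ratio:", null_path_ratio(SAMPLE_LOG))
```

Run it against a real audit.log by reading the file into `find_null_paths`; the ratio function is the more useful signal, because name=(null) also appears legitimately for items without a recorded pathname, so what matters is a sudden rise in its share after moving to an affected kernel.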
22 Jan 2025 tags: audit lsm selinux

Linux v6.13 was released on Sunday, January 19th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window, however there were additional changes that went in during the release candidate process which are described below.
LSM
- Leverage the new get_task_comm() API to get the current task’s “comm” string as opposed to accessing it directly. While minor, this affects the LSM framework’s common auditing code as well as SELinux.
- Minor IMA variable renaming to fix a variable name collision related to the lsm_prop changes merged during the v6.13 merge window.
SELinux
- Make better use of the sk_to_full_sk() helper in the SELinux networking code to fix a regression caused by networking changes introduced during the v6.13 merge window.
- Fix a problem when both the ioctl and netlink extended permissions, aka “xperms”, are used in a single domain.
- Ignore unknown extended permissions, aka “xperms”, when loading SELinux policy. This should make it easier to support newer policies on older kernels in the future as unknown xperms will no longer result in an error.
Audit
- Minor code shuffling to work around a GCC bug that was falsely reporting a write beyond the bounds of an object. There should be no user visible impact to this change.
In addition to my highlights, LWN.net provides a nice overall summary of the kernel changes made during the first and second weeks of the merge window.
19 Dec 2024 tags: audit lsm selinux

This post is a bit later than normal, my apologies for that, but Linux v6.12 was released on Sunday, November 17th with the Linux v6.13 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and Audit pull requests which have been merged into Linus’ tree.
LSM
- Start the process of moving away from the existing secid integer LSM identifier in the kernel towards a richer lsm_prop structure. This change will enable us to remove some of the translation steps that are necessary in many LSMs when interacting with the rest of the Linux kernel, and should make it easier to support different LSMs in the future.
- Decouple the fsnotify subsystem from the LSM, allowing the two subsystems to be selected independently from one another when building the Linux kernel.
SELinux
- In Linux v4.3 we introduced the concept of “extended permissions” to enable SELinux to enforce access controls on individual ioctl(2) commands. Starting in Linux v6.13 administrators will now also be able to use the extended permission functionality to enforce access controls on individual netlink(7) messages. Thiébaud Weksteen, the patch’s author, provides some additional information and examples in the commit description:
Reuse the existing extended permissions infrastructure to support policies based on the netlink message types.
A new policy capability “netlink_xperm” is introduced. When disabled, the previous behaviour is preserved. That is, netlink_send will rely on the permission mappings defined in nlmsgtab.c (e.g, nlmsg_read for RTM_GETADDR on NETLINK_ROUTE). When enabled, the mappings are ignored and the generic “nlmsg” permission is used instead.
The new “nlmsg” permission is an extended permission. The 16 bits of the extended permission are mapped to the nlmsg_type field.
Example policy on Android, preventing regular apps from accessing the device’s MAC address and ARP table, but allowing this access to privileged apps, looks as follows:
allow netdomain self:netlink_route_socket {
create read getattr write setattr lock append connect getopt
setopt shutdown nlmsg
};
allowxperm netdomain self:netlink_route_socket nlmsg ~{
RTM_GETLINK RTM_GETNEIGH RTM_GETNEIGHTBL
};
allowxperm priv_app self:netlink_route_socket nlmsg {
RTM_GETLINK RTM_GETNEIGH RTM_GETNEIGHTBL
};
The constants in the example above (e.g., RTM_GETLINK) are explicitly defined in the policy.
It is possible to generate policies to support kernels that may or may not have the capability enabled by generating a rule for each scenario. For instance:
allow domain self:netlink_audit_socket nlmsg_read;
allow domain self:netlink_audit_socket nlmsg;
allowxperm domain self:netlink_audit_socket nlmsg { AUDIT_GET };
The approach of defining a new permission (“nlmsg”) instead of relying on the existing permissions (e.g., “nlmsg_read”, “nlmsg_readpriv” or “nlmsg_tty_audit”) has been preferred because:
- This is similar to the other extended permission (“ioctl”);
- With the new extended permission, the coarse-grained mapping is not necessary anymore. It could eventually be removed, which would be impossible if the extended permission was defined below these.
- Having a single extra extended permission considerably simplifies the implementation here and in libselinux.
- The “/sys/fs/selinux/user” interface has been marked as deprecated in the kernel. The deprecation notice provides some additional information:
The selinuxfs “user” node allows userspace to request a list of security contexts that can be reached for a given SELinux user from a given starting context. This was used by libselinux when various login-style programs requested contexts for users, but libselinux stopped using it in 2020. Kernel support will be removed no sooner than Dec 2025.
- Cleaned the SELinux build scripts and tooling. We relocated the “genheaders” tool to the “security/selinux” directory and corrected our usage of kernel headers to make it easier to build the Linux kernel on different systems.
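To make the netlink xperm semantics in the quoted commit description concrete, here is an added example (not kernel code, and not from the commit or this post): a small userspace model of the netlink_send decision. It covers both the Android policy snippet and the “rule for each scenario” compatibility pattern above. The xperm layout (upper byte of the 16-bit value selects a “driver”, lower byte indexes a 256-bit function bitmap) follows the in-kernel representation shared with ioctl xperms; the coarse mapping table is a constructed subset of nlmsgtab.c, and netdomain and priv_app are modelled as independent sources rather than as an attribute and a member type.

```python
"""Model of the SELinux netlink extended-permission check (added example).

This is not kernel code: it is a small userspace model of the decision the
commit description lays out. With the netlink_xperm policy capability off,
netlink_send uses the coarse per-message-type mapping (nlmsg_read,
nlmsg_write, ...); with it on, the generic "nlmsg" permission is checked and
the 16-bit nlmsg_type is matched against allowxperm rules.
"""
from dataclasses import dataclass, field

# Message type constants from <linux/rtnetlink.h> and <linux/audit.h>.
RTM_GETLINK, RTM_NEWADDR, RTM_GETADDR, RTM_GETNEIGH, RTM_GETNEIGHTBL = 18, 20, 22, 30, 66
AUDIT_GET, AUDIT_SET = 1000, 1001

# Constructed subset of the coarse mapping in security/selinux/nlmsgtab.c.
COARSE_MAP = {
    "netlink_route_socket": {
        RTM_GETLINK: "nlmsg_read", RTM_GETADDR: "nlmsg_read",
        RTM_GETNEIGH: "nlmsg_read", RTM_GETNEIGHTBL: "nlmsg_read",
        RTM_NEWADDR: "nlmsg_write",
    },
    "netlink_audit_socket": {AUDIT_GET: "nlmsg_read", AUDIT_SET: "nlmsg_write"},
}


@dataclass
class Xperms:
    """allowxperm rules for one (source, class, permission) triple."""
    whole_drivers: set = field(default_factory=set)  # upper byte allowed entirely
    funcs: dict = field(default_factory=dict)        # driver -> 256-bit bitmap (int)

    def allows(self, value: int) -> bool:
        driver, func = (value >> 8) & 0xFF, value & 0xFF
        if driver in self.whole_drivers:
            return True
        return bool((self.funcs.get(driver, 0) >> func) & 1)

    @classmethod
    def from_set(cls, values, complement=False):
        """Build from a policy '{ ... }' set or its '~{ ... }' complement."""
        allowed = set(range(1 << 16)) - set(values) if complement else set(values)
        by_driver = {}
        for v in allowed:
            by_driver[v >> 8] = by_driver.get(v >> 8, 0) | (1 << (v & 0xFF))
        xp = cls()
        for driver, bits in by_driver.items():
            if bits == (1 << 256) - 1:
                xp.whole_drivers.add(driver)  # every function of this driver
            else:
                xp.funcs[driver] = bits
        return xp


@dataclass
class Policy:
    netlink_xperm: bool                        # policy capability state
    allow: dict = field(default_factory=dict)  # (src, cls) -> set of permissions
    xperm: dict = field(default_factory=dict)  # (src, cls, perm) -> Xperms

    def netlink_send(self, src: str, cls: str, nlmsg_type: int) -> bool:
        perms = self.allow.get((src, cls), set())
        if not self.netlink_xperm:
            # Capability off: the old per-type mapping decides; message types
            # missing from the table are denied in this model.
            needed = COARSE_MAP.get(cls, {}).get(nlmsg_type)
            return needed is not None and needed in perms
        # Capability on: "nlmsg" is required, then allowxperm rules restrict it.
        if "nlmsg" not in perms:
            return False
        xp = self.xperm.get((src, cls, "nlmsg"))
        # With no allowxperm rule at all, the base permission alone decides.
        return True if xp is None else xp.allows(nlmsg_type)


def android_example_policy(capability_on: bool) -> Policy:
    """The three rules quoted from the commit description. netdomain and
    priv_app are independent sources here; in real Android policy priv_app is
    also a netdomain."""
    base = {"create", "read", "getattr", "write", "setattr", "lock", "append",
            "connect", "getopt", "setopt", "shutdown", "nlmsg"}
    sensitive = {RTM_GETLINK, RTM_GETNEIGH, RTM_GETNEIGHTBL}
    p = Policy(netlink_xperm=capability_on)
    for src in ("netdomain", "priv_app"):
        p.allow[(src, "netlink_route_socket")] = set(base)
    p.xperm[("netdomain", "netlink_route_socket", "nlmsg")] = Xperms.from_set(sensitive, complement=True)
    p.xperm[("priv_app", "netlink_route_socket", "nlmsg")] = Xperms.from_set(sensitive)
    return p


def compat_audit_policy(capability_on: bool) -> Policy:
    """The 'rule for each scenario' pattern: nlmsg_read for old kernels plus
    nlmsg with an allowxperm rule for kernels with the capability."""
    p = Policy(netlink_xperm=capability_on)
    p.allow[("domain", "netlink_audit_socket")] = {"nlmsg_read", "nlmsg"}
    p.xperm[("domain", "netlink_audit_socket", "nlmsg")] = Xperms.from_set({AUDIT_GET})
    return p


if __name__ == "__main__":
    on = android_example_policy(True)
    print("netdomain RTM_GETADDR:", on.netlink_send("netdomain", "netlink_route_socket", RTM_GETADDR))
    print("netdomain RTM_GETLINK:", on.netlink_send("netdomain", "netlink_route_socket", RTM_GETLINK))
```

Note what happens to the Android rules with the capability turned off: the allow rule grants nlmsg but not nlmsg_read, so the coarse path denies even RTM_GETADDR. That is exactly why the commit description recommends carrying both the old permission and the new nlmsg/allowxperm pair in a policy that must load on kernels with and without the capability.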
Audit
- Minor cleanups involving corrections to the kdoc function parameters and increased usage of the str_yes_no() kernel helper function.