Linux 5.2 Released

This post is a bit later than usual due to vacation, but Linux v5.2 was released on Sunday, July 7, 2019. The SELinux and audit highlights are below:

SELinux

  • Add proper per-file SELinux support for kernfs based filesystems such as cgroupfs. This is particularly interesting for container orchestrators that want to make use of cgroups with greater levels of SELinux access control granularity.

  • Change how we record raw SELinux labels in the audit log. Starting with Linux v5.1 when we encounter an invalid SELinux label we record the label using the "trawcon" field in the audit log, beginning in Linux v5.2 we treat these raw labels as untrusted and hex encode them.

  • A change was made to disallow changing the LSM credentials via /proc/self/attr when the task's credentials are overridden. This should help ensure the integrity of the task's credentials and shouldn't be noticeable to normal users or applications.

  • A number of improvements were made to the MDP (Make Dummy Policy) tool which is included in the kernel source tree. While the MDP generated SELinux policy remains more of a demonstration policy rather than a useful, minimal policy; this work brings the MDP policy up to date such that it should be able to work on a modern SELinux system. Those wishing to play with the MDP policy should be sure to boot their system in permissive mode first to verify that everything works as expected. Unfortunately I mistakenly attributed these changes to Linux v5.1, including them in the v5.1 highlights, but they didn't ship until Linux v5.2.

  • Fix a problem where connect(AF_UNSPEC) on TCP sockets was broken and returning EAFNOSUPPORT instead of disconnecting the socket. This was broken back in Linux v4.17 by commit 68741a8adab9 ("selinux: Fix ltp test connect-syscall failure") but unfortunately the breakage wasn't noticed until recently.

  • Fix a number of smaller bugs and compiler warnings found by clang, KASAN, and KMSAN.

Audit

  • Enable auditing of changes to the system time either via the clock management syscalls or through changes to the kernel's NTP parameters. Changes to the clock via management syscalls will generate a new TIME_INJOFFSET record that looks like the following:

    type=TIME_INJOFFSET msg=audit(1530616049.652:13): sec=-16 nsec=124887145
    Changes to the NTP parameters will generate a new TIME_ADJNTPVAL record that contains an "op" field indicating the parameter being adjusted, as well as "old" and "new" fields indicating the values of the changed parameter. An example of a TIME_ADJNTPVAL record can be seen below:
    type=TIME_ADJNTPVAL msg=audit(1530616044.507:7): op=status old=64 new=8256

  • We continue to associate standalone audit records with other related records. In this release we associate the LOGIN record with other related records into a single audit event.

  • A number of internal kernel changes to enable the PTRACE_GET_SYSCALL_INFO work. While not strictly audit related, these changes do get us closer to enabling syscall auditing for all of the supported Linux hardware platforms.

  • Fix potential memory leaks related to logging kernel module loads and the filesystem watches.

  • Fix some minor warnings found by the sparse tool.

Linux 5.1 Released

Linux v5.1 was released on Sunday, May 5th, 2019. Below are the SELinux and audit highlights for the release:

SELinux

  • If SELinux is asked to perform an access control check on a file with an invalid SELinux label, the invalid label is now recorded in the SELinux AVC audit record using the "trawcon" field. An example is shown below:

    type=AVC msg=audit(1547801083.248:11): avc: denied { open } for pid=1149
    comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608
    scontext=system_u:system_r:sshd_t:s0
    tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
    permissive=1
    trawcon=system_u:object_r:banana_t:s0

  • Support was added for proper labeling of kernfs based filesystems. This is of particular interest to those running containers as the cgroup2 filesystem is based on kernfs.

  • A number of changes throughout the SELinux code to support the newly added LSM stacking code. While this is a rather significant change to the LSM layer, it should have little effect on existing systems as long as the administrator does not enable the LSM stacking functionality.

  • The constant sized flex_array structures were converted to use vmalloc allocated memory. Since these were constant sized arrays the flex_array mechanism only added unnecessary complexity.

  • The SELinux VFS code was updated to use the new internal kernel mounting API. This should have no visible impact to users, administrators, or policy developers.

  • Fix a problem with labeled NFS where mounting a NFS filesystem twice would result in disabling support for the SELinux labels.

  • Fix a problem where SELinux file access control denials might not have been logged when in permissive mode.

  • A few smaller bug fixes not worth mentioning here, but which are still visible in the git log for those who are interested.

Audit

  • The CONFIG_CHANGE records are now associated with other relevant records into a single audit event. Prior to this change the CONFIG_CHANGE records were always standalone records in their own audit event.

  • An "op" field was added to the "lock" and "set" CONFIG_CHANGE records. This should help provide some needed context for the audit event.

  • The filesystem type filter was expanded and now applies to all of the inode auditing code.

  • File capabilities are no longer recorded when unmounting a filesystem. This prevents a potential hang when unmounting a filesystem and due to the nature of the unmount operation, this should have little practical impact on the data recorded in the audit log.

  • Added support for file capabilities version 3.

UPDATE: Moved the MDP improvements to Linux v5.2, they were mistakenly included in the Linux v5.1 notes.

Experimental Rawhide Kernels Part 2

Back in 2015 I started building Fedora Rawhide kernel packages with the SELinux and audit linux-next patches applied and making them available via a Fedora COPR repository. I did this both to try and make the SELinux and audit development work more accessible to people not familiar with patching and building kernels, as well as to help enable regular, automated testing of these development patches before they made their way into Linus' tree. I spoke about this in more detail during a 2016 Flock presentation on Testing Bleeding Edge Kernels.

Now, almost four years after building the first of these kernels, I've reached a point where the entire process from generating a patched kernel SRPM, to testing the resulting kernel build is fully automated. Occasionally the system does require intervention to resolve patch merge conflicts, but those are surprisingly infrequent, and something that only needs to be dealt with once for each conflict. At some point in the future I'll write up how everything works, but the plumbing is still a bit crude at the moment and I'd like to clean it up first. In the meantime you can look at my copr-pkg_scipts repository on GitHub, those scripts are the "smarts" for generating the patches from the development trees and creating the patched kernel SRPMs.

With everything in place, and working well for a few months, I want to make the results (both the kernel builds and the test results) available to a wider audience. However, as these are "bleeding edge" development kernel builds, I feel it is important to stress that these kernels are use-at-your-own-risk; they may be awesome, but they also may blow up in spectacular fashion and take your filesystem with it - be warned.

Kernel "secnext" Test Results

Those of you who wish to see the Fedora Rawhide kernel patches, the build notifications, and the test results, can find them on the kernel-secnext Google group:

The test system is a Fedora Rawhide VM that is fully updated prior to running the selinux-testsuite and audit-testsuite. Mellanox has kindly provided some InfiniBand hardware so that the SELinux InfiniBand tests can be run as well.

Kernel "secnext" Builds

Unfortunately, the Fedora COPR build system has been growing increasingly problematic for kernel builds over the past several years. Build times have been increasing to the point where eight hour builds are not uncommon, and the build chroot often breaks when Fedora Rawhide moves to the next release. While I really like the idea of COPR, I feel the reality of the Fedora COPR implementation is a disappointment for kernel builders. Because of this, in addition to the COPR builds, I've started building the kernel packages myself, you can find links to my YUM/DNF repository below. At the moment the repository has both x86_64 and aarch64 kernel packages, as well as the SRPMs. For those who prefer COPR, I will keep submitting the COPR builds, but I'm unlikely to spend any time resolving COPR specific build breakages.