Linux v5.3 was released on Sunday, September 15, 2019. The SELinux and audit highlights are below:
Allow zero-byte writes to the “keycreate” procfs attribute without requiring the “key:create” permission. This should make it easier for applications to reset the keycreate label.
Consistently log the “invalid_context” field in the SELINUX_ERR audit records as an untrusted string. This should result in better, more uniform audit logs.
Add support for the netlink RTM_NEWNEXTHOP, RTM_DELNEXTHOP, and RTM_GETNEXTHOP messages which are part of the network stack’s “nexthop” API.
The selinuxfs filesystem, commonly mounted on “/sys/fs/selinux”, was converted to use the new kernel mount API. This should not have any effect on userspace.
Explicitly use little-endian variables in some SELinux kernel functions to make it easier for the “sparse” tool to verify proper endian handling in the code.
Remove some BUG_ON()s that are no longer needed. This should have little to no effect, but it removes some dead code and potentially makes the kernel more robust in the face of error conditions (the error handlers are used instead of calling BUG_ON()).
When the audit daemon is sent a signal, ensure we deliver information about the signal sender even when syscall auditing is not supported or not enabled (CONFIG_AUDIT_SYSCALL).
Add the ability to filter audit records based on network address family. This should be available via the “saddr_fam” filter field in the auditctl tool.
Clean up and tighten the audit field filtering restrictions on string-based fields. This should have little impact on applications or audit configurations, as the changes should only affect filters that made little to no sense for string-based fields.
Similar to the SELinux changes, remove some BUG_ON()s from the audit kernel code to eliminate dead code and improve the quality of the kernel.
This post is a bit later than usual due to vacation, but Linux v5.2 was released on Sunday, July 7, 2019. The SELinux and audit highlights are below:
Add proper per-file SELinux support for kernfs based filesystems such as cgroupfs. This is particularly interesting for container orchestrators that want to make use of cgroups with greater levels of SELinux access control granularity.
Change how we record raw SELinux labels in the audit log. Starting with Linux v5.1, when we encounter an invalid SELinux label we record it using the “trawcon” field in the audit log; beginning in Linux v5.2, we treat these raw labels as untrusted strings, which are hex encoded in the log when they contain characters that could confuse a parser.
A change was made to disallow changing the LSM credentials via /proc/self/attr when the task’s credentials are overridden. This should help ensure the integrity of the task’s credentials and shouldn’t be noticeable to normal users or applications.
A number of improvements were made to the MDP (Make Dummy Policy) tool which is included in the kernel source tree. While the MDP generated SELinux policy remains more of a demonstration policy rather than a useful, minimal policy, this work brings the MDP policy up to date such that it should be able to work on a modern SELinux system. Those wishing to play with the MDP policy should be sure to boot their system in permissive mode first to verify that everything works as expected. Unfortunately I mistakenly attributed these changes to Linux v5.1, including them in the v5.1 highlights, but they didn’t ship until Linux v5.2.
Fix a problem where connect(AF_UNSPEC) on TCP sockets was broken and returning EAFNOSUPPORT instead of disconnecting the socket. This was broken back in Linux v4.17 by commit 68741a8adab9 (“selinux: Fix ltp test connect-syscall failure”) but unfortunately the breakage wasn’t noticed until recently.
Fix a number of smaller bugs and compiler warnings found by clang, KASAN, and KMSAN.
Enable auditing of changes to the system time either via the clock management syscalls or through changes to the kernel’s NTP parameters. Changes to the clock via management syscalls will generate a new TIME_INJOFFSET record that looks like the following:
Changes to the NTP parameters will generate a new TIME_ADJNTPVAL record that contains an “op” field indicating the parameter being adjusted, as well as “old” and “new” fields indicating the values of the changed parameter. An example of a TIME_ADJNTPVAL record can be seen below:
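As an added example (not code from the original post or the kernel), the Python below shows how a log consumer handles the two behaviours described in this post and the v5.3 notes above: it undoes the kernel's untrusted-string encoding for “trawcon” and “invalid_context” (a quoted value is literal, an unquoted run of uppercase hex is the encoded form), groups records that share the same audit event id, and summarises the TIME_INJOFFSET and TIME_ADJNTPVAL records. The sample records are constructed for this example and are not the records the post refers to; the “op”, “old” and “new” fields follow the post, while the “sec”/“nsec” layout of TIME_INJOFFSET, the SELINUX_ERR field set, the x86_64 syscall numbers and the allowlist of untrusted fields are assumptions made here. On a real system ausearch -i performs this decoding.

```python
import re
from collections import defaultdict

# Constructed sample records for this example (not the records from the
# original post). op/old/new follow the post; sec/nsec, the SELINUX_ERR field
# set, the syscall numbers and the hex-encoded label are assumptions.
SAMPLE_LOG = """\
type=TIME_INJOFFSET msg=audit(1562500000.123:101): sec=-16 nsec=124887145
type=SYSCALL msg=audit(1562500000.123:101): arch=c000003e syscall=227 success=yes exit=0 comm="date" exe="/usr/bin/date"
type=TIME_ADJNTPVAL msg=audit(1562500001.456:102): op=offset old=0 new=1
type=TIME_ADJNTPVAL msg=audit(1562500001.456:102): op=status old=64 new=8256
type=SYSCALL msg=audit(1562500001.456:102): arch=c000003e syscall=159 success=yes exit=0 comm="chronyd" exe="/usr/sbin/chronyd"
type=AVC msg=audit(1562500002.789:103): avc:  denied  { read } for  pid=1234 comm="cat" trawcon=73797374656D5F753A6F626A6563745F723A626164206C6162656C3A7330
type=SELINUX_ERR msg=audit(1562500003.000:104): op=security_compute_sid invalid_context="system_u:object_r:nonexistent_t:s0"
"""

# Only fields the kernel emits as untrusted strings are hex-decoded: a bare
# numeric field such as new=8256 is also valid hex and must stay as-is.
# This allowlist is an assumption for the example; ausearch -i has the full set.
UNTRUSTED_FIELDS = {"comm", "exe", "proctitle", "trawcon", "srawcon", "invalid_context"}

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")


def decode_untrusted(value):
    """Undo the kernel's untrusted-string encoding.

    A double-quoted value is literal. An unquoted, even-length run of uppercase
    hex is the encoded form the kernel chooses when the string contained a
    space, a double quote or a control byte. Returns (text, was_hex_encoded)."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1], False
    if HEX_RE.match(value):
        # latin-1 maps every byte to a code point, so decoding cannot fail
        return bytes.fromhex(value).decode("latin-1"), True
    return value, False


def parse_record(line):
    """Split one record into its event id, decoded fields and the list of
    field names the kernel hex-encoded."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields, encoded = {}, []
    for key, raw in FIELD_RE.findall(line):
        if key == "msg":
            continue
        if key in UNTRUSTED_FIELDS:
            value, was_hex = decode_untrusted(raw)
            if was_hex:
                encoded.append(key)
        else:
            value = raw
        fields[key] = value
    return {"event": (m.group(1), int(m.group(2))), "fields": fields, "hex_encoded": encoded}


def group_events(log_text):
    """Group records sharing msg=audit(timestamp:serial) into one event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["event"]].append(rec)
    return dict(events)


def time_changes(events):
    """Summarise clock changes as (serial, comm, description), taking the
    actor from the SYSCALL record of the same event when there is one."""
    findings = []
    for key, records in sorted(events.items()):
        by_type = {}
        for r in records:
            by_type.setdefault(r["fields"]["type"], []).append(r)
        actor = by_type.get("SYSCALL", [{}])[0].get("fields", {}).get("comm", "?")
        for r in by_type.get("TIME_INJOFFSET", []):
            f = r["fields"]
            findings.append((key[1], actor, "clock stepped by %ss %sns" % (f["sec"], f["nsec"])))
        for r in by_type.get("TIME_ADJNTPVAL", []):
            f = r["fields"]
            findings.append((key[1], actor, "ntp %s %s -> %s" % (f["op"], f["old"], f["new"])))
    return findings


def invalid_labels(events):
    """Return (record type, field, decoded label, was_hex_encoded) for every
    raw or invalid SELinux label in the log."""
    out = []
    for records in events.values():
        for r in records:
            for key in ("trawcon", "srawcon", "invalid_context"):
                if key in r["fields"]:
                    out.append((r["fields"]["type"], key, r["fields"][key], key in r["hex_encoded"]))
    return out


if __name__ == "__main__":
    events = group_events(SAMPLE_LOG)
    for serial, actor, what in time_changes(events):
        print("event %d: %s: %s" % (serial, actor, what))
    for rtype, key, label, was_hex in invalid_labels(events):
        print("%s %s=%s%s" % (rtype, key, label, " (hex-encoded by kernel)" if was_hex else ""))
```

The allowlist matters: decoding every hex-looking value would turn the numeric new=8256 into two garbage bytes, which is exactly the kind of parser confusion the kernel's encoding of untrusted strings is meant to prevent.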
We continue to associate standalone audit records with other related records. In this release we associate the LOGIN record with other related records into a single audit event.
A number of internal kernel changes to enable the PTRACE_GET_SYSCALL_INFO work. While not strictly audit related, these changes do get us closer to enabling syscall auditing for all of the supported Linux hardware platforms.
Fix potential memory leaks related to logging kernel module loads and the filesystem watches.