Linux 5.12 Released

Linux v5.12 was released on Sunday, April 25th. While it was another relatively quiet release for audit, SELinux had a number of changes; the highlights are below:

SELinux

  • Support was added for controlling anonymous inodes with SELinux. In order to make use of these new controls the various kernel subsystems need to opt in to SELinux policy enforcement by using a different anonymous inode kernel API; the first user of this new API is userfaultfd. The authors of the work, Daniel Colascione and Lokesh Gidra, provide a simple explanation of how to use the new userfaultfd controls under SELinux:

    A SELinux policy author detects and controls these anonymous inodes by adding a name-based type_transition rule that assigns a new security type to anonymous-inode files created in some domain. The name used for the name-based transition is the name associated with the anonymous inode for file listings — e.g., “[userfaultfd]” or “[perf_event]”.

    Example:

    type uffd_t;
    type_transition sysadm_t sysadm_t : anon_inode uffd_t "[userfaultfd]";
    allow sysadm_t uffd_t:anon_inode { create };
    
  • Filesystems can now be configured to use both xattr and genfs file labeling support in the SELinux policy, and the kernel will fall back to genfs if the filesystem does not support xattr labeling. While this may not be very useful for traditional filesystems such as ext4, it is helpful for filesystems such as virtiofs where the filesystem capabilities can vary depending on the backing filesystem.

  • IMA can now measure the loaded SELinux policy. Lakshmi Ramasubramanian explains why this is important and how to make use of this new capability in the commit description:

    SELinux stores the active policy in memory, so the changes to this data at runtime would have an impact on the security guarantees provided by SELinux. Measuring in-memory SELinux policy through IMA subsystem provides a secure way for the attestation service to remotely validate the policy contents at runtime.

    Measure the hash of the loaded policy by calling the IMA hook ima_measure_critical_data(). Since the size of the loaded policy can be large (several MB), measure the hash of the policy instead of the entire policy to avoid bloating the IMA log entry.

    To enable SELinux data measurement, the following steps are required:

    1, Add “ima_policy=critical_data” to the kernel command line arguments to enable measuring SELinux data at boot time. For example,

    BOOT_IMAGE=/boot/vmlinuz-5.10.0-rc1+ root=UUID=fd643309-a5d2-4ed3-b10d-3c579a5fab2f ro nomodeset security=selinux ima_policy=critical_data
    

    2, Add the following rule to /etc/ima/ima-policy:

    measure func=CRITICAL_DATA label=selinux

    Sample measurement of the hash of SELinux policy:

    To verify the measured data with the current SELinux policy run the following commands and verify the output hash values match.

    sha256sum /sys/fs/selinux/policy | cut -d' ' -f 1
    
    grep "selinux-policy-hash" /sys/kernel/security/integrity/ima/ascii_runtime_measurements | tail -1 | cut -d' ' -f 6
    

    Note that the actual verification of SELinux policy would require loading the expected policy into an identical kernel on a pristine/known-safe system and running the sha256sum /sys/kernel/selinux/policy there to get the expected hash.
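As an added example (not code from the commit or from this page), the comparison the two commands above perform, done offline against an attestation log: it picks the newest selinux-policy-hash entry and compares it to a freshly hashed policy. The policy blob and log lines are constructed; it assumes the ima-buf field layout implied by the page's `cut -d' ' -f 6` and that the measured buffer is the policy digest in the same algorithm as the entry's `algo:digest` prefix.

```python
import hashlib
import hmac

# Constructed stand-ins, not data from a real system: a fake policy blob in place of
# /sys/fs/selinux/policy, and ima-buf log entries in the field layout the page's
# "cut -d' ' -f 6" relies on: PCR, template digest, template name, algo:digest,
# event name, hex-encoded buffer. Assumes the kernel booted with ima_hash=sha256.
CURRENT_POLICY = b"\x8c\xff\x7c\xf9SE Linux" + bytes(range(64))
STALE_POLICY = CURRENT_POLICY + b"\x00"

def policy_hash_hex(policy_bytes, algo="sha256"):
    """Hash the raw policy the way 'sha256sum /sys/fs/selinux/policy' does."""
    return hashlib.new(algo, policy_bytes).hexdigest()

def _entry(policy, algo="sha256"):
    # Template digest is a placeholder; only the event name and buffer are checked here.
    return f"10 {'0' * 40} ima-buf {algo}:{'0' * 64} selinux-policy-hash {policy_hash_hex(policy, algo)}"

# Older load first, current load last: the newest entry must win, as "tail -1" does.
IMA_LOG = "\n".join([
    "10 " + "0" * 40 + " ima-ng sha256:" + "0" * 64 + " boot_aggregate",
    _entry(STALE_POLICY),
    _entry(CURRENT_POLICY),
])

def last_policy_measurement(ima_log, event_name="selinux-policy-hash"):
    """Return (algo, hex digest) from the newest ima-buf entry for event_name, or None."""
    found = None
    for line in ima_log.splitlines():
        f = line.split()
        if len(f) >= 6 and f[2] == "ima-buf" and f[4] == event_name:
            found = (f[3].split(":", 1)[0], f[5].lower())  # buffer is the policy digest
    return found

def verify_policy(ima_log, policy_bytes):
    """True when the newest measured policy digest matches policy_bytes under the same algo."""
    found = last_policy_measurement(ima_log)
    if found is None:
        return False  # nothing measured: policy not loaded or critical_data rule missing
    algo, measured = found
    return hmac.compare_digest(measured, policy_hash_hex(policy_bytes, algo))
```

On a real system, read /sys/fs/selinux/policy and /sys/kernel/security/integrity/ima/ascii_runtime_measurements in place of the constructed values; the entry's algorithm prefix tells you which userspace digest tool to match.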

  • SELinux now properly classifies MPTCP sockets the same as TCP sockets.

  • A problem with overlayfs was fixed that impacted systems where SELinux was enabled but a policy had not yet been loaded.

  • A potential use-after-free problem during SELinux policy reloading was fixed. While normally such bugs can be serious, loading a new SELinux policy is already a privileged operation so the risk should be low.

  • Potential problems relating to SELinux label conversion during policy reloading have been fixed.

  • Potential problems involving SELinux policy booleans incorrectly enabling or disabling SELinux policy have been fixed.

  • Some incorrect and inconsistent kernel messages generated when loading a SELinux policy were fixed.

  • A small number of unused variables were removed from the SELinux code, some private variables were correctly marked as static, and a number of other variables were marked as “__ro_after_init” or “__read_mostly” as appropriate.

Audit

  • A few trivial changes to clean up the code and correct some typos; there should be no noticeable changes.

Linux 5.11 Released

Linux v5.11 was released on Sunday, February 14, 2021 (happy Valentine’s Day!). It was a relatively small release from a SELinux and audit perspective, but the highlights are below:

SELinux

  • Changed the LSM network hooks to pass “flowi_common” structs instead of the parent “flowi” struct; the LSMs do not currently need the full “flowi” struct and they do not have the address family information necessary to use it safely.

  • Fix how we handle errors in “inode_doinit_with_dentry()” so that we attempt to properly label the inode on following lookups instead of continuing to treat the inode as unlabeled.

  • Update the kernel logic around the SELinux “allowx”, “auditallowx”, and “dontauditx” policy statements such that “auditallowx” and “dontauditx” are effective even without the “allowx” statement.

  • A number of smaller changes to mark some LSM hook parameters as constant and fix a “switch” statement fall-through warning in Clang.

Audit

  • Linux v5.7 changed how audit records were generated such that mandatory audit records could trigger the creation of various accompanying records (e.g. SYSCALL records). Unfortunately, a number of problems were found and this change had to be reverted in Linux v5.8. With this kernel release we have fixed all of the outstanding problems and restored this behavior. This change should help provide additional context around various audit events, making it easier for administrators to understand what was actually happening on the system.

Linux 5.10 Released

Linux v5.10 was released on Sunday, December 13th, 2020; the SELinux and audit highlights are below:

SELinux

  • A number of changes to how the SELinux policy is loaded and managed inside the kernel with the goal of improving the atomicity of the SELinux policy load operation as well as overall policy lookup performance. Work included better encapsulation of the policy state, improvements to the policy locking, and refactoring both the policy boolean updates and selinuxfs. This was a significant effort spread across multiple patches and multiple developers; a special thanks to everyone who was involved in the development and testing of these changes.

  • A tracepoint was added for audited SELinux access control events. These changes should help provide a more unified backtrace across the kernel and userspace when examining SELinux access control denials. The author of the changes, Thiébaud Weksteen, explains the basic functionality:

    It is possible to use perf for monitoring the event:

    # perf record -e avc:selinux_audited -g -a
    ^C
    # perf report -g
    [...]
    	6.40%     6.40%  audited=800000 tclass=4
    		|
    		__libc_start_main
    		|
    		|--4.60%--__GI___ioctl
    		|          entry_SYSCALL_64
    		|          do_syscall_64
    		|          __x64_sys_ioctl
    		|          ksys_ioctl
    		|          binder_ioctl
    		|          binder_set_nice
    		|          can_nice
    		|          capable
    		|          security_capable
    		|          cred_has_capability.isra.0
    		|          slow_avc_audit
    		|          common_lsm_audit
    		|          avc_audit_post_callback
    		|          avc_audit_post_callback
    		|
    

    It is also possible to use the ftrace interface:

    # echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable
    # cat /sys/kernel/debug/tracing/trace
    tracer: nop
    entries-in-buffer/entries-written: 1/1   #P:8
    [...]
    dmesg-3624  [001] 13072.325358: selinux_denied: audited=800000 tclass=4
    

    The tclass value can be mapped to a class by searching security/selinux/flask.h. The audited value is a bit field of the permissions described in security/selinux/av_permissions.h for the corresponding class.

  • Thiébaud also later added additional attributes and basic filtering support to the new SELinux tracepoints:

    This patch adds further attributes to the event. These attributes are helpful to understand the context of the message and can be used to filter the events.

    There are three common items. Source context, target context and tclass. There are also items from the outcome of operation performed.

    An event is similar to:

    	<...>-1309  [002] ....  6346.691689: selinux_audited:
    	requested=0x4000000 denied=0x4000000 audited=0x4000000
    	result=-13
    	scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
    	tcontext=system_u:object_r:bin_t:s0 tclass=file
    

    With systems where many denials are occurring, it is useful to apply a filter. The filtering is a set of logic that is inserted with the filter file. Example:

    echo "tclass==\"file\" " > events/avc/selinux_audited/filter
    

    This adds that we only get tclass=file.

    The trace can also have extra properties. Adding the user stack can be done with

    echo 1 > options/userstacktrace
    

    Now the output will be:

    	runcon-1365  [003] ....  6960.955530: selinux_audited:
    	requested=0x4000000 denied=0x4000000 audited=0x4000000
    	result=-13
    	scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
    	tcontext=system_u:object_r:bin_t:s0 tclass=file
    	runcon-1365  [003] ....  6960.955560: <user stack trace>
    =>  <00007f325b4ce45b>
    =>  <00005607093efa57>
    
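As an added example (not from the page or from the kernel patches it quotes), a parser for the trace output shown in the two tracepoint items above: it handles both the short single-line form from the first patch and the multi-line form with the user stack trace, groups each record, and counts denials per (scontext, tcontext, tclass), the triple the filter example selects on. The sample trace is constructed from the lines shown above; the header regex treats the flags column as optional because the two outputs differ there.

```python
import re
from collections import Counter
# Constructed sample in the ftrace format shown above (not a real capture): the
# runcon/cupsd_t event, its user stack trace and a short-form single-line record.
SAMPLE_TRACE = """\
runcon-1365  [003] ....  6960.955530: selinux_audited:
requested=0x4000000 denied=0x4000000 audited=0x4000000
result=-13
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file
runcon-1365  [003] ....  6960.955560: <user stack trace>
=>  <00007f325b4ce45b>
=>  <00005607093efa57>
dmesg-3624  [001] 13072.325358: selinux_audited: audited=800000 tclass=4
"""
# comm-pid [cpu] <optional flags column> timestamp: event text
HEADER_RE = re.compile(r"^\s*(\S+)-(\d+)\s+\[(\d+)\]\s+(?:\S+\s+)?(\d+\.\d+):\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
HEX_FIELDS = ("requested", "denied", "audited")  # printed with %x, with or without 0x

def parse_trace(text):
    """Group each selinux_audited record with its continuation lines and user stack."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m and not m.group(5).startswith("<user stack trace>"):
            if m.group(5).split(":", 1)[0] not in ("selinux_audited", "selinux_denied"):
                current = None  # another tracepoint: stop attaching lines to the record
                continue
            current = {"comm": m.group(1), "pid": int(m.group(2)),
                       "ts": float(m.group(4)), "stack": []}
            records.append(current)
            line = m.group(5).split(":", 1)[1]  # short-form records keep key=values here
        if current is None:
            continue
        addr = re.match(r"\s*=>\s*<([0-9a-f]+)>", line, re.I)
        if addr:
            current["stack"].append(addr.group(1))
        for key, val in KV_RE.findall(line):
            current[key] = int(val, 16) if key in HEX_FIELDS else int(val) if key == "result" else val
    return records

def denial_summary(records):
    """Count records with a non-zero 'denied' per (scontext, tcontext, tclass)."""
    return Counter((r.get("scontext"), r.get("tcontext"), r.get("tclass"))
                   for r in records if r.get("denied"))

def unaudited_denied(record):
    """Bits set in 'denied' but not in 'audited': denials no AVC audit record covers."""
    return record.get("denied", 0) & ~record.get("audited", 0)
```

Feed it the contents of /sys/kernel/debug/tracing/trace to get the same per-context summary the filter file gives you interactively, with the stack addresses kept alongside each record.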
  • It is now possible to remove the SELinux label from a file when there is no policy loaded by removing the “security.selinux” extended attribute from the file.

  • The “scripts/selinux/mdp” tool in the kernel source tree now generates SELinux policies with policy capabilities enabled.

  • Fix the SELinux/InfiniBand PKEY object cache error handling code to properly return an error code on failure.

  • Provide a “no sooner” date of June 2021 for the SELinux checkreqprot sysfs deprecation that was first declared in the Linux v5.7 release.

Audit

  • A small number of trivial fixes, e.g. changing global variables to static declarations, that don’t have any noticeable impact on audit functionality or behavior.