Linux 4.10 Released
22 Feb 2017 tags: audit selinux
Linux v4.10 was released this past weekend on Sunday, February 19th; this is a quick summary of the SELinux and audit changes.
SELinux
- Fix a GFS2/SELinux deadlock where one task is initializing an inode while another task is invalidating the SELinux label on the same inode. The fix involved changing the SELinux inode_security_struct lock from a mutex to a spinlock and introducing a new SELinux label state, “PENDING”. These two changes allow SELinux to mark a pending inode initialization and detect if the inode’s label was invalidated during the initialization process.
- Add a build time check to catch the addition of new capabilities and force an update to the associated SELinux code. The simple fix was to compare the CAP_LAST_CAP sentinel value with the last capability the SELinux code knows about and cause a compilation failure, via the “#error” compiler directive, when there is a mismatch.
- Normalize input to /sys/fs/selinux/enforce so that the stored value is only ever 1 (true) or 0 (false). This change should have no impact on the kernel itself, which only checks for non-zero (true) or 0 (false), but some userspace tools check for a value of exactly 1 rather than any non-zero value.
- Fix a problem where clearing /proc/self/attr/fscreate could result in an unwanted kernel memory access (CVE-2017-2618).
- A number of minor improvements and cleanups to the SELinux inode handling.
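Two of the changes above, the build-time capability guard and the normalization of writes to /sys/fs/selinux/enforce, modelled in plain C as an added example. This is not kernel code: the capability numbers, the permission-name table and the function names are constructed for illustration, and only the shape of the checks follows the kernel.

```c
/* Added example, not kernel code. Capability values and permission names
 * are a constructed subset; the real tables live in
 * include/uapi/linux/capability.h and security/selinux/include/classmap.h. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* --- 1. Build-time guard for the capability list ------------------------ */

/* Capabilities must be #defines rather than enum members: the preprocessor
 * #if below cannot see enum values (an unknown identifier evaluates to 0). */
#define CAP_CHOWN        0
#define CAP_DAC_OVERRIDE 1
#define CAP_NET_ADMIN    2
#define CAP_SYS_ADMIN    3
#define CAP_AUDIT_READ   4
#define CAP_LAST_CAP     CAP_AUDIT_READ   /* sentinel: highest defined cap */

/* Policy permission name for each capability, indexed by capability number.
 * Adding a new CAP_* above without adding its name here is exactly the
 * mistake the build-time check exists to catch. */
static const char *const cap_perms[] = {
    [CAP_CHOWN]        = "chown",
    [CAP_DAC_OVERRIDE] = "dac_override",
    [CAP_NET_ADMIN]    = "net_admin",
    [CAP_SYS_ADMIN]    = "sys_admin",
    [CAP_AUDIT_READ]   = "audit_read",
};
#define NUM_CAP_PERMS (sizeof(cap_perms) / sizeof(cap_perms[0]))

/* Same shape as the kernel check: compare the sentinel with the last
 * capability this table knows about and stop the build on a mismatch. */
#if CAP_LAST_CAP > CAP_AUDIT_READ
#error "New capability defined, please update cap_perms[]"
#endif
/* C11 static assertion as a second line of defence: the table must have
 * exactly one entry per capability, so a gap in the initializers also fails. */
_Static_assert(NUM_CAP_PERMS == CAP_LAST_CAP + 1,
               "cap_perms[] does not cover every capability");

/* Look up the permission name for a capability; NULL if out of range. */
const char *cap_perm_name(int cap)
{
    if (cap < 0 || cap > CAP_LAST_CAP)
        return NULL;
    return cap_perms[cap];
}

/* --- 2. Normalizing writes to /sys/fs/selinux/enforce ------------------- */

/* Model of the write handler. Before the change the parsed integer was
 * stored as-is, so writing "2" left the enforcing flag equal to 2. */
static int selinux_enforcing;

/* normalize == 0 reproduces the old behaviour, normalize != 0 the fix.
 * Returns 0 on success or -EINVAL if the buffer does not parse as an int. */
int enforce_store(const char *buf, int normalize)
{
    int new_value;

    if (sscanf(buf, "%d", &new_value) != 1)
        return -EINVAL;
    if (normalize)
        new_value = !!new_value;   /* collapse any non-zero value to 1 */
    selinux_enforcing = new_value;
    return 0;
}

/* The kernel only ever tests for non-zero ... */
int kernel_is_enforcing(void)
{
    return selinux_enforcing != 0;
}

/* ... but some userspace tools compare the file's contents against 1. */
int tool_says_enforcing(void)
{
    return selinux_enforcing == 1;
}
```

With normalization off, writing "2" leaves the kernel enforcing while a tool that tests for exactly 1 reports permissive; with normalization on, both agree. The `#if`/`#error` pair is the check the kernel actually uses; the `_Static_assert` is an extra guard that also catches a missing designated initializer.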
Audit
- Major rework of the audit backlog queue which moves the audit multicast writes from the thread of the task which generates the event to a separate kernel thread, much like we do for the audit unicast/auditd messages. Moving the multicast writes had a ripple effect on the entire audit queuing mechanism and brought about a number of improvements that should reduce the per-task audit overhead when audit is enabled and make audit more robust under heavy load.
- Add kernel support for audit filtering based on the session ID. See the GitHub feature page for more information.
- Fix audit’s use of fsnotify to prevent sleeping while holding a spinlock. The fix involved making sure that the proper lock ordering was followed, meaning that we take the fsnotify_group’s mutex before taking the fsnotify_mark’s spinlock.
- Fix a problem where audit was needlessly duplicating fsnotify_mark structures and leaking a reference to the associated fsnotify group.
- Fix a problem where the kernel wasn’t properly holding a reference for the auditd communication socket, which could result in a race condition when resetting the connection with auditd.
- Ensure consistent logging of the CONFIG_CHANGE audit record. The record’s “op” field is not an encoded string, so its value should not be surrounded with double quotes.
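The quoting rule behind the CONFIG_CHANGE fix, as an added example that is not kernel code: a value that came from userspace is logged either in double quotes or, if it contains a double quote, whitespace or a non-printable byte, as a hex string, so a parser treats a quoted or hex value as an encoded string. A fixed kernel string such as “op” is logged as a bare token. The function names and the simplified record layout below are constructed for illustration.

```c
/* Added example, not kernel code: models how audit record fields are
 * emitted. Function names and the simplified record layout are invented. */
#include <stdio.h>
#include <string.h>

/* A value from userspace needs hex encoding if it contains a double quote,
 * whitespace/control characters or anything outside printable ASCII. */
static int needs_hex_encoding(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '"' || c < 0x21 || c > 0x7e)
            return 1;
    }
    return 0;
}

/* Append key=value for an untrusted string: quoted, or hex-encoded when the
 * value is unsafe. Returns the number of bytes written, or -1 on overflow. */
int audit_log_untrusted(char *out, size_t outlen, const char *key, const char *val)
{
    size_t n;
    int r;

    if (!needs_hex_encoding(val)) {
        r = snprintf(out, outlen, "%s=\"%s\"", key, val);
        return (r < 0 || (size_t)r >= outlen) ? -1 : r;
    }
    r = snprintf(out, outlen, "%s=", key);
    if (r < 0 || (size_t)r >= outlen)
        return -1;
    n = (size_t)r;
    for (; *val; val++) {
        r = snprintf(out + n, outlen - n, "%02x", (unsigned char)*val);
        if (r < 0 || (size_t)r >= outlen - n)
            return -1;
        n += (size_t)r;
    }
    return (int)n;
}

/* Append key=value for a fixed kernel string such as the CONFIG_CHANGE "op"
 * field: never quoted, never encoded, so parsers see a bare token. */
int audit_log_trusted(char *out, size_t outlen, const char *key, const char *val)
{
    int r = snprintf(out, outlen, "%s=%s", key, val);
    return (r < 0 || (size_t)r >= outlen) ? -1 : r;
}

/* Simplified CONFIG_CHANGE record: "op" is a kernel constant and goes out
 * bare, the rule key came from userspace and goes through the untrusted path. */
int format_config_change(char *out, size_t outlen, const char *op,
                         const char *key, int list, int res)
{
    char opbuf[64], keybuf[256];
    int r;

    if (audit_log_trusted(opbuf, sizeof opbuf, "op", op) < 0)
        return -1;
    if (audit_log_untrusted(keybuf, sizeof keybuf, "key", key) < 0)
        return -1;
    r = snprintf(out, outlen, "type=CONFIG_CHANGE %s %s list=%d res=%d",
                 opbuf, keybuf, list, res);
    return (r < 0 || (size_t)r >= outlen) ? -1 : r;
}
```

A rule key of `watch` is logged as `key="watch"`, a key containing a space as a hex string, and the operation always as `op=add_rule`. Emitting `op="add_rule"` instead would tell a parser the value had gone through the untrusted-string path, which is why the inconsistency was worth fixing.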