Linux 4.11 Released

Linux v4.11 was released this past weekend on Sunday, April 30th; this is a quick summary of the SELinux and audit changes.

SELinux

• A number of new SELinux object classes were added to support all of the known network socket address families, and code was introduced to make it easier for kernel developers to keep the SELinux subsystem in sync with the address family definitions. These new object classes provide policy developers a greater level of access control granularity by allowing them to write policy which targets specific protocols. In order to make use of these new object classes the SELinux policy must enable the “extended_socket_class” policy capability.

• Add SELinux labeling support to the cgroup and cgroup2 pseudo filesystems. This should allow better control over applications, such as containers, which need to manage only certain portions of the system’s cgroup configuration. In order to make use of this new functionality the SELinux policy must enable the “cgroup_seclabel” policy capability.

• Add SELinux labeling support to TraceFS. This is required for Android compatibility on Linux v4.1 and above (TraceFS was introduced in Linux v4.1).

• Allow SELinux context mounts of tmpfs, ramfs, and devpts in non-init user namespaces. This is required by many container runtimes such as Docker/runc/etc.

• Change the kernel behavior so that SELinux policy booleans which are not labeled by the loaded policy are assigned the security initial SID label, previously the boolean was left unlabeled and any access was denied.

• Additional error messages were added to the SELinux policy loading code so that policy load failures could be more easily diagnosed by administrators.

• Remove the security_task_wait() LSM hook and the SELinux implementation. It turned out that this access control was more trouble than it was worth; risking soft lockups and zombie processes without any real security advantage.

• Internal cleanups relating to how credentials were used in the SELinux subsystem. While this is a nice cleanup and simplification inside the kernel, there should be no user visible changes.

• Internal shuffling of the process restrictions affecting /proc/<pid>/attr from the individual LSMs (including SELinux) to the proc subsystem. This helps eliminate code redundancy and ensures proper behavior across LSMs.

• The SELinux LSM hooks are now marked as read-only after the system boots. This should help prevent malicious code from tampering with the LSM hooks.

Audit

• Add the ability to reset the lost record counter. See the GitHub feature page for more information.

• Log the name of the kernel module, via a new KERN_MODULE record, when the module is loaded into the kernel. See the GitHub feature page for more information.

• Fixed a problem where the SOCKETCALL record was not generated for 32-bit syscalls on a 64-bit system. See the GitHub issue for more information.

• Fix the kernel’s audit daemon state tracking code. There were a number of issues relating to how the daemon’s connection was tracked including locking problems and some synchronization oddities with network namespaces. The code in Linux v4.11 helps resolve these problems and also adds some additional improvements to the audit backlog queue handling in the kernel. It is worth noting that some users may still experience some lock issues with Linux v4.11 when the audit daemon first starts; this has been fixed in Linus’ tree with commit 48d0e023af97 (“audit: fix the RCU locking for the auditd_connection structure”) and should be part of the next Linux v4.11 stable release.

• Adjust the KERNEL and ANOM_ABEND audit records so they are more consistent with the other audit records.