Linux 4.12 Released

Linux v4.12 was released this past weekend on Sunday, July 2nd; this is a quick summary of the SELinux and audit changes.

SELinux

• A new SELinux access control check was added for prlimit(2). This new access control is intended to allow SELinux policy developers the ability to control when one process attempts to read or modify another process’ resource limits using the “process:{ setrlimit getrlimit }” permissions. SELinux does not restrict a process from manipulating its own resource limits via prlimit(2).

• Reorder the CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH capability checks in the internal “generic_permission()” function so that CAP_DAC_OVERRIDE is checked after CAP_DAC_READ_SEARCH. This ensures that CAP_DAC_OVERRIDE is only checked for operations where it is required.

• Constify the kernel’s internal netlink message permission mapping tables to help prevent unwanted tampering.

• Cleanup the kernel’s internal network address handling in the SELinux bind(2) hook by ensuring that the address length is correct for the address family.

• Multiple kernel internal cleanups and simplifications.

Audit

• Log the name of the kernel module, via the KERN_MODULE record, when the module is removed from the kernel. See the GitHub feature page for more information.

• Simplify and normalize the NETFILTER_PKT record to make it easier to parse in userspace and to enable future enhancement if needed. The new record includes the netfilter mark, via “mark”, the source address, via “saddr”, the destination address, via “daddr”, and the upper layer protocol, via “proto”.

• Replace the audit subsystem’s audit_buffer management mechanism with the standard kmem_cache mechanism. This simplifies the kernel’s audit code and should provide for better runtime memory management.

• Convert a number of atomic_t reference counters to refcount_t. This change should help guard against reference count overflows in the audit subsystem.

• Convert the audit subsystem in the kernel to use 64-bit timestamps. This should make the audit subsystem year 2038 safe.

• Convert the kernel’s auditd PID tracking to use the pid struct and not the pid_t scalar type.

• All audit netlink messages sent by the kernel now use a netlink port ID value of zero. This brings audit inline with the netlink specification.

• Fix some problems with the RCU locking relating to auditd connection tracking. With any luck this should be the last of the auditd connection tracking fixes for a while.