Linux 5.2 Released

This post is a bit later than usual due to vacation, but Linux v5.2 was released on Sunday, July 7, 2019. The SELinux and audit highlights are below:

SELinux

• Add proper per-file SELinux support for kernfs based filesystems such as cgroupfs. This is particularly interesting for container orchestrators that want to make use of cgroups with greater levels of SELinux access control granularity.

• Change how we record raw SELinux labels in the audit log. Starting with Linux v5.1 when we encounter an invalid SELinux label we record the label using the “trawcon” field in the audit log, beginning in Linux v5.2 we treat these raw labels as untrusted and hex encode them.

• A change was made to disallow changing the LSM credentials via /proc/self/attr when the task’s credentials are overridden. This should help ensure the integrity of the task’s credentials and shouldn’t be noticeable to normal users or applications.

• A number of improvements were made to the MDP (Make Dummy Policy) tool which is included in the kernel source tree. While the MDP generated SELinux policy remains more of a demonstration policy rather than a useful, minimal policy; this work brings the MDP policy up to date such that it should be able to work on a modern SELinux system. Those wishing to play with the MDP policy should be sure to boot their system in permissive mode first to verify that everything works as expected. Unfortunately I mistakenly attributed these changes to Linux v5.1, including them in the v5.1 highlights, but they didn’t ship until Linux v5.2.

• Fix a problem where connect(AF_UNSPEC) on TCP sockets was broken and returning EAFNOSUPPORT instead of disconnecting the socket. This was broken back in Linux v4.17 by commit 68741a8adab9 (“selinux: Fix ltp test connect-syscall failure”) but unfortunately the breakage wasn’t noticed until recently.

• Fix a number of smaller bugs and compiler warnings found by clang, KASAN, and KMSAN.

Audit

• Enable auditing of changes to the system time either via the clock management syscalls or through changes to the kernel’s NTP parameters. Changes to the clock via management syscalls will generate a new TIME_INJOFFSET record that looks like the following:

  type=TIME_INJOFFSET msg=audit(1530616049.652:13): sec=-16 nsec=124887145
  

  Changes to the NTP parameters will generate a new TIME_ADJNTPVAL record that contains an “op” field indicating the parameter being adjusted, as well as “old” and “new” fields indicating the values of the changed parameter. An example of a TIME_ADJNTPVAL record can be seen below:

  type=TIME_ADJNTPVAL msg=audit(1530616044.507:7): op=status old=64 new=8256
  

• We continue to associate standalone audit records with other related records. In this release we associate the LOGIN record with other related records into a single audit event.

• A number of internal kernel changes to enable the PTRACE_GET_SYSCALL_INFO work. While not strictly audit related, these changes do get us closer to enabling syscall auditing for all of the supported Linux hardware platforms.

• Fix potential memory leaks related to logging kernel module loads and the filesystem watches.

• Fix some minor warnings found by the sparse tool.