Linux 5.3 Released
19 Sep 2019
tags: audit, selinux

Linux v5.3 was released on Sunday, September 15, 2019. The SELinux and audit highlights are below:
SELinux

- Allow zero-byte writes to the “keycreate” procfs attribute without requiring the “key:create” permission. This should make it easier for applications to reset the keycreate label.
- Consistently log the “invalid_context” field in the SELINUX_ERR audit records as an untrusted string. This should result in better, more uniform audit logs.
- Add support for the netlink RTM_NEWNEXTHOP, RTM_DELNEXTHOP, and RTM_GETNEXTHOP messages which are part of the network stack’s “nexthop” API.
- The selinuxfs filesystem, commonly mounted on “/sys/fs/selinux”, was converted to use the new kernel mount API. This should not have any effect on userspace.
- Explicitly use little-endian variables in some SELinux kernel functions to make it easier for the “sparse” tool to verify proper endian handling in the code.
- Remove some BUG_ON()s that are no longer needed. This should have little to no effect, but it removes some dead code and potentially makes the kernel more robust in the face of error conditions (the error handlers are used instead of calling BUG_ON()).
Audit

- When the audit daemon is sent a signal, ensure we deliver information about the signal sender even when syscall auditing is not supported and/or enabled (CONFIG_AUDIT_SYSCALL).
- Add the ability to filter audit records based on network address family. This should be available via the “saddr_fam” filter field in the auditctl tool.
- Clean up and tighten the audit field filtering restrictions on string-based fields. This should have little impact on applications or audit configurations, as the changes should only affect filters that made little to no sense for string-based fields.
- Similar to the SELinux changes, remove some BUG_ON()s from the audit kernel code to eliminate dead code and improve the quality of the kernel.