Linux 5.7 Released

Linux v5.7 was released on Sunday, May 31, 2020; the SELinux and audit highlights are below:

SELinux

• Deprecate setting “/sys/fs/selinux/checkreqprot” to 1. This flag was originally created to deal with legacy userspace and the READ_IMPLIES_EXEC personality flag. We changed the default from 1 to 0 back in Linux v4.4 and now we are taking the next step of deprecating it, at some point in the future we will take the final step of rejecting 1.

• Allow kernfs symlinks to inherit the SELinux label of the parent directory. In order to preserve backwards compatibility this is protected by the “genfs_seclabel_symlinks” SELinux policy capability.

• Fix a problem where we were not properly handling multiple netlink messages in a single message buffer. Unfortunately this could cause some netlink messages to escape the SELinux access controls. This issue was assigned the CVE number CVE-2020-10751.

• Enable per-file labeling for the BPF filesystem.

• Improve how we handle initial SIDs in the kernel and remove a number that were unused.

• Optimize how we store filename transitions in the kernel, resulting in some significant improvements to policy load times.

• We now do a better job calculating the sizes of the internal hash tables, which improved SELinux policy load times and likely general SELinux performance as well.

• Ensure that we properly label NFS v4.2 filesystems to avoid a temporary unlabeled condition.

• Add some missing XFS quota command types to the SELinux quota access controls.

• Fix a problem where we were not properly handling all read operations in selinuxfs.

• Convert several linked lists to arrays to help with performance and improve code simplicity.

Audit

• Stop logging inode information when updating an audit file watch. Since we are not changing the inode, or the fact that we are watching the associated file, the inode information is just noise that we can do without.

• Fix a problem where mandatory audit records were missing their accompanying audit records (e.g. SYSCALL records were missing). The missing records often meant that we didn’t have the necessary context to understand what was going on when the event occurred. [UPDATE August 4, 2020: this patch was reverted during the Linux v5.8-rcX phase due to problems, it should reappear at a later date]

• Fix a problem where we were not properly checking the length of audit records generated by userspace programs allowed to submit audit records due to the CAP_AUDIT_WRITE capability.