Linux 5.8 Released
04 Aug 2020, tags: audit, selinux

Linux v5.8 was released on Sunday, August 2, 2020; the SELinux and audit highlights are below:
SELinux
- Added support for a new SELinux policy version, version 33, which stores filename transitions in the binary policy in a more space-efficient way. With the default Fedora SELinux policy and the unconfined module enabled, this change drops the policy size from ~7.6MB to ~3.3MB, and policy load times drop as well.
- A number of improvements to various SELinux internal kernel data structures to improve performance and simplify the code: the role transitions moved into a hash table, and security contexts are now hashed on the context structure itself (when it is valid) rather than on the rendered SELinux label string.
- Support was added for the new CAP_PERFMON and CAP_BPF capabilities in the "capability2" object class.
- Several bug fixes found by the Clang static analyzer, resolving potential double-free conditions and undefined return values.
- Fixes to the error handling code in the policy parser so that it properly returns error codes when things go wrong.
- Internal changes to the LSM hook responsible for ensuring that the LSM credentials are set correctly for processes when they are executed.
- Changes to the LSM/SELinux hooks for the kernel keyring.
Audit
- Binding to and unbinding from the audit multicast socket now generates audit records. This is intended to help administrators identify which processes have, or had, access to the information in the audit record stream.
- Some of the audit error handling was improved to remove the potential for leaking network namespace references in the kernel.
- The netfilter configuration records were cleaned up and additional information was added to them.
- Sadly, the commit that enabled better support for accompanying records, merged for the Linux v5.7 release, had to be reverted due to problems with the implementation. I expect this to come back at a later date once the code is improved.
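As an added example, not taken from this post or from the kernel tree, the following C program performs the two operations the first audit item refers to: it joins the audit multicast read-log group (AUDIT_NLGRP_READLOG on a NETLINK_AUDIT socket), reads a few records, and leaves the group again. It assumes a Linux system with the uapi headers installed; joining the group only succeeds with CAP_AUDIT_READ, so an unprivileged run reports -EPERM, which the code handles rather than treats as a bug. The function names are my own.

```c
/* Added example: subscribe to the audit multicast read-log group and read
 * records from it. Requires CAP_AUDIT_READ to join; on a 5.8+ kernel both the
 * join and the leave are themselves written to the audit log. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>

/* Join AUDIT_NLGRP_READLOG. Returns a socket fd on success or -errno on
 * failure; -EPERM is what an unprivileged caller gets. */
int audit_mcast_join(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
    if (fd < 0)
        return -errno;

    struct sockaddr_nl addr;
    memset(&addr, 0, sizeof(addr));
    addr.nl_family = AF_NETLINK; /* nl_pid 0: the kernel assigns a port id */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }

    unsigned int grp = AUDIT_NLGRP_READLOG;
    if (setsockopt(fd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP,
                   &grp, sizeof(grp)) < 0) {
        int err = errno; /* EPERM without CAP_AUDIT_READ */
        close(fd);
        return -err;
    }
    return fd;
}

/* Leave the group and close the socket. Returns 0 or -errno. */
int audit_mcast_leave(int fd)
{
    unsigned int grp = AUDIT_NLGRP_READLOG;
    int rc = 0;
    if (setsockopt(fd, SOL_NETLINK, NETLINK_DROP_MEMBERSHIP,
                   &grp, sizeof(grp)) < 0)
        rc = -errno;
    close(fd);
    return rc;
}

/* Read one multicast message. Each netlink message carries one audit record
 * as text; nlmsg_type is the audit record type (1300 is AUDIT_SYSCALL, for
 * example). Copies the NUL-terminated text into buf and returns its length,
 * or -errno / -EBADMSG on a malformed message. */
int audit_mcast_read(int fd, char *buf, size_t buflen, int *type)
{
    char raw[8192];
    ssize_t n = recv(fd, raw, sizeof(raw), 0);
    if (n < 0)
        return -errno;

    struct nlmsghdr *nlh = (struct nlmsghdr *)raw;
    if (!NLMSG_OK(nlh, (int)n))
        return -EBADMSG;

    size_t len = NLMSG_PAYLOAD(nlh, 0);
    if (len >= buflen)
        len = buflen - 1;
    memcpy(buf, NLMSG_DATA(nlh), len);
    buf[len] = '\0';
    if (type)
        *type = nlh->nlmsg_type;
    return (int)len;
}

int main(void)
{
    int fd = audit_mcast_join();
    if (fd < 0) {
        fprintf(stderr, "join failed: %s\n", strerror(-fd));
        return 1;
    }
    for (int i = 0; i < 3; i++) {
        char rec[4096];
        int type;
        int len = audit_mcast_read(fd, rec, sizeof(rec), &type);
        if (len < 0)
            break;
        printf("type=%d %s\n", type, rec);
    }
    return audit_mcast_leave(fd) == 0 ? 0 : 1;
}
```

Run it as root (or with CAP_AUDIT_READ) on a 5.8 kernel with auditing enabled and search the audit log afterwards: the process's join and leave each leave a record, which is the administrator-facing point of the change. Note that this group only carries the stream; it is not a replacement for the unicast socket auditd uses to configure the subsystem.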