Linux 5.10 Released
15 Dec 2020, tags: audit, selinux
Linux v5.10 was released on Sunday, December 13th, 2020; the SELinux and audit highlights are below:
- A number of changes to how the SELinux policy is loaded and managed inside the kernel with the goal of improving the atomicity of the SELinux policy load operation as well as overall policy lookup performance. Work included better encapsulation of the policy state, improvements to the policy locking, and refactoring both the policy boolean updates and selinuxfs. This was a significant effort spread across multiple patches and multiple developers; a special thanks to everyone who was involved in the development and testing of these changes.
- A tracepoint was added for audited SELinux access control events. These changes should help provide a more unified backtrace across the kernel and userspace when examining SELinux access control denials. The author of the changes, Thiébaud Weksteen, explains the basic functionality:
It is possible to use perf for monitoring the event:
    # perf record -e avc:selinux_audited -g -a
    ^C
    # perf report -g
    [...]
        6.40%     6.40%  audited=800000 tclass=4
                |
                ---__libc_start_main
                   |
                   |--4.60%--__GI___ioctl
                   |          entry_SYSCALL_64
                   |          do_syscall_64
                   |          __x64_sys_ioctl
                   |          ksys_ioctl
                   |          binder_ioctl
                   |          binder_set_nice
                   |          can_nice
                   |          capable
                   |          security_capable
                   |          cred_has_capability.isra.0
                   |          slow_avc_audit
                   |          common_lsm_audit
                   |          avc_audit_post_callback
                   |          avc_audit_post_callback
It is also possible to use the ftrace interface:
    # echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable
    # cat /sys/kernel/debug/tracing/trace
    tracer: nop
    entries-in-buffer/entries-written: 1/1   #P:8
    [...]
               dmesg-3624  .... 13072.325358: selinux_denied: audited=800000 tclass=4
The tclass value can be mapped to a class by searching security/selinux/flask.h. The audited value is a bit field of the permissions described in security/selinux/av_permissions.h for the corresponding class.
- Thiébaud also later added additional attributes and basic filtering support to the new SELinux tracepoints:
This patch adds further attributes to the event. These attributes are helpful to understand the context of the message and can be used to filter the events.
There are three common items: source context, target context and tclass. There are also items from the outcome of the operation performed.
An event is similar to:
    <...>-1309  .... 6346.691689: selinux_audited: requested=0x4000000 denied=0x4000000 audited=0x4000000 result=-13 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
With systems where many denials are occurring, it is useful to apply a filter. The filtering is a set of logic that is inserted with the filter file. Example:
    echo "tclass==\"file\" " > events/avc/selinux_audited/filter
This adds that we only get tclass=file.
The trace can also have extra properties. Adding the user stack can be done with
    echo 1 > options/userstacktrace
Now the output will be:
    runcon-1365  .... 6960.955530: selinux_audited: requested=0x4000000 denied=0x4000000 audited=0x4000000 result=-13 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
    runcon-1365  .... 6960.955560: <user stack trace>
    => <00007f325b4ce45b>
    => <00005607093efa57>
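Below is an added example, not part of the release notes or of Thiébaud's patches: a small Python decoder that takes a selinux_audited trace line in the format shown above and expands its denied and audited bit fields into permission names, using an excerpt in the format of security/selinux/av_permissions.h. The five header values in the excerpt are transcribed for illustration only and should be regenerated from your own kernel tree, since bit positions differ between kernel versions.

```python
import re

# Constructed excerpt in the format of security/selinux/av_permissions.h.
# Bit values depend on the kernel version: regenerate from your own tree.
AV_PERMISSIONS_H = """
#define FILE__EXECUTE                             0x00004000UL
#define FILE__OPEN                                0x00040000UL
#define FILE__EXECUTE_NO_TRANS                    0x02000000UL
#define FILE__ENTRYPOINT                          0x04000000UL
#define CAPABILITY__SYS_NICE                      0x00800000UL
"""
# Sample event, copied from the trace output shown above.
TRACE_LINE = ("<...>-1309  .... 6346.691689: selinux_audited: requested=0x4000000 "
              "denied=0x4000000 audited=0x4000000 result=-13 scontext=system_u:"
              "system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file")

DEFINE_RE = re.compile(r"#define\s+([A-Z0-9_]+?)__([A-Z0-9_]+)\s+0x([0-9A-Fa-f]+)UL")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def load_av_permissions(text):
    """Build {tclass: {bit: perm}} from av_permissions.h-style #define lines."""
    table = {}
    for tclass, perm, value in DEFINE_RE.findall(text):
        table.setdefault(tclass.lower(), {})[int(value, 16)] = perm.lower()
    return table

def parse_event(line):
    """Return the key=value payload of a selinux_audited trace line as a dict."""
    _, sep, payload = line.partition("selinux_audited:")
    if not sep:
        raise ValueError("not a selinux_audited event: %r" % line)
    return dict(FIELD_RE.findall(payload))

def decode_bits(table, tclass, value):
    """Expand a permission bit field into names (lowest bit first); unknown bits stay hex."""
    perms = table.get(tclass, {})
    return [perms.get(1 << i, hex(1 << i))
            for i in range(value.bit_length()) if value & (1 << i)]

def explain(line, table):
    """Decode one event into its contexts, syscall result and named permissions."""
    ev = parse_event(line)
    return {
        "scontext": ev.get("scontext"), "tcontext": ev.get("tcontext"),
        "tclass": ev["tclass"], "result": int(ev.get("result", 0)),
        "denied": decode_bits(table, ev["tclass"], int(ev["denied"], 16)),
        "audited": decode_bits(table, ev["tclass"], int(ev["audited"], 16)),
    }
```

Running explain(TRACE_LINE, load_av_permissions(AV_PERMISSIONS_H)) on the sample line resolves the 0x4000000 denial on class file to the entrypoint permission, which is what the cupsd_t to bin_t event above is about.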
- It is now possible to remove the SELinux label from a file when there is no policy loaded by removing the “security.selinux” extended attribute from the file.
- The “scripts/selinux/mdp” tool in the kernel source tree now generates SELinux policies with policy capabilities enabled.
- Fix the SELinux/InfiniBand PKEY object cache error handling code to properly return an error code on failure.
- Provide a “no sooner” date of June 2021 for the SELinux checkreqprot sysfs deprecation that was first declared in the Linux v5.7 release.
- A small number of trivial fixes, e.g. changing global variables to static declarations, that don’t have any noticeable impact on audit functionality or behavior.