Linux 6.13 Merge Window

19 Dec 2024 tags: audit lsm selinux

This post is a bit later than normal, my apologies for that, but Linux v6.12 was released on Sunday, November 17th with the Linux v6.13 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and Audit pull requests which have been merged into Linus’ tree.

LSM

• Start the process of moving away from the existing secid integer LSM identifier in the kernel towards a richer lsm_prop structure. This change will enable us to remove some of the translation steps that are necessary in many LSMs when interacting with the rest of the Linux kernel, and should make is easier to support different LSMs in the future.

• Decouple the fsnotify subsystem from the LSM, allowing the two subsystems to be selected independently from one another when building the Linux kernel.

SELinux

• In Linux v4.3 we introduced the concept of “extended permissions” to enable SELinux to enforce access controls on individual ioctl(2) commands. Starting in Linux v6.13 administrators will now also be able to use the extended permission functionality to enforce access controls on individual netlink(7) messages. Thiébaud Weksteen, the patch’s author, provides some additional information and examples in the commit description:

  Reuse the existing extended permissions infrastructure to support policies based on the netlink message types.

  A new policy capability “netlink_xperm” is introduced. When disabled, the previous behaviour is preserved. That is, netlink_send will rely on the permission mappings defined in nlmsgtab.c (e.g, nlmsg_read for RTM_GETADDR on NETLINK_ROUTE). When enabled, the mappings are ignored and the generic “nlmsg” permission is used instead.

  The new “nlmsg” permission is an extended permission. The 16 bits of the extended permission are mapped to the nlmsg_type field.

  Example policy on Android, preventing regular apps from accessing the device’s MAC address and ARP table, but allowing this access to privileged apps, looks as follows:

  allow netdomain self:netlink_route_socket {
  create read getattr write setattr lock append connect getopt
  setopt shutdown nlmsg
  };
  allowxperm netdomain self:netlink_route_socket nlmsg ~{
  RTM_GETLINK RTM_GETNEIGH RTM_GETNEIGHTBL
  };
  allowxperm priv_app self:netlink_route_socket nlmsg {
  RTM_GETLINK RTM_GETNEIGH RTM_GETNEIGHTBL
  };
  

  The constants in the example above (e.g., RTM_GETLINK) are explicitly defined in the policy.

  It is possible to generate policies to support kernels that may or may not have the capability enabled by generating a rule for each scenario. For instance:

  allow domain self:netlink_audit_socket nlmsg_read;
  allow domain self:netlink_audit_socket nlmsg;
  allowxperm domain self:netlink_audit_socket nlmsg { AUDIT_GET };
  

  The approach of defining a new permission (“nlmsg”) instead of relying on the existing permissions (e.g., “nlmsg_read”, “nlmsg_readpriv” or “nlmsg_tty_audit”) has been preferred because:

  1. This is similar to the other extended permission (“ioctl”);
  2. With the new extended permission, the coarse-grained mapping is not necessary anymore. It could eventually be removed, which would be impossible if the extended permission was defined below these.
  3. Having a single extra extended permission considerably simplifies the implementation here and in libselinux.

• The “/sys/fs/selinux/user” interface has been marked as deprecated in the kernel. The deprecation notice provides some additional information:

  The selinuxfs “user” node allows userspace to request a list of security contexts that can be reached for a given SELinux user from a given starting context. This was used by libselinux when various login-style programs requested contexts for users, but libselinux stopped using it in 2020. Kernel support will be removed no sooner than Dec 2025.

• Cleaned the SELinux build scripts and tooling. We relocated the “genheaders” tool to the “security/selinux” directory and corrected our usage of kernel headers to make it easier to build the Linux kernel on different systems.

Audit

• Minor cleanups involving corrections to the kdoc function parameters and increased usage of the str_yes_no() kernel helper function.