Linux 5.15 Released

Linux v5.15 was released on Sunday, October 31st - Happy Halloween! - the SELinux and audit highlights are below:

SELinux

  • In Linux v5.13 we fixed a problem where the LSM hooks were not properly differentiating between the subjective and objective LSM credentials. Unfortunately that fix was not correct in a number of areas, especially when referencing the credentials of a task other than the one currently executing. We’ve fixed this in v5.15 and the patch should find its way into the currently supported upstream stable trees (I believe the patch has already been backported at the time of writing).

  • Support was added, via the “mctp_socket” object class, for the Management Component Transport Protocol (MCTP).

  • A small improvement was made for SELinux operations on systems when audit is not enabled.

Audit

  • Fixed a problem where the AUDIT_TRIM command, e.g. auditctl -t, could cause a file watch reference counting error that could in turn lead to a kernel use-after-free. As the AUDIT_TRIM command typically requires elevated privileges, the risk of malicious unprivileged users triggering this bug is low.

  • Fixed a potential NULL pointer dereference when performing the in-kernel audit filtering.

Linux 5.14 Released

Linux v5.14 was released on Sunday, August 29th; the SELinux and audit highlights are below:

SELinux

  • Remove some limitations in the inode permission check code so that the kernel can update the SELinux Access Vector Cache (AVC) even in cases where it is not allowed to block the caller. This should result in fewer slow-path permission lookups and better use of the SELinux AVC.

  • Fixed a problem where an invalid initial SID did not correctly return an error to userspace when a policy was loaded into the kernel.

  • Memory allocation failures when updating the SELinux AVC no longer generate kernel warnings when the kernel is configured to generate failed allocation warnings. These failures are not fatal in any way (the AVC is a cache, after all), but on some memory constrained systems the warnings can quickly fill the logs in certain configurations.

  • Minor improvements to the InfiniBand and policy DB string handling code which should result in better code quality and performance.

  • Minor code cleanups involving unused function parameters, kernel documentation fixes, and removal of redundant code.

Audit

  • Rename the enumerated type values used to indicate the audit state as the existing values collided with other names in the kernel.

  • Various minor style fixes to the audit code to better fit with existing kernel coding conventions.

Linux 5.13 Released

Linux v5.13 was released on Sunday, June 27th; the SELinux and audit highlights are below:

SELinux

  • Linux v5.12 added basic SELinux policy measurements to IMA, and with this kernel release support for measuring the SELinux state variables and policy capabilities has been added. Lakshmi Ramasubramanian goes into detail in the commit description:

    SELinux stores the configuration state and the policy capabilities in kernel memory. Changes to this data at runtime would have an impact on the security guarantees provided by SELinux. Measuring this data through IMA subsystem provides a tamper-resistant way for an attestation service to remotely validate it at runtime.

    Measure the configuration state and policy capabilities by calling the IMA hook ima_measure_critical_data().

    To enable SELinux data measurement, the following steps are required:

    1. Add “ima_policy=critical_data” to the kernel command line arguments to enable measuring SELinux data at boot time. For example:
      BOOT_IMAGE=/boot/vmlinuz-5.11.0-rc3+ root=UUID=fd643309-a5d2-4ed3-b10d-3c579a5fab2f ro nomodeset security=selinux ima_policy=critical_data

    2. Add the following rule to /etc/ima/ima-policy
      measure func=CRITICAL_DATA label=selinux

    Sample measurement of SELinux state and policy capabilities:

    10 2122...65d8 ima-buf sha256:13c2...1292 selinux-state 696e...303b

    Execute the following command to extract the measured data from the IMA’s runtime measurements list:

    grep "selinux-state" /sys/kernel/security/integrity/ima/ascii_runtime_measurements | tail -1 | cut -d' ' -f 6 | xxd -r -p

    The output should be a list of key-value pairs. For example:

    initialized=1;enforcing=0;checkreqprot=1;network_peer_controls=1;open_perms=1;extended_socket_class=1;always_check_network=0;cgroup_seclabel=1;nnp_nosuid_transition=1;genfs_seclabel_symlinks=0;

    To verify the measurement is consistent with the current SELinux state reported on the system, compare the integer values in the following files with those set in the IMA measurement (using the following commands):

    cat /sys/fs/selinux/enforce
    cat /sys/fs/selinux/checkreqprot
    cat /sys/fs/selinux/policy_capabilities/[capability_file]

    Note that the actual verification would be against an expected state and done on a separate system (likely an attestation server) requiring

    initialized=1;enforcing=1;checkreqprot=0;

    for a secure state and then whatever policy capabilities are actually set in the expected policy (which can be extracted from the policy itself via seinfo, for example).

  • Fix a problem with SELinux/NFS where the SELinux security context was not properly considered when NFS made a decision to share a filesystem superblock. Olga Kornievskaia explains how this problem could manifest itself in the commit description:

    Previously, with selinux enabled, NFS wasn’t able to do the following 2 mounts:

    mount -o vers=4.2,sec=sys,context=system_u:object_r:root_t:s0 <serverip>:/ /mnt
    mount -o vers=4.2,sec=sys,context=system_u:object_r:swapfile_t:s0 <serverip>:/scratch /scratch

    2nd mount would fail with “mount.nfs: an incorrect mount option was specified” and /var/log/messages would have: “SElinux: mount invalid. Same superblock, different security settings for..”

  • Fix a problem where the LSM hooks did not properly differentiate between the subjective and objective LSM credentials. The existing “security_task_getsecid()” LSM hook provides the task’s objective LSM credentials despite many callers expecting the subjective LSM credentials. The solution is to split the existing LSM hook into two new hooks, one for each credential type, and adjust the callers as appropriate. The new LSM hooks are named “security_task_getsecid_subj()” and “security_task_getsecid_obj()”; the “security_task_getsecid()” hook has been removed.

  • Fix a problem preventing overlayfs context mounts in an unprivileged namespace.

  • Fix a problem where we were not properly terminating the kernel internal permission list for two SELinux object classes, “bpf” and “perf_event”.

  • A number of spelling corrections in the kernel source comments.
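The attestation-side verification that the IMA measurement steps above describe, written as an added example (not code from the post, the commit, or the kernel): it parses one selinux-state line in the ascii_runtime_measurements format shown, checks that the recorded ima-buf digest matches the hex buffer, and compares the key-value pairs against the expected secure state. The sample line is constructed; the template hash in it is a placeholder.

```python
import hashlib

# Constructed sample: the key=value list from the post, set to the secure
# values (enforcing=1, checkreqprot=0), as it would sit in the "buf" field.
SELINUX_STATE = (
    b"initialized=1;enforcing=1;checkreqprot=0;network_peer_controls=1;"
    b"open_perms=1;extended_socket_class=1;always_check_network=0;"
    b"cgroup_seclabel=1;nnp_nosuid_transition=1;genfs_seclabel_symlinks=0;"
)

# Expected state for attestation: the secure triple from the post plus the
# policy capabilities the expected policy is assumed to enable.
EXPECTED = {"initialized": 1, "enforcing": 1, "checkreqprot": 0,
            "open_perms": 1, "cgroup_seclabel": 1}


def make_sample_line(state):
    """Build a constructed ascii_runtime_measurements line:
    PCR, template hash (placeholder zeros), template, buffer digest, name, hex buffer."""
    digest = hashlib.sha256(state).hexdigest()
    return f"10 {'00' * 20} ima-buf sha256:{digest} selinux-state {state.hex()}"


def parse_selinux_state(line):
    """Return (digest_ok, state dict) for a selinux-state entry, or None if the
    line is some other measurement."""
    fields = line.split()
    if len(fields) != 6 or fields[2] != "ima-buf" or fields[4] != "selinux-state":
        return None
    algo, _, digest = fields[3].partition(":")
    buf = bytes.fromhex(fields[5])
    # ima-buf records the digest of the measured buffer; recompute and compare.
    digest_ok = hashlib.new(algo, buf).hexdigest() == digest
    state = {}
    for pair in buf.decode().split(";"):
        if pair:
            key, _, value = pair.partition("=")
            state[key] = int(value)
    return digest_ok, state


def check_state(line, expected):
    """Return a list of problems; an empty list means the measurement attests
    the expected state."""
    parsed = parse_selinux_state(line)
    if parsed is None:
        return ["not a selinux-state measurement"]
    digest_ok, state = parsed
    problems = [] if digest_ok else ["buffer digest mismatch"]
    for key, want in expected.items():
        got = state.get(key)
        if got != want:
            problems.append(f"{key}: expected {want}, got {got}")
    return problems
```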

Audit

  • Remove some unused code related to the audit syscall entry filters which were removed in Linux v4.17, over three years ago.

  • Fix some compiler warnings when audit is disabled at kernel build time.

  • Minor kernel documentation updates regarding the audit related files in procfs.