Changed the LSM network hooks to pass “flowi_common” structs instead of the parent “flowi” struct; the LSMs do not currently need the full “flowi” struct and they do not have the address family information necessary to use it safely.

Fix how we handle errors in “inode_doinit_with_dentry()” so that we attempt to properly label the inode on following lookups instead of continuing to treat the inode as unlabeled.

Update the kernel logic around the SELinux “allowx”, “auditallowx”, and “dontauditx” policy statements such that “auditx” and “dontauditx” are effective even without the “allowx” statement.

A number of smaller changes to mark some LSM hook parameters as constant and fix a “switch” statement fall-through warning in Clang.

A number of changes to how the SELinux policy is loaded and managed inside the kernel with the goal of improving the atomicity of the SELinux policy load operation as well as overall policy lookup performance. Work included better encapsulation of the policy state, improvements to the policy locking, and refactoring both the policy boolean updates and selinuxfs. This was a significant effort spread across multiple patches and multiple developers; a special thanks to everyone who was involved in the development and testing of these changes.

It is possible to use perf for monitoring the event:

# perf record -e avc:selinux_audited -g -a
^C
# perf report -g
[...]
	6.40%     6.40%  audited=800000 tclass=4
		|
		__libc_start_main
		|
		|--4.60%--__GI___ioctl
		|          entry_SYSCALL_64
		|          do_syscall_64
		|          __x64_sys_ioctl
		|          ksys_ioctl
		|          binder_ioctl
		|          binder_set_nice
		|          can_nice
		|          capable
		|          security_capable
		|          cred_has_capability.isra.0
		|          slow_avc_audit
		|          common_lsm_audit
		|          avc_audit_post_callback
		|          avc_audit_post_callback
		|

It is also possible to use the ftrace interface:

# echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable
# cat /sys/kernel/debug/tracing/trace
tracer: nop
entries-in-buffer/entries-written: 1/1   #P:8
[...]
dmesg-3624  [001] 13072.325358: selinux_denied: audited=800000 tclass=4

The tclass value can be mapped to a class by searching security/selinux/flask.h. The audited value is a bit field of the permissions described in security/selinux/av_permissions.h for the corresponding class.

This patch adds further attributes to the event. These attributes are helpful to understand the context of the message and can be used to filter the events.

There are three common items. Source context, target context and tclass. There are also items from the outcome of operation performed.

An event is similar to:

	<...>-1309  [002] ....  6346.691689: selinux_audited:
	requested=0x4000000 denied=0x4000000 audited=0x4000000
	result=-13
	scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
	tcontext=system_u:object_r:bin_t:s0 tclass=file

With systems where many denials are occurring, it is useful to apply a filter. The filtering is a set of logic that is inserted with the filter file. Example:

echo "tclass==\"file\" " > events/avc/selinux_audited/filter

This adds that we only get tclass=file.

The trace can also have extra properties. Adding the user stack can be done with

echo 1 > options/userstacktrace

Now the output will be:

	runcon-1365  [003] ....  6960.955530: selinux_audited:
	requested=0x4000000 denied=0x4000000 audited=0x4000000
	result=-13
	scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
	tcontext=system_u:object_r:bin_t:s0 tclass=file
	runcon-1365  [003] ....  6960.955560: <user stack trace>
=>  <00007f325b4ce45b>
=>  <00005607093efa57>

It is now possible to remove the SELinux label from a file when there is no policy loaded by removing the “security.selinux” extended attribute from the file.

The “scripts/selinux/mdp” tool in the kernel source tree now generates SELinux policies with policy capabilities enabled.

Fix the SELinux/InfiniBand PKEY object cache error handling code to properly return an error code on failure.

This patch does for ‘getxattr’ what commit 3e3e24b42043 (“selinux: allow labeling before policy is loaded”) did for ‘setxattr’; it allows querying the current SELinux label on disk before the policy is loaded.

One of the motivations described in that commit message also drives this patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be able to move the root filesystem for example, from xfs to ext4 on RAID, on first boot, at initrd time.

Because such an operation works at the filesystem level, we need to be able to read the SELinux labels first from the original root, and apply them to the files of the new root. The previous commit enabled the second part of this process; this commit enables the first part.

With this patch, I measured a speed up in the following areas (measured on x86_64 F32 VM with 4 CPUs):

1. Policy load (‘load_policy’) - takes ~150 ms instead of ~230 ms.
2. ‘chcon -R unconfined_u:object_r:user_tmp_t:s0:c381,c519 /tmp/linux-src’ where /tmp/linux-src is an extracted linux-5.7 source tarball - takes ~522 ms instead of ~576 ms. This is because of many symtab_search() calls in string_to_context_struct() when there are many categories specified in the context.
3. ‘stress-ng –msg 1 –msg-ops 10000000’ - takes 12.41 s instead of 13.95 s (consumes 18.6 s of kernel CPU time instead of 21.6 s). This is thanks to security_transition_sid() being ~43% faster after this patch.

Added support for the CAP_CHECKPOINT_RESTORE capability in the “capability2” object class as “checkpoint_restore”.

Fixed a problem where error messages were not properly logged when the required “process” object class, “transition” permission, or “dyntransition” permission were missing from the policy being loaded into the kernel.

In environments where the preservation of audit events and predictable usage of system memory are prioritized, admins may use a combination of –backlog_wait_time and -b options at the risk of degraded performance resulting from backlog waiting. In some cases, this risk may be preferred to lost events or unbounded memory usage. Ideally, this risk can be mitigated by making adjustments when backlog waiting is detected.

However, detection can be difficult using the currently available metrics. For example, an admin attempting to debug degraded performance may falsely believe a full backlog indicates backlog waiting. It may turn out the backlog frequently fills up but drains quickly.

To make it easier to reliably track degraded performance to backlog waiting, this patch makes the following changes:

Add a new field backlog_wait_time_total to the audit status reply. Initialize this field to zero. Add to this field the total time spent by the current task on scheduled timeouts while the backlog limit is exceeded. Reset field to zero upon request via AUDIT_SET.

Fixed a problem where the LSM_AUDIT_DATA_* records were not causing the CWD record to be generated. Prior to this fix, administrators could find it difficult to piece together a complete audit event in some situations.