Linux Security Summit North America 2019

The 2019 Linux Security Summit for North America was held a few weeks ago in late August in San Diego and it once again proved to be a great technical conference for those interested in Linux security. Thanks to the speakers, program committee, the Linux Foundation, and the sponsors for making this happen!

Linux 5.2 Released

This post is a bit later than usual due to vacation, but Linux v5.2 was released on Sunday, July 7, 2019. The SELinux and audit highlights are below:

SELinux

  • Add proper per-file SELinux support for kernfs based filesystems such as cgroupfs. This is particularly interesting for container orchestrators that want to make use of cgroups with greater levels of SELinux access control granularity.

  • Change how we record raw SELinux labels in the audit log. Starting with Linux v5.1, when we encounter an invalid SELinux label we record the label using the “trawcon” field in the audit log; beginning in Linux v5.2 we treat these raw labels as untrusted and hex encode them.

  • A change was made to disallow changing the LSM credentials via /proc/self/attr when the task’s credentials are overridden. This should help ensure the integrity of the task’s credentials and shouldn’t be noticeable to normal users or applications.

  • A number of improvements were made to the MDP (Make Dummy Policy) tool which is included in the kernel source tree. While the MDP generated SELinux policy remains more of a demonstration policy than a useful, minimal policy, this work brings the MDP policy up to date so that it should work on a modern SELinux system. Those wishing to play with the MDP policy should be sure to boot their system in permissive mode first to verify that everything works as expected. Unfortunately I mistakenly attributed these changes to Linux v5.1, including them in the v5.1 highlights, but they didn’t ship until Linux v5.2.

  • Fix a problem where connect(AF_UNSPEC) on TCP sockets was broken, returning EAFNOSUPPORT instead of disconnecting the socket. This was broken back in Linux v4.17 by commit 68741a8adab9 (“selinux: Fix ltp test connect-syscall failure”), but unfortunately the breakage wasn’t noticed until recently.

  • Fix a number of smaller bugs and compiler warnings found by clang, KASAN, and KMSAN.

Audit

  • Enable auditing of changes to the system time either via the clock management syscalls or through changes to the kernel’s NTP parameters. Changes to the clock via management syscalls will generate a new TIME_INJOFFSET record that looks like the following:
    type=TIME_INJOFFSET msg=audit(1530616049.652:13): sec=-16 nsec=124887145

    Changes to the NTP parameters will generate a new TIME_ADJNTPVAL record that contains an “op” field indicating the parameter being adjusted, as well as “old” and “new” fields giving the parameter’s value before and after the change. An example of a TIME_ADJNTPVAL record can be seen below:

    type=TIME_ADJNTPVAL msg=audit(1530616044.507:7): op=status old=64 new=8256

  • We continue to associate standalone audit records with other related records. In this release we associate the LOGIN record with other related records into a single audit event.

  • A number of internal kernel changes to enable the PTRACE_GET_SYSCALL_INFO work. While not strictly audit related, these changes do get us closer to enabling syscall auditing for all of the supported Linux hardware platforms.

  • Fix potential memory leaks related to logging kernel module loads and the filesystem watches.

  • Fix some minor warnings found by the sparse tool.
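The following is an added example, not code from the post or from the kernel: a small Python parser for the record formats shown above (TIME_INJOFFSET, TIME_ADJNTPVAL, and the AVC “trawcon” field), including the v5.2 hex encoding of untrusted raw labels. The sample log is constructed for the example; the field names are the ones the post quotes, and the hex-encoded line assumes the kernel's usual untrusted-string convention (hex-encoded and unquoted when the value contains an unsafe byte, quoted otherwise).

```python
import re
# Constructed sample log for this example. The first three lines mirror the
# record formats quoted in the post (v5.1-style unquoted trawcon); the last is
# constructed to show the v5.2 behaviour: an untrusted raw label containing an
# unsafe byte (here a space) is logged hex-encoded and unquoted.
SAMPLE_LOG = """\
type=TIME_INJOFFSET msg=audit(1530616049.652:13): sec=-16 nsec=124887145
type=TIME_ADJNTPVAL msg=audit(1530616044.507:7): op=status old=64 new=8256
type=AVC msg=audit(1547801083.248:11): avc: denied { open } for pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=1 trawcon=system_u:object_r:banana_t:s0
type=AVC msg=audit(1560000000.100:42): avc: denied { read } for pid=2200 comm="cat" path="/tmp/other" dev="tmpfs" ino=7001 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=0 trawcon=73797374656D5F753A6F626A6563745F723A626164206C6162656C5F743A7330
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')
# Only fields the kernel logs as untrusted strings may be hex-decoded (old=64 is a number).
UNTRUSTED_FIELDS = {"comm", "path", "trawcon"}

def decode_untrusted(raw: str) -> str:
    """Quoted values are literal; unquoted all-hex values are hex-encoded."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw  # v5.1-style raw value, logged as-is

def parse_record(line: str) -> dict:
    """Parse one audit record into a dict, adding the event timestamp/serial."""
    rec = {}
    for key, raw in FIELD_RE.findall(line):
        rec[key] = decode_untrusted(raw) if key in UNTRUSTED_FIELDS else raw.strip('"')
    m = EVENT_RE.search(line)
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), int(m.group(2))
    return rec

def review(log: str) -> list:
    """Return (serial, summary) for clock steps, NTP parameter changes and
    AVC records that carry an invalid (raw) label."""
    findings = []
    for rec in map(parse_record, log.splitlines()):
        t = rec.get("type")
        if t == "TIME_INJOFFSET":
            findings.append((rec["serial"], f"clock stepped by {rec['sec']}s {rec['nsec']}ns"))
        elif t == "TIME_ADJNTPVAL":
            findings.append((rec["serial"], f"ntp {rec['op']} changed {rec['old']} -> {rec['new']}"))
        elif t == "AVC" and "trawcon" in rec:
            findings.append((rec["serial"], f"invalid label {rec['trawcon']!r} on {rec.get('path')}"))
    return findings
```

Running `review(SAMPLE_LOG)` yields one finding per record, with the hex-encoded label decoded back to its original text so that v5.1 and v5.2 records can be reviewed the same way.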

Linux 5.1 Released

Linux v5.1 was released on Sunday, May 5th, 2019. Below are the SELinux and audit highlights for the release:

SELinux

  • If SELinux is asked to perform an access control check on a file with an invalid SELinux label, the invalid label is now recorded in the SELinux AVC audit record using the “trawcon” field. An example is shown below:
    type=AVC msg=audit(1547801083.248:11): avc: denied { open } for pid=1149
    comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608
    scontext=system_u:system_r:sshd_t:s0
    tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
    permissive=1 trawcon=system_u:object_r:banana_t:s0

  • Support was added for proper labeling of kernfs based filesystems. This is of particular interest to those running containers as the cgroup2 filesystem is based on kernfs.

  • A number of changes throughout the SELinux code to support the newly added LSM stacking code. While this is a rather significant change to the LSM layer, it should have little effect on existing systems as long as the administrator does not enable the LSM stacking functionality.

  • The constant sized flex_array structures were converted to use vmalloc allocated memory. Since these were constant sized arrays the flex_array mechanism only added unnecessary complexity.

  • The SELinux VFS code was updated to use the new internal kernel mounting API. This should have no visible impact to users, administrators, or policy developers.

  • Fix a problem with labeled NFS where mounting a NFS filesystem twice would result in disabling support for the SELinux labels.

  • Fix a problem where SELinux file access control denials might not have been logged when in permissive mode.

  • A few smaller bug fixes not worth mentioning here, but which are still visible in the git log for those who are interested.

Audit

  • The CONFIG_CHANGE records are now associated with other relevant records into a single audit event. Prior to this change the CONFIG_CHANGE records were always standalone records in their own audit event.

  • An “op” field was added to the “lock” and “set” CONFIG_CHANGE records. This should help provide some needed context for the audit event.

  • The filesystem type filter was expanded and now applies to all of the inode auditing code.

  • File capabilities are no longer recorded when unmounting a filesystem. This prevents a potential hang when unmounting a filesystem, and due to the nature of the unmount operation it should have little practical impact on the data recorded in the audit log.

  • Added support for file capabilities version 3.

UPDATE: Moved the MDP improvements to Linux v5.2, they were mistakenly included in the Linux v5.1 notes.