Linux Security Summit North America 2018

The 2018 Linux Security Summit for North America wrapped up a couple of weeks ago and it was once again a big success. This year’s event was our largest to date, with 220 people registered for the conference. Thanks to James Morris and the rest of the program committee, the speakers, the Linux Foundation, and our sponsors - thank you!

Special thanks to Cisco who stepped up at the last minute to sponsor recordings of all the talks this year, available at the link below.

Linux 4.18 Released

Linux v4.18 was released on Sunday, August 12th; this is a quick summary of the SELinux and audit changes.

SELinux

  • Defined a new object class, “xdp_socket”, to support the new express data path functionality and AF_XDP sockets.

  • Enabled SO_PEERSEC, and by extension getpeercon(3), for sockets created by socketpair(2).

  • Fixed a problem where selinuxfs file accesses could be stalled indefinitely due to the SELinux kernel code attempting to access a userspace memory buffer where page faults are handled by the userfaultfd(2) mechanism. The solution is to change the locking approach in the selinuxfs kernel code so that no selinuxfs locks are held when accessing the userspace buffers. For reference, the selinuxfs filesystem is mounted under “/sys/fs/selinux” on most, if not all, Linux distributions.

  • A number of small internal changes related to changes in other Linux Kernel subsystems.

Audit

  • Changed the audit subsystem’s logging policy on SECCOMP events so that it honors the “kernel.seccomp.actions_logged” sysctl and supports the “SECCOMP_FILTER_FLAG_LOG” filter modification and the “SECCOMP_RET_LOG” filter action.
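To show how the three pieces named above fit together, here is an added example (written for this summary; not code from the original post or from the kernel) that installs a seccomp filter returning SECCOMP_RET_LOG for one syscall and passes SECCOMP_FILTER_FLAG_LOG when loading it, so the syscall is logged rather than blocked. Whether a SECCOMP audit record is actually emitted for the "log" action is then up to the kernel.seccomp.actions_logged sysctl, which the program prints from /proc/sys/kernel/seccomp/actions_logged. It assumes Linux UAPI headers from v4.14 or later (which define SECCOMP_RET_LOG and SECCOMP_FILTER_FLAG_LOG) and an x86_64 or aarch64 build; the function names and the small cBPF evaluator are this example's own and only cover the instruction subset the filter uses.

```c
/* Added example, not code from the original post or the kernel: a seccomp
 * filter that logs one syscall instead of blocking it (SECCOMP_RET_LOG plus
 * SECCOMP_FILTER_FLAG_LOG). Whether audit emits a SECCOMP record for "log"
 * is governed by the kernel.seccomp.actions_logged sysctl. Needs v4.14+ UAPI headers. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define FILTER_LEN 7

/* Fill `out` with a 7-instruction cBPF program: kill on arch mismatch,
 * RET_LOG for `logged_nr`, RET_ALLOW for every other syscall. */
void build_log_filter(struct sock_filter out[FILTER_LEN], int logged_nr)
{
    struct sock_filter f[FILTER_LEN] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)logged_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_LOG),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(out, f, sizeof(f));
}

/* Evaluate the cBPF subset used above (LD|W|ABS of arch or nr, JMP|JEQ|K,
 * RET|K) so the filter's decisions can be checked without installing it. */
unsigned int eval_filter(const struct sock_filter *f, size_t len,
                         unsigned int arch, unsigned int nr)
{
    unsigned int acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct sock_filter *i = &f[pc];
        if (BPF_CLASS(i->code) == BPF_LD) {
            acc = (i->k == offsetof(struct seccomp_data, arch)) ? arch : nr;
            pc++;
        } else if (BPF_CLASS(i->code) == BPF_JMP) {
            pc += 1 + (acc == i->k ? i->jt : i->jf);
        } else if (BPF_CLASS(i->code) == BPF_RET) {
            return i->k;
        } else {
            break; /* opcode outside the supported subset */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fail closed */
}

/* Decision the filter built for `logged_nr` makes for `nr` under `arch`. */
unsigned int filter_action(int logged_nr, unsigned int arch, unsigned int nr)
{
    struct sock_filter insns[FILTER_LEN];
    build_log_filter(insns, logged_nr);
    return eval_filter(insns, FILTER_LEN, arch, nr);
}

/* Install the filter with the LOG flag. Returns 0, or -1 with errno set. */
int install_log_filter(int logged_nr)
{
    struct sock_filter insns[FILTER_LEN];
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = insns };
    build_log_filter(insns, logged_nr);
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                        SECCOMP_FILTER_FLAG_LOG, &prog);
}

int main(void)
{
    char actions[128] = "(unreadable)";
    FILE *fp = fopen("/proc/sys/kernel/seccomp/actions_logged", "r");
    if (fp) {
        if (fgets(actions, sizeof(actions), fp)) actions[strcspn(actions, "\n")] = '\0';
        fclose(fp);
    }
    printf("kernel.seccomp.actions_logged = %s\n", actions);
    if (install_log_filter(SYS_getpid) < 0) {
        perror("seccomp");
        return 1;
    }
    /* getpid() still succeeds; with "log" in actions_logged, audit records it. */
    printf("getpid() under the filter: %ld\n", (long)getpid());
    return 0;
}
```

With "log" present in the sysctl's list, each getpid() after installation produces a SECCOMP audit record while the call itself succeeds, which is the point of the "log" action: it lets a sandbox policy be rolled out in an observe-only mode before any syscall is actually denied. Remove "log" from kernel.seccomp.actions_logged and the same filter stays silent, so the sysctl is the first thing to check when expected SECCOMP records are missing.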

  • Enabled the “not equal” comparison operator on executable name filter rules.

  • The FEATURE_CHANGE record is now connected with other associated records, e.g. the SYSCALL record, so that they appear as a single audit record.

  • The MAC_STATUS and MAC_POLICY_LOAD records were normalized to provide a more consistent record format across different SELinux events.

  • Fixed a potential NULL pointer dereference when logging a kernel module name and the system is under extreme memory pressure.

  • A larger than normal number of internal cleanups and interface abstractions, all intended to make upcoming changes easier.

Linux 4.17 Released

Linux v4.17 was released on Sunday, June 3rd; this is a quick summary of the SELinux and audit changes. After a small set of changes in Linux v4.16 we are back to a more normal, perhaps even a bit larger than normal, set of changes in Linux v4.17.

SELinux

  • While we added basic support for SCTP sockets in Linux v4.11, via the “sctp_socket” object class, proper SELinux support for SCTP was not available until this release. Richard Haines was responsible for the development of the SCTP support, and documented the new controls in the Linux Kernel’s “Documentation/security” directory; I encourage you to check out the LSM-sctp.rst and SELinux-sctp.rst files in that directory for more details.
    As a reminder, ensure that your currently loaded SELinux policy has the “extended_socket_class” policy capability enabled before attempting to use the new SELinux SCTP controls.

  • Stephen Smalley submitted a number of patches to encapsulate much of the kernel’s global SELinux state into a number of new data structures. While this was a very large change to the code, none of it should be user visible. It is simply an important piece of housekeeping that paves the way for a number of improvements and new features that are currently under development.

  • Fixed a small bug with setxattr(2) where we were not adequately protecting against malformed file security labels that were written by privileged applications. In addition to Linux v4.17, this fix should also start appearing in the different stable kernel releases; check the changelogs.

  • Various small code cleanups and simplifications.

Audit

  • After being marked as deprecated for several years, the audit “entry” filter was removed from the kernel. The “entry” filter was removed from the audit userspace tools in v2.6.7.

  • Fixed a small bug where creating a session ID audit filter could cause the “arch” field to be misrepresented in the various different audit records.

  • The code which interpreted the “audit=” configuration parameter on the kernel command line was improved to make it more robust and accept a wider range of user input, e.g. both “on” and “off” are now valid options.

  • Fixed a number of issues relating to the auditing of symlinks. The fixes include honoring the current audit enabled status, as well as proper auditing of the related PATH records.

  • Various other small bug fixes, code cleanups, and simplifications.