15 Jul 2024 tags: audit lsm selinux

Linux v6.10 was released on Sunday, July 14th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window; however, there were additional changes that went in during the release candidate process, which are described below.
LSM

- Resolve a potential kernel panic caused by blocking allocations in the IMA code while in an RCU critical section. The blocking allocation causes a premature end to the critical section, which can result in a use-after-free fault in some situations.
- Improvements to the extended attribute (xattr) copy-up code to allow LSMs to decide if an xattr should be copied up based on a combination of the xattr name and context. Previously LSMs were limited to making copy-up decisions based solely on the xattr name. This should allow for better LSM support on composite filesystems such as overlayfs.
In addition to my highlights, LWN.net provides a nice overall summary of the kernel changes made during the first and second weeks of the merge window.
20 May 2024 tags: audit lsm selinux

Linux v6.9 was released last week, with the Linux v6.10 merge window opening immediately afterwards. Below are the highlights of the LSM and SELinux pull requests which have been merged into Linus’ tree. Due to the lack of audit patches queued for Linux v6.10, there is no audit pull request planned for this merge window.
LSM

- Minor cross-LSM update to remove empty sentinel values from the ctl_table arrays.
- Minor updates to the LSM, or “LINUX SECURITY SUBSYSTEM”, entry in the kernel’s MAINTAINERS file to more accurately reflect the LSM files.
SELinux

- Attempt to pre-allocate the SELinux status page so it doesn’t appear to userspace, via the SELinux netlink socket or the getpolicyload tool, that we are skipping SELinux policy sequence numbers.
- Additional error checking for SELinux policy bitmaps at policy load time; invalid bitmaps will result in a failed policy load and an error returned to the user.
- Improve the consistency of variable types used to represent SELinux policy bitmap offsets; the u32 type is now used everywhere. We also corrected a number of printk() format specifiers used when displaying bitmap information.
- Improve the SELinux symbol table hashing function performance and distribution by moving to the djb2a hash function.
- Added additional debug statistics for the conditional rules access vectors, role transitions, object class, and common permission hash tables.
- Minor cleanups and improvements as well as improved error handling in multiple SELinux internal kernel functions.
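The symbol table item above names djb2a as the new hash. The program below is an added example written for this post, not kernel code: it implements djb2a as publicly defined (Bernstein's hash, seed 5381, multiply by 33, XOR in each byte), keeps the additive djb2 alongside it for comparison, and tabulates chain lengths over a constructed list of policy-style symbol names, which is the kind of distribution check the rationale refers to. The helper names, the 32-bucket table size, and the symbol list are all assumptions; the kernel's real symbol tables size themselves from the policy.

```c
/* Added example, not kernel code: djb2a as used for symbol-table hashing,
 * the classic djb2 for comparison, and a bucket-occupancy check over a
 * constructed list of policy-style symbol names. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* djb2a: h = 5381; per byte c: h = (h * 33) ^ c.  Bytes are read as
 * unsigned so non-ASCII symbol names hash identically on all platforms. */
static uint32_t djb2a(const char *s)
{
	uint32_t h = 5381;
	for (const unsigned char *p = (const unsigned char *)s; *p; p++)
		h = ((h << 5) + h) ^ *p;
	return h;
}

/* Classic djb2 (additive variant), kept only to compare distributions. */
static uint32_t djb2(const char *s)
{
	uint32_t h = 5381;
	for (const unsigned char *p = (const unsigned char *)s; *p; p++)
		h = ((h << 5) + h) + *p;
	return h;
}

/* Slot a symbol would occupy in a table of nbuckets chains. */
static uint32_t symbol_bucket(const char *name, uint32_t nbuckets)
{
	return djb2a(name) % nbuckets;
}

/* Count how many names land in each bucket under the given hash and
 * return the longest chain (1 means no collisions at all). */
static uint32_t bucket_loads(uint32_t (*hash)(const char *),
			     const char *const *names, size_t n,
			     uint32_t nbuckets, uint32_t *counts)
{
	uint32_t worst = 0;
	memset(counts, 0, nbuckets * sizeof *counts);
	for (size_t i = 0; i < n; i++) {
		uint32_t b = hash(names[i]) % nbuckets;
		if (++counts[b] > worst)
			worst = counts[b];
	}
	return worst;
}

/* Constructed sample shaped like SELinux types, classes and permissions. */
static const char *const sample_symbols[] = {
	"unconfined_t", "init_t", "kernel_t", "sshd_t", "httpd_t",
	"user_home_t", "etc_t", "bin_t", "tmp_t", "var_log_t",
	"file", "dir", "process", "tcp_socket", "unix_stream_socket",
	"read", "write", "execute", "getattr", "connect",
};
#define SAMPLE_COUNT (sizeof sample_symbols / sizeof sample_symbols[0])
#define NBUCKETS 32u

int main(void)
{
	uint32_t counts[NBUCKETS];
	uint32_t worst = bucket_loads(djb2a, sample_symbols, SAMPLE_COUNT, NBUCKETS, counts);
	printf("djb2a: longest chain %u for %zu symbols in %u buckets\n",
	       worst, (size_t)SAMPLE_COUNT, NBUCKETS);
	worst = bucket_loads(djb2, sample_symbols, SAMPLE_COUNT, NBUCKETS, counts);
	printf("djb2:  longest chain %u\n", worst);
	printf("\"unconfined_t\" -> bucket %u\n", symbol_bucket("unconfined_t", NBUCKETS));
	return 0;
}
```

The only difference between the two functions is the XOR versus the addition in the inner step; feeding both the same name list and comparing the longest chain is a quick way to see why a policy with thousands of similarly suffixed type names benefits from the change.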
17 May 2024 tags: audit lsm selinux

Linux v6.9 was released on Sunday, May 12th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window; however, there were additional changes that went in during the release candidate process, which are described below.
LSM

- Change the size_t parameter types in the new LSM syscalls to u32 to avoid differences between 32-bit and 64-bit systems. This change was backported to the Linux v6.8 stable kernel.
- Fix a problem where passing a NULL buffer into the lsm_get_self_attr(2) syscall via the ctx parameter resulted in an error. Passing a NULL buffer should result in success, with the minimum necessary buffer size returned to the caller via the size parameter.
- Fix a problem caused during the IMA and EVM LSM promotion that could result in a kernel panic during certain mknod(2) operations.
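The NULL-buffer fix and the u32 size parameter described above are what make the usual probe-then-allocate pattern for lsm_get_self_attr(2) work. The program below is an added example for this post, not kernel or page code: it calls the syscall once with a NULL ctx to learn the required size, allocates exactly that, fetches the records, and walks them with explicit bounds checks before printing anything. The helper names, the local copy of the struct lsm_ctx layout (mirroring the uapi <linux/lsm.h> definition so the file builds with older kernel headers), and the constructed records used to exercise the walker are assumptions; the live calls need a v6.8 or later kernel and return -ENOSYS elsewhere.

```c
/* Added example, not kernel or page code: probe-then-allocate use of
 * lsm_get_self_attr(2) plus a bounds-checked walk of the reply. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>

/* Local copy of the uapi struct lsm_ctx layout: four u64 fields then ctx[]. */
struct lsm_ctx {
	uint64_t id;
	uint64_t flags;
	uint64_t len;
	uint64_t ctx_len;
	uint8_t  ctx[];
};
#ifndef LSM_ATTR_CURRENT
#define LSM_ATTR_CURRENT 100
#endif
#ifndef __NR_lsm_get_self_attr
#define __NR_lsm_get_self_attr 459	/* same number on every architecture */
#endif
long syscall(long number, ...);	/* explicit prototype in case feature macros hid it */

/* Probe with ctx == NULL and *size == 0 (the fixed kernel then reports the
 * size it needs instead of failing), allocate exactly that, and fetch.
 * Returns the record count the kernel reports (>= 0) or -errno. */
static int lsm_fetch_self_attr(unsigned int attr, void **buf_out, uint32_t *size_out)
{
	uint32_t size = 0;	/* u32, matching the syscall's parameter type */
	if (syscall(__NR_lsm_get_self_attr, attr, (struct lsm_ctx *)NULL, &size, 0U) < 0)
		return -errno;
	void *buf = calloc(1, size ? size : 1);
	if (!buf)
		return -ENOMEM;
	long n = syscall(__NR_lsm_get_self_attr, attr, buf, &size, 0U);
	if (n < 0) {
		int rc = -errno;
		free(buf);
		return rc;
	}
	*buf_out = buf;
	*size_out = size;
	return (int)n;
}

/* Walk consecutive records, refusing any whose len or ctx_len runs past
 * the buffer.  Returns the record count, or -1 if the buffer is malformed. */
static int lsm_ctx_count(const void *buf, uint32_t size)
{
	const uint8_t *p = buf, *end = p + size;
	int count = 0;
	while (p < end) {
		if ((size_t)(end - p) < sizeof(struct lsm_ctx))
			return -1;
		const struct lsm_ctx *c = (const struct lsm_ctx *)p;
		if (c->len < sizeof *c || c->len > (uint64_t)(end - p) ||
		    c->ctx_len > c->len - sizeof *c)
			return -1;
		p += c->len;
		count++;
	}
	return count;
}

/* Build one constructed record (id plus NUL-terminated string, len rounded
 * up to 8 as the kernel does) into buf; returns bytes written, 0 if no room. */
static size_t lsm_ctx_build(uint8_t *buf, size_t cap, uint64_t id, const char *s)
{
	size_t ctx_len = strlen(s) + 1;
	size_t len = (sizeof(struct lsm_ctx) + ctx_len + 7) & ~(size_t)7;
	if (len > cap)
		return 0;
	struct lsm_ctx hdr = { .id = id, .flags = 0, .len = len, .ctx_len = ctx_len };
	memset(buf, 0, len);
	memcpy(buf, &hdr, sizeof hdr);
	memcpy(buf + sizeof hdr, s, ctx_len);
	return len;
}

int main(void)
{
	void *buf = NULL;
	uint32_t size = 0;
	int n = lsm_fetch_self_attr(LSM_ATTR_CURRENT, &buf, &size);
	int parsed = n < 0 ? n : lsm_ctx_count(buf, size);
	if (parsed < 0) {
		fprintf(stderr, "lsm_get_self_attr: %s\n", n < 0 ? strerror(-n) : "malformed reply");
		free(buf);
		return 1;
	}
	const uint8_t *p = buf;
	for (int i = 0; i < parsed; i++) {
		const struct lsm_ctx *c = (const struct lsm_ctx *)p;
		printf("lsm id %llu: %.*s\n", (unsigned long long)c->id, (int)c->ctx_len, (const char *)c->ctx);
		p += c->len;
	}
	free(buf);
	return 0;
}
```

The walk in lsm_ctx_count is the part worth keeping in any consumer of this syscall: the reply is a run of variable-length records, so a reader that trusts each record's len field without checking it against the bytes actually returned will read past its buffer on a truncated or inconsistent reply.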
SELinux

- Fix a problem where a failed selinuxfs mount could result in an invalid memory access.
In addition to my highlights, LWN.net provides a nice overall summary of the kernel changes made during the first and second weeks of the merge window.