05 Jul 2017 tags: audit selinux

Linux v4.12 was released this past weekend on Sunday, July 2nd; this is a quick summary of the SELinux and audit changes.
SELinux
- A new SELinux access control check was added for prlimit(2). This new access control is intended to allow SELinux policy developers the ability to control when one process attempts to read or modify another process’ resource limits using the “process:{ setrlimit getrlimit }” permissions. SELinux does not restrict a process from manipulating its own resource limits via prlimit(2).
- Reorder the CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH capability checks in the internal “generic_permission()” function so that CAP_DAC_OVERRIDE is checked after CAP_DAC_READ_SEARCH. This ensures that CAP_DAC_OVERRIDE is only checked for operations where it is required.
- Constify the kernel’s internal netlink message permission mapping tables to help prevent unwanted tampering.
- Clean up the kernel’s internal network address handling in the SELinux bind(2) hook by ensuring that the address length is correct for the address family.
- Multiple kernel internal cleanups and simplifications.
Audit
- Log the name of the kernel module, via the KERN_MODULE record, when the module is removed from the kernel. See the GitHub feature page for more information.
- Simplify and normalize the NETFILTER_PKT record to make it easier to parse in userspace and to enable future enhancement if needed. The new record includes the netfilter mark, via “mark”, the source address, via “saddr”, the destination address, via “daddr”, and the upper layer protocol, via “proto”.
- Replace the audit subsystem’s audit_buffer management mechanism with the standard kmem_cache mechanism. This simplifies the kernel’s audit code and should provide for better runtime memory management.
- Convert a number of atomic_t reference counters to refcount_t. This change should help guard against reference count overflows in the audit subsystem.
- Convert the audit subsystem in the kernel to use 64-bit timestamps. This should make the audit subsystem year 2038 safe.
- Convert the kernel’s auditd PID tracking to use the pid struct and not the pid_t scalar type.
- All audit netlink messages sent by the kernel now use a netlink port ID value of zero. This brings audit in line with the netlink specification.
- Fix some problems with the RCU locking relating to auditd connection tracking. With any luck this should be the last of the auditd connection tracking fixes for a while.
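The normalized NETFILTER_PKT record described above is simple enough to parse without the audit userspace library. The following is an added example, not code from this post or from the kernel or audit projects: a small Python parser for the generic “type=… msg=audit(timestamp:serial): key=value …” record layout, plus a decoder that checks for the four documented NETFILTER_PKT fields (mark, saddr, daddr, proto) and converts them to usable types. The log lines are constructed sample data; the handling of “?” addresses and a proto of -1 as “family could not be determined” is an assumption about how undecodable packets are reported, not something the post states.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records, not output captured from a real system.
# The NETFILTER_PKT lines use the v4.12 field set (mark, saddr, daddr, proto);
# the SYSCALL line is there to show that unrelated record types are skipped.
SAMPLE_LOG = """\
type=NETFILTER_PKT msg=audit(1499270400.123:45): mark=0x1a saddr=192.0.2.10 daddr=198.51.100.7 proto=6
type=NETFILTER_PKT msg=audit(1499270401.456:46): mark=0x0 saddr=2001:db8::1 daddr=2001:db8::2 proto=58
type=NETFILTER_PKT msg=audit(1499270402.000:47): mark=0x0 saddr=? daddr=? proto=-1
type=SYSCALL msg=audit(1499270402.789:48): arch=c000003e syscall=59 success=yes exit=0
"""

# Common audit record prefix: type, then msg=audit(<seconds>.<millis>:<serial>):
_HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values are either a double-quoted string or a bare token.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# The four NETFILTER_PKT fields named in the v4.12 summary.
NETFILTER_PKT_KEYS = ("mark", "saddr", "daddr", "proto")


@dataclass
class AuditRecord:
    type: str
    timestamp: float
    serial: int
    fields: dict = field(default_factory=dict)


def parse_record(line: str) -> Optional[AuditRecord]:
    """Parse one audit record line; return None if it is not a recognizable record."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group("body"))}
    return AuditRecord(m.group("type"), float(m.group("ts")), int(m.group("serial")), fields)


def _parse_addr(text: str):
    # Assumption: "?" marks an address the kernel could not determine.
    return None if text == "?" else ipaddress.ip_address(text)


def decode_netfilter_pkt(rec: AuditRecord) -> dict:
    """Validate and convert the documented NETFILTER_PKT fields."""
    if rec.type != "NETFILTER_PKT":
        raise ValueError(f"record {rec.serial} is {rec.type}, not NETFILTER_PKT")
    missing = [k for k in NETFILTER_PKT_KEYS if k not in rec.fields]
    if missing:
        raise ValueError(f"record {rec.serial} lacks fields: {missing}")
    proto = int(rec.fields["proto"])
    return {
        "serial": rec.serial,
        # mark is emitted as a C-style literal such as 0x1a; base 0 accepts hex or decimal.
        "mark": int(rec.fields["mark"], 0),
        "saddr": _parse_addr(rec.fields["saddr"]),
        "daddr": _parse_addr(rec.fields["daddr"]),
        # Assumption: proto=-1 means the upper layer protocol was not determined.
        "proto": None if proto < 0 else proto,
    }


def netfilter_packets(log_text: str) -> list:
    """Decode every NETFILTER_PKT record in a log, ignoring other record types."""
    out = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None and rec.type == "NETFILTER_PKT":
            out.append(decode_netfilter_pkt(rec))
    return out


if __name__ == "__main__":
    for pkt in netfilter_packets(SAMPLE_LOG):
        print(pkt)
```

Because every field is a bare key=value token, the same parse_record() works for the KERN_MODULE and other records mentioned in these summaries; only the NETFILTER_PKT decoder relies on the specific field names given above.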
19 Jun 2017 tags: seccomp

Thanks to Kyle R. Conway, I’m happy to announce that the libseccomp project now has a logo!
03 May 2017 tags: audit selinux

Linux v4.11 was released this past weekend on Sunday, April 30th; this is a quick summary of the SELinux and audit changes.
SELinux
- A number of new SELinux object classes were added to support all of the known network socket address families, and code was introduced to make it easier for kernel developers to keep the SELinux subsystem in sync with the address family definitions. These new object classes provide policy developers a greater level of access control granularity by allowing them to write policy which targets specific protocols. In order to make use of these new object classes the SELinux policy must enable the “extended_socket_class” policy capability.
- Add SELinux labeling support to the cgroup and cgroup2 pseudo filesystems. This should allow better control over applications, such as containers, which need to manage only certain portions of the system’s cgroup configuration. In order to make use of this new functionality the SELinux policy must enable the “cgroup_seclabel” policy capability.
- Add SELinux labeling support to TraceFS. This is required for Android compatibility on Linux v4.1 and above (TraceFS was introduced in Linux v4.1).
- Allow SELinux context mounts of tmpfs, ramfs, and devpts in non-init user namespaces. This is required by many container runtimes such as Docker/runc/etc.
- Change the kernel behavior so that SELinux policy booleans which are not labeled by the loaded policy are assigned the security initial SID label. Previously the boolean was left unlabeled and any access was denied.
- Additional error messages were added to the SELinux policy loading code so that policy load failures could be more easily diagnosed by administrators.
- Remove the security_task_wait() LSM hook and the SELinux implementation. It turned out that this access control was more trouble than it was worth, risking soft lockups and zombie processes without any real security advantage.
- Internal cleanups relating to how credentials were used in the SELinux subsystem. While this is a nice cleanup and simplification inside the kernel, there should be no user visible changes.
- Internal shuffling of the process restrictions affecting /proc/<pid>/attr from the individual LSMs (including SELinux) to the proc subsystem. This helps eliminate code redundancy and ensures proper behavior across LSMs.
- The SELinux LSM hooks are now marked as read-only after the system boots. This should help prevent malicious code from tampering with the LSM hooks.
Audit
- Add the ability to reset the lost record counter. See the GitHub feature page for more information.
- Log the name of the kernel module, via a new KERN_MODULE record, when the module is loaded into the kernel. See the GitHub feature page for more information.
- Fixed a problem where the SOCKETCALL record was not generated for 32-bit syscalls on a 64-bit system. See the GitHub issue for more information.
- Fix the kernel’s audit daemon state tracking code. There were a number of issues relating to how the daemon’s connection was tracked, including locking problems and some synchronization oddities with network namespaces. The code in Linux v4.11 helps resolve these problems and also adds some additional improvements to the audit backlog queue handling in the kernel. It is worth noting that some users may still experience some lock issues with Linux v4.11 when the audit daemon first starts; this has been fixed in Linus’ tree with commit 48d0e023af97 (“audit: fix the RCU locking for the auditd_connection structure”) and should be part of the next Linux v4.11 stable release.
- Adjust the KERNEL and ANOM_ABEND audit records so they are more consistent with the other audit records.