Kernel Repository Process

28 Jul 2017 tags: audit selinux

It has been over a year since I formally updated the SELinux and audit kernel repository processes, and based on how things have evolved it seems we are due for another update. This time the changes are rather small, and shouldn’t surprise anyone who has been following upstream development.

The process below applies to both SELinux and audit.

1. After the merge window closes upstream, a decision will be made regarding the need to rebase the next branch on top of the current Linux -rc1 release. If there have been a number of subsystem related changes outside of the subsystem’s next branch, or if the branch’s base is too far behind linux/master, it may be necessary to rebase the next branch. If a rebase is needed, it should be done before any patches are merged, and rebasing the next branch during the remaining -rcX releases should only be done in extreme cases.

2. Patches will be merged into the subsystem’s next branch during the development cycle which extends from merge window close up until the merge window reopens. However, it is important to note that large, complicated, or invasive patches sent late in the development cycle may be deferred until the next cycle. As a general rule, only small patches or critical fixes will be merged after -rc5/-rc6.

3. Any patches deemed necessary for the current Linux -rcX releases will be merged into the current stable-X.Y branch, marked with a signed tag, and a pull request sent against linux/master as soon as it is reasonable to do so.

4. During the development cycle Fedora Rawhide test kernels will be generated using the next and most recent stable-X.Y branches on a weekly basis, if not more often. These kernels will be tested against the SELinux test suite and audit test suite as well as being made available to everyone for additional testing.

5. Once the merge window opens, the next branch will be copied to a new branch, stable-X.Y, and the branch will be marked with a signed tag in the format subsystem-pr-YYYYMMDD. A pull request will be sent against the linux/master branch using the signed tag.

For reference, the previous process was defined here.

UPDATE: The SELinux kernel process has been updated now that we are basing the tree against Linus’ tree and sending pull requests directly to Linus.

UPDATE #2: The SELinux and audit processes have been merged (ha!) and the process has been changed to reflect potential rebasing to -rc1 at the start of the development cycle.

UPDATE #3: While the process documented here is not changing at this time, all future process updates will be documented in the README.md file in the base directory of each kernel subsystem tree. This post, and the process it describes, should be considered deprecated moving forward.

Kernel Repository Move

28 Jul 2017 tags: audit selinux

In a move that is long overdue, I’m moving the SELinux and audit repositories from infradead.org to kernel.org. The URLs for both repositories are shown below:

SELinux

• https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
• git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git

Audit

• https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
• git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

Linux 4.12 Released

05 Jul 2017 tags: audit selinux

Linux v4.12 was released this past weekend on Sunday, July 2nd; this is a quick summary of the SELinux and audit changes.

SELinux

• A new SELinux access control check was added for prlimit(2). This new access control is intended to allow SELinux policy developers the ability to control when one process attempts to read or modify another process’ resource limits using the “process:{ setrlimit getrlimit }” permissions. SELinux does not restrict a process from manipulating its own resource limits via prlimit(2).

• Reorder the CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH capability checks in the internal “generic_permission()” function so that CAP_DAC_OVERRIDE is checked after CAP_DAC_READ_SEARCH. This ensures that CAP_DAC_OVERRIDE is only checked for operations where it is required.

• Constify the kernel’s internal netlink message permission mapping tables to help prevent unwanted tampering.

• Cleanup the kernel’s internal network address handling in the SELinux bind(2) hook by ensuring that the address length is correct for the address family.

• Multiple kernel internal cleanups and simplifications.

Audit

• Log the name of the kernel module, via the KERN_MODULE record, when the module is removed from the kernel. See the GitHub feature page for more information.

• Simplify and normalize the NETFILTER_PKT record to make it easier to parse in userspace and to enable future enhancement if needed. The new record includes the netfilter mark, via “mark”, the source address, via “saddr”, the destination address, via “daddr”, and the upper layer protocol, via “proto”.

• Replace the audit subsystem’s audit_buffer management mechanism with the standard kmem_cache mechanism. This simplifies the kernel’s audit code and should provide for better runtime memory management.

• Convert a number of atomic_t reference counters to refcount_t. This change should help guard against reference count overflows in the audit subsystem.

• Convert the audit subsystem in the kernel to use 64-bit timestamps. This should make the audit subsystem year 2038 safe.

• Convert the kernel’s auditd PID tracking to use the pid struct and not the pid_t scalar type.

• All audit netlink messages sent by the kernel now use a netlink port ID value of zero. This brings audit inline with the netlink specification.

• Fix some problems with the RCU locking relating to auditd connection tracking. With any luck this should be the last of the auditd connection tracking fixes for a while.