Linux 6.1 Released

Linux v6.1 was released on Sunday, December 11th; the SELinux and audit highlights are below. Beyond these highlights, LWN.net has summarized the major changes in this release made during the first and second weeks of the merge window.

SELinux

  • A new LSM hook, and associated SELinux implementation, was added to control the creation of user namespaces. Frederick Lawler, the patch author, summarized the new access control, which adds the new “user_namespace” object class, in the patch description:

    This patch implements a new user_namespace { create } access control permission to restrict which domains allow or deny user namespace creation. This is necessary for system administrators to quickly protect their systems while waiting for vulnerability patches to be applied.

    This permission can be used in the following way:

    allow domA_t domA_t : user_namespace { create };
    
  • While not strictly a SELinux change, the userfaultfd subsystem was changed to always open userfaultfds with the O_RDONLY access mode instead of O_RDWR. This should have no functional change, as userfaultfds have always been read-only; however, a descriptor opened read-write caused SELinux to check for both the read and write permissions. With this change SELinux should only check the read permission for a userfaultfd.

  • Fix a bug caused by how the kernel allocated memory during a policy reload. The kernel was allocating memory for a label conversion with a blocking (sleeping) allocation while a lock was held, risking a deadlock or panic. The fix switches this code to a non-blocking allocation, eliminating that risk.

  • Convert all of the SELinux policy boolean values in the kernel to use a single type: signed integers. Prior to this change the booleans were represented by a mix of signed and unsigned integer types; we do not believe this was the source of any problems, but type consistency is important to ensuring problem-free code.

  • Convert the SELinux policy install script tool to use grep -E instead of the egrep tool, which has been marked obsolete.

  • Remove more references to the SELinux runtime disable functionality as we are in the process of deprecating this functionality.

  • Minor improvements and cleanups to constify function parameters and remove unneeded variables.
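The runtime-disable deprecation mentioned in this list (and the companion checkreqprot deprecation described in the 5.19 notes further down) only affects hosts that still use those knobs, so the check an administrator wants is whether their own configuration does. The following script is an added example written for these notes, not SELinux project code. It takes the contents of /etc/selinux/config, /proc/cmdline and /sys/fs/selinux/checkreqprot as strings, plus whether /sys/fs/selinux/disable exists, so it runs offline. It flags SELINUX=disabled in the config file, which the init system honours early in boot by writing to /sys/fs/selinux/disable and which should instead be expressed as the selinux=0 kernel parameter, and a checkreqprot value of 1, under which the kernel checks the memory protection a process asked for rather than the one actually applied.

```python
"""Check whether a host still depends on the deprecated SELinux runtime knobs.

Added example written for these notes; it is not SELinux project code.  The
inputs are passed in as strings so the check runs offline.  On a live system
they come from /etc/selinux/config, /proc/cmdline, whether the file
/sys/fs/selinux/disable exists, and the contents of /sys/fs/selinux/checkreqprot.
"""


def parse_selinux_config(text):
    """Parse KEY=value lines in /etc/selinux/config style; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().upper()] = value.strip().lower()
    return settings


def cmdline_value(cmdline, key):
    """Value of key=value on the kernel command line, or None when absent."""
    for token in cmdline.split():
        k, sep, v = token.partition("=")
        if sep and k == key:
            return v
    return None


def check_deprecated_knobs(config_text, cmdline, disable_node_present, checkreqprot_value):
    """Return [(knob, finding), ...]; an empty list means neither knob is in use."""
    findings = []
    cfg = parse_selinux_config(config_text)
    booted_disabled = cmdline_value(cmdline, "selinux") == "0"

    # Runtime disable: when selinux=0 is absent, SELINUX=disabled in the config file
    # is honoured early in boot by writing to /sys/fs/selinux/disable.
    if cfg.get("SELINUX") == "disabled" and not booted_disabled:
        if disable_node_present:
            findings.append(("runtime-disable",
                             "SELINUX=disabled relies on /sys/fs/selinux/disable; "
                             "put selinux=0 on the kernel command line instead"))
        else:
            findings.append(("runtime-disable",
                             "this kernel has no /sys/fs/selinux/disable, so SELINUX=disabled "
                             "cannot take effect; disabling requires selinux=0 on the command line"))

    # checkreqprot=1 makes the execmem/execmod family of checks look at the protection
    # the caller requested rather than what the kernel actually applies (for example
    # under READ_IMPLIES_EXEC), so a PROT_READ mapping can become executable unchecked.
    if checkreqprot_value.strip() == "1":
        findings.append(("checkreqprot",
                         "checkreqprot is 1; set checkreqprot=0 and fix any execmem/execmod "
                         "denials the stricter check surfaces"))
    return findings


if __name__ == "__main__":
    # Constructed inputs standing in for the live files.
    sample_config = "# This file controls the state of SELinux\nSELINUX=disabled\nSELINUXTYPE=targeted\n"
    for knob, finding in check_deprecated_knobs(sample_config, "BOOT_IMAGE=/vmlinuz root=/dev/sda1", True, "1\n"):
        print("%-15s %s" % (knob, finding))
```

On a real host, replace the constructed strings with `open("/etc/selinux/config").read()`, `open("/proc/cmdline").read()`, `os.path.exists("/sys/fs/selinux/disable")` and `open("/sys/fs/selinux/checkreqprot").read()`; a host that passes with no findings is unaffected by the removal of either knob.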

Audit

  • Change the kernel to only free the “proctitle” information on task exit, allowing the kernel to cache the string across multiple syscalls. While the patch description did not provide any before-and-after performance measurements, this should improve audit performance slightly.

  • Make use of the kernel’s existing time comparison functions instead of open coding the time comparisons directly in the audit kernel code.

  • Minor improvements to the way values are compared in the kernel code. It isn’t believed that any of these comparisons were the source of any audit problems, but these changes should help ensure proper behavior in future releases.

  • Minor cleanups to improve the comments in the code and remove unused or redundant code.

Linux 6.0 Released

Linux v6.0 was released on Sunday, October 2nd; the SELinux and audit highlights are below:

SELinux

  • Added access controls for the io_uring command passthrough functionality. This allows SELinux to control access to io_uring command passthroughs at a per-domain level, but unfortunately, due to limitations of the passthrough API, the permission is an all-or-nothing control: SELinux cannot distinguish between the individual commands sent via io_uring. The patch author, Paul Moore, provided an example of the SELinux policy allow rule one would need to allow the new io_uring functionality:

    Add a SELinux access control for the iouring IORING_OP_URING_CMD command. This includes the addition of a new permission in the existing “io_uring” object class: “cmd”. The subject of the new permission check is the domain of the process requesting access, the object is the open file which points to the device/file that is the target of the IORING_OP_URING_CMD operation. A sample policy rule is shown below:

    allow <domain> <file>:io_uring { cmd };
    
  • Added support for proper labeling of memfd_secret anonymous inodes. This allows LSMs, such as SELinux, that implement the anonymous inode hooks to apply security policy to memfd_secret file descriptors.

  • Various small improvements to the SELinux kernel memory management code including fixing memory leaks, freeing memory when it is no longer needed, randomizing internal data structures, and adding boundary checks to memory accesses.

  • Minor documentation fixes for style and formatting issues.

Audit

  • Fixed a bug where the syscall return codes were not properly set before the filtering rules were executed. This resolved a problem where audit filter rules involving syscall return codes were not properly triggering on matching syscall events.

  • Fixed a potential double free on an fsnotify error path.

  • Fixed a memory leak in the io_uring audit code.

  • Minor internal improvements to remove redundant code and mark private functions as static.

Linux 5.19 Released

Linux v5.19 was released on Sunday, July 31st; the SELinux and audit highlights are below:

SELinux

  • The “/sys/fs/selinux/checkreqprot” and “/sys/fs/selinux/disable” runtime configuration files have been deprecated for some time with no active users that we could find. In an effort to move the deprecation process further along we added a five-second pause when either checkreqprot is enabled or SELinux is disabled at runtime. In both cases a warning message is printed to the system console that provides a link to a GitHub wiki page describing why the legacy functionality is being removed and how users can transition to the new approach.

  • Added the anonymous inode class name to the SELinux AVC audit records whenever anonymous inodes are involved, which should make writing and debugging SELinux policy easier. An example was provided by Christian Göttsche, the patch author:

    type=AVC msg=audit(02/16/22 22:02:50.585:216) : avc:  granted
    { create } for  pid=2136 comm=mariadbd anonclass=[io_uring]
    scontext=system_u:system_r:mysqld_t:s0
    tcontext=system_u:system_r:mysqld_iouring_t:s0 tclass=anon_inode
    
  • Fixed a memory leak which could occur when mounting filesystems with SELinux mount options.

  • More internal SELinux data types were marked as constant values to help prevent unexpected changes.

  • A number of minor changes including documentation fixes, coding style corrections, removal of unnecessary code, and pre-processor tweaks.
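The user_namespace permission from the 6.1 notes, the io_uring “cmd” permission from the 6.0 notes and the anon_inode record above all surface as AVC audit entries of the same shape, and the practical question for an administrator is which allow rule a denial implies. The following script, written for these notes and not part of the SELinux project or the kernel, does what audit2allow does for the simple case: it parses raw AVC records (and the decoded `ausearch -i` form shown above), merges permissions per (source type, target type, class), and emits the allow rule. For anon_inode records it also derives the named type_transition that the anonclass string makes possible, since the kernel labels an anonymous inode by running a transition with the creating task's type as both source and target and the anonclass string as the object name. Every log line in the block is constructed for the example; apart from mysqld_t and mysqld_iouring_t, which come from the record quoted above, the process and type names (bwrap, nvme_admin_t, nvme_device_t, svc_t, svc_uffd_t) are made up.

```python
"""Translate SELinux AVC audit records into the allow rules they imply.

Added example modelled on the simple case of audit2allow; this is not code from
the SELinux project or the kernel.  Every line in SAMPLE_RECORDS is constructed,
and every type name in them except mysqld_t/mysqld_iouring_t (from the record in
the 5.19 notes) is made up.
"""
import re
from collections import defaultdict

# Everything of interest follows "avc:", in both the raw kernel form
#   avc:  denied  { cmd } for  pid=5151 comm="nvme-tool" ... tclass=io_uring permissive=0
# and the decoded `ausearch -i` form, which drops the quotes around comm.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
# key=value pairs; a value is either a quoted string or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the record as a dict (perms as a frozenset), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["decision"] = m.group("decision")
    rec["perms"] = frozenset(m.group("perms").split())
    return rec


def context_type(ctx):
    """Type field of user:role:type[:range]; an MLS range may itself contain ':'."""
    return ctx.split(":")[2]


def avc_to_rules(lines, denied_only=True):
    """Merge records by (source type, target type, class) and emit one allow rule each.

    Granted records are skipped unless denied_only is False; a rule for them only
    repeats what the loaded policy already says.
    """
    perms_by_key = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or (denied_only and rec["decision"] != "denied"):
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        perms_by_key[key].update(rec["perms"])
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(perms_by_key.items())
    ]


def anon_inode_transition(rec):
    """Named type_transition implied by an anon_inode record carrying anonclass.

    The kernel computes an anonymous inode's label with the creating task's type as
    both source and target and the anonclass string (e.g. "[io_uring]") as the
    object name, so that string goes into the rule verbatim.  Returns None when the
    record is not an anon_inode one or when no transition is needed.
    """
    if rec is None or rec.get("tclass") != "anon_inode" or "anonclass" not in rec:
        return None
    src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
    if src == tgt:
        return None
    return 'type_transition %s %s:anon_inode %s "%s";' % (src, src, tgt, rec["anonclass"])


# Constructed records (timestamps, pids and names are made up; the last AVC line is
# the one quoted in the 5.19 notes, rewritten in raw form with its timestamp as UTC).
SAMPLE_RECORDS = [
    # 6.1 user_namespace class: subject and object are the same domain
    'type=AVC msg=audit(1670800000.123:401): avc:  denied  { create } for  pid=4242 comm="bwrap" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=user_namespace permissive=0',
    # 6.0 io_uring cmd: the object is the label of the file the command targets
    'type=AVC msg=audit(1670800001.456:402): avc:  denied  { cmd } for  pid=5151 comm="nvme-tool" '
    'path="/dev/nvme0" dev="devtmpfs" ino=300 scontext=system_u:system_r:nvme_admin_t:s0 '
    'tcontext=system_u:object_r:nvme_device_t:s0 tclass=io_uring permissive=0',
    # two denials on one userfaultfd anon inode, merged into a single rule
    'type=AVC msg=audit(1670800002.789:403): avc:  denied  { create } for  pid=6161 comm="svc" '
    'anonclass=[userfaultfd] scontext=system_u:system_r:svc_t:s0 '
    'tcontext=system_u:system_r:svc_uffd_t:s0 tclass=anon_inode permissive=0',
    'type=AVC msg=audit(1670800002.790:404): avc:  denied  { read } for  pid=6161 comm="svc" '
    'path="anon_inode:[userfaultfd]" scontext=system_u:system_r:svc_t:s0 '
    'tcontext=system_u:system_r:svc_uffd_t:s0 tclass=anon_inode permissive=0',
    # the granted record from the 5.19 notes
    'type=AVC msg=audit(1645048970.585:216): avc:  granted  { create } for  pid=2136 comm="mariadbd" '
    'anonclass=[io_uring] scontext=system_u:system_r:mysqld_t:s0 '
    'tcontext=system_u:system_r:mysqld_iouring_t:s0 tclass=anon_inode',
    # a non-AVC record, which the parser skips
    'type=SYSCALL msg=audit(1670800000.123:401): arch=c000003e syscall=272 success=no exit=-13',
]


if __name__ == "__main__":
    for rule in avc_to_rules(SAMPLE_RECORDS):
        print(rule)
    for line in SAMPLE_RECORDS:
        transition = anon_inode_transition(parse_avc(line))
        if transition:
            print(transition)
```

The userfaultfd pair illustrates why the 6.1 O_RDONLY change matters to policy writers: before it, the kernel derived `{ read write }` from the descriptor's O_RDWR mode for such checks, so rules generated from those denials would have granted a write permission the descriptor never needed. As with audit2allow, treat the output as a starting point: a denial tells you what the process tried, not that the access is appropriate.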

Audit

  • Fixed a memory leak caused when logging information related to loading a kernel module.

  • A small number of changes related to audit’s use of fsnotify made necessary by changes in the fsnotify subsystem.