04 Oct 2022 tags: audit selinux

Linux v6.0 was released on Sunday, October 2nd; the SELinux and audit highlights are below:
SELinux
- Added access controls for the io_uring command passthrough functionality. This allows SELinux to control access to the io_uring command passthroughs at a per-domain level, but unfortunately due to limitations with the passthrough API, the permission is an all or nothing control with respect to the commands sent via io_uring. The patch author, Paul Moore, provides an example of the SELinux policy allow rule one would need to allow the new io_uring functionality:
  Add a SELinux access control for the iouring IORING_OP_URING_CMD command. This includes the addition of a new permission in the existing “io_uring” object class: “cmd”. The subject of the new permission check is the domain of the process requesting access, the object is the open file which points to the device/file that is the target of the IORING_OP_URING_CMD operation. A sample policy rule is shown below:

    allow <domain> <file>:io_uring { cmd };
- Added support for proper labeling of memfd_secret anonymous inodes. This allows LSMs, such as SELinux, that implement the anonymous inode hooks to apply security policy to memfd_secret file descriptors.
- Various small improvements to the SELinux kernel memory management code including fixing memory leaks, freeing memory when it is no longer needed, randomizing internal data structures, and adding boundary checks to memory accesses.
- Minor documentation fixes to fix style and formatting issues.
Audit
- Fixed a bug where the syscall return codes were not properly set before the filtering rules were executed. This resolved a problem where audit filter rules involving syscall return codes were not properly triggering on matching syscall events.
- Fixed a potential double free on a fsnotify error path.
- Fixed a memory leak in the io_uring audit code.
- Minor internal improvements to remove redundant code and mark private functions as static.
01 Aug 2022 tags: audit selinux

Linux v5.19 was released on Sunday, July 31st; the SELinux and audit highlights are below:
SELinux
- The “/sys/fs/selinux/checkreqprot” and “/sys/fs/selinux/disable” runtime configuration files have been deprecated for some time with no active users that we could find. In an effort to move the deprecation process further along we added a five second pause when either checkreqprot is enabled or SELinux is disabled at runtime. In both cases a warning message is printed to the system console that provides a link to a GitHub wiki page describing why the legacy functionality is being disabled and how users can transition to using the new approach.
- Added the anonymous inode class name to the SELinux AVC audit records whenever anonymous inodes are involved, which should make writing and debugging SELinux policy easier. An example was provided by Christian Göttsche, the patch author:
    type=AVC msg=audit(02/16/22 22:02:50.585:216) : avc: granted
    { create } for pid=2136 comm=mariadbd anonclass=[io_uring]
    scontext=system_u:system_r:mysqld_t:s0
    tcontext=system_u:system_r:mysqld_iouring_t:s0 tclass=anon_inode
- Fixed a memory leak which could occur when mounting filesystems with SELinux mount options.
- More internal SELinux data types were marked as constant values to help prevent unexpected changes.
- A number of minor changes including documentation fixes, coding style corrections, removal of unnecessary code, and pre-processor tweaks.
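The AVC record above and the io_uring “cmd” allow rule in the v6.0 notes follow one pattern: an AVC record names the source context, target context, object class and permission set, and the allow rule that would grant that access is read straight off those fields. The script below is an added example, not code from this post or from the SELinux project: a small audit2allow-style parser that extracts those fields, including the new anonclass= field, and prints the allow rule each denial would need. The first sample record mirrors the v5.19 example above; the second, a denied io_uring “cmd” request with the types example_app_t and example_dev_t and the path /dev/example0, is constructed for illustration.

```python
"""Derive SELinux allow rules from AVC audit records (added example)."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field

# Matches "avc: granted { create }" or "avc:  denied  { read write }".
_AVC_RE = re.compile(r"avc:\s+(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}")
# key=value pairs following the permission set; values are bare or double-quoted.
_KV_RE = re.compile(r'(?P<key>[a-z_]+)=(?P<val>"[^"]*"|\S+)')


@dataclass
class AvcRecord:
    result: str                 # "granted" or "denied"
    perms: list[str]            # permissions listed inside the braces
    fields: dict[str, str] = field(default_factory=dict)

    def type_of(self, ctx_key: str) -> str:
        """Type component of a context of the form user:role:type[:mls]."""
        parts = self.fields[ctx_key].split(":")
        if len(parts) < 3:
            raise ValueError(f"malformed context in {ctx_key}: {self.fields[ctx_key]}")
        return parts[2]

    def allow_rule(self) -> str:
        """The policy rule that grants exactly the access this record describes."""
        perms = " ".join(self.perms)
        return (f"allow {self.type_of('scontext')} {self.type_of('tcontext')}:"
                f"{self.fields['tclass']} {{ {perms} }};")


def parse_avc(line: str) -> AvcRecord:
    """Parse one AVC record; raise ValueError for any other record type."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    # Only look at the text after the permission set, so "type=AVC" and
    # "msg=audit(...)" in the record header are not mistaken for fields.
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line[m.end():])}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError(f"AVC record missing {required}=")
    return AvcRecord(m.group("result"), m.group("perms").split(), fields)


def denied_rules(lines) -> list[str]:
    """Distinct allow rules needed to satisfy every denial in `lines`.

    Granted records and non-AVC lines (SYSCALL, PROCTITLE, ...) are skipped.
    """
    rules: list[str] = []
    for line in lines:
        try:
            rec = parse_avc(line)
        except ValueError:
            continue
        if rec.result == "denied" and rec.allow_rule() not in rules:
            rules.append(rec.allow_rule())
    return rules


# Constructed sample records: the first mirrors the v5.19 example in the
# post, the second is a hypothetical denial of the v6.0 io_uring "cmd"
# permission using the made-up types example_app_t and example_dev_t.
SAMPLE_RECORDS = [
    "type=AVC msg=audit(02/16/22 22:02:50.585:216) : avc: granted "
    "{ create } for pid=2136 comm=mariadbd anonclass=[io_uring] "
    "scontext=system_u:system_r:mysqld_t:s0 "
    "tcontext=system_u:system_r:mysqld_iouring_t:s0 tclass=anon_inode",
    'type=AVC msg=audit(1664000000.000:42): avc:  denied  { cmd } for '
    'pid=4321 comm="example_app" path="/dev/example0" dev="devtmpfs" ino=128 '
    "scontext=system_u:system_r:example_app_t:s0 "
    "tcontext=system_u:object_r:example_dev_t:s0 tclass=io_uring permissive=0",
]

if __name__ == "__main__":
    # Read audit.log from stdin, or fall back to the constructed samples.
    source = SAMPLE_RECORDS if sys.stdin.isatty() else sys.stdin
    for rule in denied_rules(source):
        print(rule)
```

Run it as `python3 avc_rules.py < /var/log/audit/audit.log` to list the rules behind the denials in a log; with no input it prints the rule for the constructed sample, `allow example_app_t example_dev_t:io_uring { cmd };`. Before adding such a rule to policy, keep in mind the caveat from the v6.0 notes: the io_uring “cmd” permission is all or nothing, so that one rule grants every command the domain can send through the passthrough to that file, not just the one that was denied.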
Audit
- Fixed a memory leak caused when logging information related to loading a kernel module.
- A small number of changes related to audit’s use of fsnotify made necessary by changes in the fsnotify subsystem.
08 Jun 2022 tags: seccomp

Today marks the 10th anniversary of the first libseccomp release, v0.1.0, on June 8, 2012. Over these past 10 years we’ve made 23 different releases based on the work of 65 contributors, achieved 90% code coverage with our tests, met the CII/OpenSSF “Best Practices” requirements, and earned an “A+” for our code quality on LGTM.
Thank you to all of those who have contributed!
Alex Murray
Andreas Schwab
Andrew Jones
Andy Lutomirski
Ashley Lai
Bogdan Purcareata
Brian Cain
Christopher Waldon
Chris Waldon
Colin Walters
Corey Bryant
David Drysdale
Eduardo Otubo
Eric Paris
Fabrice Fontaine
Felix Abecassis
Felix Geyer
Giuseppe Scrivano
Heiko Carstens
Helge Deller
Jake Edge
James Cowgill
Jan Engelhardt
Jan Willeke
Jay Guo
Jiannan Guo
Joe MacDonald
John Paul Adrian Glaubitz
Jonah Petri
Justin Cormack
Kees Cook
Kyle R. Conway
Kenta Tada
Kir Kolyshkin
Lin, Yong Xiang
Luca Bruno
Manabu Sugimoto
Marcin Juszkiewicz
Marcus Meissner
Markos Chandras
Mathias Krause
Max Rees
Michael Forney
Michael Karcher
Mike Frysinger
Mike Strosaker
Miroslav Lichvar
Paul Moore
Rodrigo Campos
Rolf Eike Beer
Samanta Navarro
Sascha Grunert
Serge Hallyn
Stéphane Graber
Stephen Coleman
Thiago Marcos P. Santos
Tobias Klauser
Tom Hromatka
Tudor Brindus
Tycho Andersen
Tyler Hicks
Valoq
Vicente Olivert Riera
Vitaly Vi Shukela
Vladimir Rutsky