Libseccomp 2.3.2 Released

We've just released a new version of libseccomp, libseccomp version 2.3.2. The libseccomp library provides an easy to use, platform independent interface to the Linux enhanced syscall filtering mechanism.

This new version of libseccomp builds upon the previous release and should be a drop-in replacement for the 2.x releases. All users are encouraged to upgrade to the new version at their earliest convenience.

Changes in the 2.3.2 release include:

  • Achieved full compliance with the CII Best Practices program
  • Added Travis CI builds to the GitHub repository
  • Added code coverage reporting with the "--enable-code-coverage" configure flag and added Coveralls to the GitHub repository
  • Updated the syscall tables to match Linux v4.10-rc6+
  • Support for building with Python v3.x
  • Allow rules with the -1 syscall if the SCMP_FLTATR_API_TSKIP attribute is set to true
  • Several small documentation fixes

Finally, thank you to everyone who has submitted suggestions, provided testing help, and contributed patches to the project.

Linux 4.10 Released

Linux v4.10 was released this past weekend on Sunday, February 19th; this is a quick summary of the SELinux and audit changes.

SELinux

  • Fix a GFS2/SELinux deadlock where one task is initializing an inode while another task is invalidating the SELinux label on the same inode. The fix involved changing the SELinux inode_security_struct lock from a mutex to a spinlock and introducing a new SELinux label state, "PENDING". These two changes allow SELinux to mark a pending inode initialization and detect if the inode's label was invalidated during the initialization process.

  • Add a build time check to catch the addition of new capabilities and force an update to the associated SELinux code. The simple fix was to compare the CAP_LAST_CAP sentinel value with the last known defined capability and cause a compilation failure, via the "#error" compiler directive, when there is a mismatch.

  • Normalize input to /sys/fs/selinux/enforce so that the stored value is only ever 1 (true) or 0 (false). This change should have no impact to the kernel, it only checks for non-zero (true) or 0 (false), but some userspace tools check for a value of 1 instead of a non-zero true value.

  • Fix a problem where clearing /proc/self/attr/fscreate could result in an unwanted kernel memory access (CVE-2017-2618).

  • A number of minor improvements and cleanups to the SELinux inode handling.

Audit

  • Major rework of the audit backlog queue which moves the audit multicast writes from the thread of the task which generates the event to a separate kernel thread, much like we do for the audit unicast/auditd messages. Moving the multicast writes had a ripple effect on the entire audit queuing mechanism which brought about a number of improvements which should reduce the per-task audit overhead when audit is enabled, and help make audit more robust under heavy load.

  • Add kernel support for audit filtering based on the session ID. See the GitHub feature page for more information.

  • Fix audit's use of fsnotify to prevent sleeping on a spinlock. The fix involved making sure that the proper lock ordering was followed, meaning that we took the fsnotify_group's mutex before taking the fsnotify_mark's spinlock.

  • Fix a problem where audit was needlessly duplicating fsnotify_mark structures and leaking a reference to the associated fsnotify group.

  • Fix a problem where the kernel wasn't properly holding a reference for the auditd communication socket which could result in a race condition when resetting the connection with auditd.

  • Ensure consistent logging of the CONFIG_CHANGE audit record. The record's "op" field is not encoded so the value should not be surrounded with double quotes.

DevConf.cz 2017

I attended DevConf.cz again this year and once again really enjoyed myself. I didn't present at last year's conference but I made up for it this year by giving two presentations: one presentation on the Core Infrastructure Initiative's Best Practices Badge Program and the other a reprise of Richard Guy Briggs' audit and namespace talk from the 2016 Linux Security Summit. Richard had planned on giving the talk himself at DevConf.cz this year, but unfortunately wasn't able to make the trip so I agreed to give the talk in his place. Slides and videos of the presentations can be found below.