15 Dec 2020 tags: audit selinux
Linux v5.10 was released on Sunday, December 13th, 2020; the SELinux and audit highlights are below:
A number of changes to how the SELinux policy is loaded and managed inside the kernel with the goal of improving the atomicity of the SELinux policy load operation as well as overall policy lookup performance. Work included better encapsulation of the policy state, improvements to the policy locking, and refactoring both the policy boolean updates and selinuxfs. This was a significant effort spread across multiple patches and multiple developers; a special thanks to everyone who was involved in the development and testing of these changes.
- A tracepoint was added for audited SELinux access control events. These changes should help provide a more unified backtrace across the kernel and userspace when examining SELinux access control denials. The author of the changes, Thiébaud Weksteen, explains the basic functionality:
It is possible to use perf for monitoring the event:
# perf record -e avc:selinux_audited -g -a
# perf report -g
6.40% 6.40% audited=800000 tclass=4
It is also possible to use the ftrace interface:
# echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable
# cat /sys/kernel/debug/tracing/trace
entries-in-buffer/entries-written: 1/1 #P:8
dmesg-3624  13072.325358: selinux_denied: audited=800000 tclass=4
The tclass value can be mapped to a class by searching security/selinux/flask.h. The audited value is a bit field of the permissions described in security/selinux/av_permissions.h for the corresponding class.
- Thiébaud also later added additional attributes and basic filtering support to the new SELinux tracepoints:
This patch adds further attributes to the event. These attributes are helpful to understand the context of the message and can be used to filter the events.
There are three common items. Source context, target context and tclass. There are also items from the outcome of operation performed.
An event is similar to:
<...>-1309  .... 6346.691689: selinux_audited:
requested=0x4000000 denied=0x4000000 audited=0x4000000
With systems where many denials are occurring, it is useful to apply a filter. The filtering is a set of logic that is inserted with the filter file. Example:
echo "tclass==\"file\" " > events/avc/selinux_audited/filter
This adds that we only get tclass=file.
The trace can also have extra properties. Adding the user stack can be done with
echo 1 > options/userstacktrace
Now the output will be:
runcon-1365  .... 6960.955530: selinux_audited:
requested=0x4000000 denied=0x4000000 audited=0x4000000
runcon-1365  .... 6960.955560: <user stack trace>
It is now possible to remove the SELinux label from a file when there is no policy loaded by removing the “security.selinux” extended attribute from the file.
The “scripts/selinux/mdp” tool in the kernel source tree now generates SELinux policies with policy capabilities enabled.
Fix the SELinux/InfiniBand PKEY object cache error handling code to properly return an error code on failure.
- Provide a “no sooner” date of June 2021 for the SELinux checkreqprot sysfs deprecation the was first declared in the Linux v5.7 release.
- A small number of trivial fixes, e.g. changing global variables to static declarations, that don’t have any noticeable impact on audit functionality or behavior.
14 Oct 2020 tags: audit selinux
Linux v5.9 was released on Sunday, October 11th, 2020; the SELinux and audit highlights are below:
- Allow reading of SELinux labels before the policy is loaded, allowing for some more “exotic” initramfs approaches as described by the author Jonathan Lebon:
This patch does for ‘getxattr’ what commit 3e3e24b42043 (“selinux: allow labeling before policy is loaded”) did for ‘setxattr’; it allows querying the current SELinux label on disk before the policy is loaded.
One of the motivations described in that commit message also drives this patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be able to move the root filesystem for example, from xfs to ext4 on RAID, on first boot, at initrd time.
Because such an operation works at the filesystem level, we need to be able to read the SELinux labels first from the original root, and apply them to the files of the new root. The previous commit enabled the second part of this process; this commit enables the first part.
- Improved the SELinux policy symbol table performance due to a rework of the insert and search functions. The patch author, Ondrej Mosnacek, described the impact of the changes in the commit description:
With this patch, I measured a speed up in the following areas (measured on x86_64 F32 VM with 4 CPUs):
- Policy load (‘load_policy’) - takes ~150 ms instead of ~230 ms.
- ‘chcon -R unconfined_u:object_r:user_tmp_t:s0:c381,c519 /tmp/linux-src’ where /tmp/linux-src is an extracted linux-5.7 source tarball - takes ~522 ms instead of ~576 ms. This is because of many symtab_search() calls in string_to_context_struct() when there are many categories specified in the context.
- ‘stress-ng –msg 1 –msg-ops 10000000’ - takes 12.41 s instead of 13.95 s (consumes 18.6 s of kernel CPU time instead of 21.6 s). This is thanks to security_transition_sid() being ~43% faster after this patch.
Added support for the CAP_CHECKPOINT_RESTORE capability in the “capability2” object class as “checkpoint_restore”.
Fixed a problem where error messages were not properly logged when the required “process” object class, “transition” permission, or “dyntransition” permission were missing from the policy being loaded into the kernel.
- Fix some problems with initial SIDs and the script generated SELinux MDP policy.
04 Aug 2020 tags: audit selinux
Linux v5.8 was released on Sunday, August 2, 2020; the SELinux and audit highlights are below:
Added support for a new SELinux policy version, version 33, which allows for a more space efficient way of storing the filename transitions in the binary policy. Given the default Fedora SELinux policy with the unconfined module enabled, this change drops the policy size from ~7.6MB to ~3.3MB, with policy load times dropping as well.
A number of improvements to various SELinux internal kernel data structures to help improve performance and simplify the code. The role transitions moved into a hash table, and we shifted from hashing the rendered SELinux label string to the content structure itself, when it is valid.
Support was added for the new CAP_PERFMON and CAP_BPF capabilities in the “capability2” object class.
Several bug fixes found by the Clang Static analyzer which resolve potential double-free conditions and undefined return values.
Some fixes to the error handling code in the policy parser to properly return error codes when things go wrong.
Internal changes to the the LSM hook responsible for ensuring that the LSM credentials are set correctly for processes when they are executed.
Changes to the LSM/SELinux hooks for the kernel keyring.
Binding and unbinding to the audit multicast socket now generates audit records. This is intended to help administrators identify which processes have, or had, access to the information in the audit record stream.
Some of the audit error handling was improved to remove the potential for leaking network namespace references in the kernel.
The netfilter configuration records were cleaned and additional information was added to the records.
Sadly the commit which helped enable better support for accompanying records which was merged for the Linux v5.7 release needed to be reverted due to problems with the implementation. I expect this to come back at a later date once the code is improved.