08 Jun 2022 tags: seccomp
Today marks the 10th anniversary of the first libseccomp release, v0.1.0, on June 8, 2012. Over these past 10 years we’ve made 23 different releases based on the work of 65 contributors, achieved 90% code coverage with our tests, met the CII/OpenSSF “Best Practices” requirements, and earned an “A+” for our code quality on LGTM.
Thank you to all of those who have contributed!
John Paul Adrian Glaubitz
Kyle R. Conway
Lin, Yong Xiang
Rolf Eike Beer
Thiago Marcos P. Santos
Vicente Olivert Riera
Vitaly Vi Shukela
23 May 2022 tags: audit selinux
Linux v5.18 was released on Sunday, May 22nd; the SELinux and audit highlights are below:
- Add a new policy capability, “ioctl_skip_cloexec”, which, when enabled, allows the FIONCLEX ioctls independently of the loaded SELinux policy.
- Implement the security_sctp_assoc_established() hook in SELinux to ensure that the SCTP peer labeling behavior is consistent on both the client and server side. The kernel’s SCTP documentation provides more information on the SCTP peer labeling behavior:

  “An SCTP socket will only have one peer label assigned to it. This will be assigned during the establishment of the first association. Any further associations on this socket will have their packet peer label compared to the socket’s peer label, and only if they are different will the association permission be validated. This is validated by checking the socket peer sid against the received packet’s peer sid to determine whether the association should be allowed or denied.”
- Reworked how SELinux processes the filesystem mount contexts in an effort to simplify the kernel code and ensure that memory allocations are not attempted when it is inappropriate, e.g. when a spinlock is held. This work did introduce a new restriction in that the new mount API requires that the SELinux policy is loaded before passing filesystem contexts to the mount API.
- Add SELinux netlink message mappings for RTM_SETSTATS. The new tunnel, delete tunnel, and hardware offload stat commands map to the “netlink_route_socket:nlmsg_write” permission while the get tunnel command maps to the “netlink_route_socket:nlmsg_read” permission.
- Fixed problems in the error handling of the kernel’s SELinux policy loading code.
- Fixed a problem with stacked LSMs when accessing a filesystem’s superblock.
- More kernel internal variables and function parameters were marked as constant values to help prevent unintended modification in the SELinux kernel code.
- Fixed a number of RCU variable marking mismatches.
- Minor internal style, type casting, and dead code fixes.
- Change how the “AUDIT_TIME_*” records are generated such that the time related records are only generated when they are associated with a corresponding syscall. This should help reduce the time related noise in the audit logs.
- Fixed a problem where a task’s audit context might not be properly reset when using io_uring.
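As an added example (not code from the page or from the kernel), a small C program that checks whether a policy capability such as “ioctl_skip_cloexec” is actually in effect on the running system. The kernel exposes every policy capability it knows about as a file under the selinuxfs policy_capabilities directory, containing “1” when the loaded policy enables it and “0” otherwise; a missing file means the kernel predates the capability. The program assumes selinuxfs is mounted at /sys/fs/selinux (the usual location), and the function and enum names are the example's own.

```c
/* Added example: classify a SELinux policy capability as enabled, disabled,
 * or unsupported by reading <selinuxfs>/policy_capabilities/<name>.
 * Not kernel code; the names below are this example's own. */
#include <stdio.h>
#include <string.h>

enum policycap_state {
    POLICYCAP_UNSUPPORTED = -1, /* no such file: kernel lacks the capability */
    POLICYCAP_DISABLED = 0,     /* file reads "0": policy does not enable it */
    POLICYCAP_ENABLED = 1       /* file reads "1": capability is active */
};

/* Interpret the contents of one policy_capabilities file. Anything other
 * than a lone '0' or '1' is reported as unsupported, so a caller never
 * concludes that a policy relaxation is active from malformed input. */
int policycap_parse(const char *contents)
{
    if (contents == NULL)
        return POLICYCAP_UNSUPPORTED;
    while (*contents == ' ' || *contents == '\t' || *contents == '\n')
        contents++;
    if (contents[0] == '1' && (contents[1] == '\0' || contents[1] == '\n'))
        return POLICYCAP_ENABLED;
    if (contents[0] == '0' && (contents[1] == '\0' || contents[1] == '\n'))
        return POLICYCAP_DISABLED;
    return POLICYCAP_UNSUPPORTED;
}

/* Read <selinuxfs>/policy_capabilities/<name> and classify it. A kernel
 * without the capability has no such file, which maps to UNSUPPORTED. */
int policycap_state(const char *selinuxfs, const char *name)
{
    char path[256];
    char buf[16];
    FILE *f;
    size_t n;

    if (snprintf(path, sizeof(path), "%s/policy_capabilities/%s",
                 selinuxfs, name) >= (int)sizeof(path))
        return POLICYCAP_UNSUPPORTED;
    f = fopen(path, "r");
    if (f == NULL)
        return POLICYCAP_UNSUPPORTED;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return policycap_parse(buf);
}

int main(void)
{
    /* Assumption: selinuxfs mounted at its usual location. */
    const char *selinuxfs = "/sys/fs/selinux";
    const char *name = "ioctl_skip_cloexec";

    switch (policycap_state(selinuxfs, name)) {
    case POLICYCAP_ENABLED:
        printf("%s: enabled (FIONCLEX ioctls are allowed regardless of policy)\n", name);
        break;
    case POLICYCAP_DISABLED:
        printf("%s: present but not enabled by the loaded policy\n", name);
        break;
    default:
        printf("%s: not supported by this kernel, or selinuxfs not mounted\n", name);
        break;
    }
    return 0;
}
```

The three-way result matters for auditing: “disabled” and “unsupported” both mean the ioctl is still subject to policy, but only the former tells you the kernel is new enough for a policy update to change that.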
22 Mar 2022 tags: audit selinux
Linux v5.17 was released on Sunday, March 20th; the SELinux and audit highlights are below:
- Fixed an improper mutex check in the SELinux code which could have resulted in spurious warning messages.
- Fixed a problem where an internal policy structure field was not properly reset after freeing, potentially leading to a double-free problem on certain error conditions.
- Internal hardening improvements relating to calculating memory allocation sizes by changing code to use the struct_size() macro.
- Various “house cleaning” changes to the SELinux filesystem mount hooks: removing dead code, minor code tweaks, and plugging a potential memory leak.
- Renamed an LSM/SELinux hook responsible for returning the security label of the currently running task to better reflect its behavior.
- Fixed problems relating to record queuing and system responsiveness when “audit=1” is specified on the kernel command line and the audit daemon is SIGSTOP’d for an extended period of time.
- Ensure that processes which generate userspace records are not exempt from the kernel’s record throttling when the audit queues are being overrun.
- Fixed a problem when auditing the openat2() syscall which could result in improperly accessing userspace memory.
- Internal hardening improvements through the use of the struct_size() macro and zero-length array to flexible-array conversions.
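The two v5.17 hardening items above (the SELinux switch to struct_size() and the audit zero-length-array to flexible-array conversions) both target the same defect class: an allocation size computed by hand that wraps on a large element count, producing a buffer smaller than the code then writes into. The following is an added example, not code from the page or from the kernel. The kernel's real struct_size() lives in <linux/overflow.h>; the userspace stand-in here (an assumption for this example) keeps its semantics, returning the size of a header struct plus n trailing elements and saturating to SIZE_MAX on overflow so the allocation fails instead of succeeding with too little memory. struct perm_set and the function names are the example's own.

```c
/* Added example: hand-computed allocation size (wraps) versus a
 * struct_size()-style checked computation (saturates to SIZE_MAX).
 * Not kernel code; the macro below re-implements the kernel's semantics
 * in userspace for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Checked multiply/add: saturate to SIZE_MAX rather than wrapping. */
static inline size_t size_mul(size_t a, size_t b)
{
    size_t r;
    if (__builtin_mul_overflow(a, b, &r))
        return SIZE_MAX;
    return r;
}

static inline size_t size_add(size_t a, size_t b)
{
    size_t r;
    if (__builtin_add_overflow(a, b, &r))
        return SIZE_MAX;
    return r;
}

/* Stand-in for the kernel's struct_size(p, member, n): size of *p plus
 * n elements of its flexible array member, overflow-checked. */
#define struct_size(p, member, n) \
    size_add(sizeof(*(p)), size_mul(sizeof(*(p)->member), (n)))

/* A count followed by a flexible array, the shape the zero-length-array
 * to flexible-array conversions produce (perms[] rather than perms[0]). */
struct perm_set {
    uint32_t nperms;
    uint32_t perms[];
};

/* Before: size computed by hand. A large count wraps size_t and yields a
 * small value, so the allocation succeeds but is undersized. */
size_t perm_set_size_unchecked(size_t nperms)
{
    return sizeof(struct perm_set) + nperms * sizeof(uint32_t);
}

/* After: checked arithmetic; an impossible count saturates to SIZE_MAX.
 * The kernel form passes the real pointer; a typed null is enough here
 * because sizeof never dereferences it. */
size_t perm_set_size_checked(size_t nperms)
{
    return struct_size((struct perm_set *)0, perms, nperms);
}

/* Allocate a zeroed perm_set, refusing counts whose size overflows. */
struct perm_set *perm_set_alloc(size_t nperms)
{
    size_t sz = perm_set_size_checked(nperms);
    struct perm_set *ps;

    if (sz == SIZE_MAX || nperms > UINT32_MAX)
        return NULL;
    ps = malloc(sz);
    if (ps == NULL)
        return NULL;
    memset(ps, 0, sz);
    ps->nperms = (uint32_t)nperms;
    return ps;
}

/* Exercise the allocator: returns the stored count, or 0 when refused. */
uint32_t perm_set_try(size_t nperms)
{
    struct perm_set *ps = perm_set_alloc(nperms);
    uint32_t n = ps ? ps->nperms : 0;
    free(ps);
    return n;
}

int main(void)
{
    size_t huge = SIZE_MAX / 2; /* constructed count that wraps when multiplied by 4 */

    printf("n=3:    unchecked=%zu checked=%zu\n",
           perm_set_size_unchecked(3), perm_set_size_checked(3));
    printf("n=huge: unchecked=%zu (wrapped) checked=%zu (saturated)\n",
           perm_set_size_unchecked(huge), perm_set_size_checked(huge));
    printf("alloc(huge) refused: %s\n",
           perm_set_alloc(huge) == NULL ? "yes" : "no");
    return 0;
}
```

With huge = SIZE_MAX / 2 the hand-computed size wraps to exactly 0 on both 32- and 64-bit size_t, which a plain malloc() would happily satisfy; the checked form returns SIZE_MAX and the allocator refuses it.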