Linux 4.10 Released
22 Feb 2017
tags: audit selinux
Linux v4.10 was released this past weekend on Sunday, February 19th; this is a quick summary of the SELinux and audit changes.
Fix a GFS2/SELinux deadlock where one task is initializing an inode while another task is invalidating the SELinux label on the same inode. The fix involved changing the SELinux inode_security_struct lock from a mutex to a spinlock and introducing a new SELinux label state, "PENDING". These two changes allow SELinux to mark a pending inode initialization and detect if the inode's label was invalidated during the initialization process.
Add a build time check to catch the addition of new capabilities and force an update to the associated SELinux code. The simple fix was to compare the CAP_LAST_CAP sentinel value with the last known defined capability and cause a compilation failure, via the "#error" compiler directive, when there is a mismatch.
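A user-space mirror of that build-time check, as an added example rather than the kernel's own code: the CAP_* numbers, the CAP2_LAST_KNOWN macro and the permission-name table are constructed stand-ins, and the "#error" guard trips at compile time if the sentinel outruns the table.

```c
/* Added example, not the kernel's code: a user-space mirror of the
 * SELinux build-time capability check. CAP_* values and the table
 * below are constructed stand-ins for illustration. */
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the kernel's capability numbers. */
#define CAP_MAC_OVERRIDE  32
#define CAP_MAC_ADMIN     33
#define CAP_SYSLOG        34
#define CAP_WAKE_ALARM    35
#define CAP_BLOCK_SUSPEND 36
#define CAP_AUDIT_READ    37
#define CAP_LAST_CAP      CAP_AUDIT_READ   /* the kernel's sentinel */

/* Last capability this table knows about; bump it when adding a row. */
#define CAP2_LAST_KNOWN   CAP_AUDIT_READ

/* Fail the build instead of silently leaving a new capability unnamed. */
#if CAP_LAST_CAP > CAP2_LAST_KNOWN
#error New capability defined, please update the permission table.
#endif

/* Permission names for capabilities 32..CAP2_LAST_KNOWN, in order. */
static const char *const cap2_perms[] = {
    "mac_override", "mac_admin", "syslog",
    "wake_alarm", "block_suspend", "audit_read",
};

/* Second guard: the table length must match the declared last capability. */
_Static_assert(sizeof(cap2_perms) / sizeof(cap2_perms[0]) ==
               CAP2_LAST_KNOWN - 32 + 1,
               "cap2_perms length does not match CAP2_LAST_KNOWN");

/* Map a capability number to its permission name; NULL if unknown. */
const char *cap2_perm_name(int cap)
{
    if (cap < 32 || cap > CAP2_LAST_KNOWN)
        return NULL;
    return cap2_perms[cap - 32];
}
```

Raising CAP_LAST_CAP to 38 without adding a row makes the build fail at the "#error" line, which is exactly the mismatch the kernel check is meant to catch.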
Normalize input to /sys/fs/selinux/enforce so that the stored value is only ever 1 (true) or 0 (false). This change should have no impact on the kernel, which only checks for non-zero (true) or 0 (false), but some userspace tools check for a value of exactly 1 rather than any non-zero true value.
Fix a problem where clearing /proc/self/attr/fscreate could result in an unwanted kernel memory access (CVE-2017-2618).
A number of minor improvements and cleanups to the SELinux inode handling.
Major rework of the audit backlog queue which moves the audit multicast writes from the thread of the task which generates the event to a separate kernel thread, much like we do for the audit unicast/auditd messages. Moving the multicast writes had a ripple effect on the entire audit queuing mechanism which brought about a number of improvements which should reduce the per-task audit overhead when audit is enabled, and help make audit more robust under heavy load.
Add kernel support for audit filtering based on the session ID. See the GitHub feature page for more information.
Fix audit's use of fsnotify to prevent sleeping on a spinlock. The fix involved making sure that the proper lock ordering was followed, meaning that we took the fsnotify_group's mutex before taking the fsnotify_mark's spinlock.
Fix a problem where audit was needlessly duplicating fsnotify_mark structures and leaking a reference to the associated fsnotify group.
Fix a problem where the kernel wasn't properly holding a reference for the auditd communication socket which could result in a race condition when resetting the connection with auditd.
Ensure consistent logging of the CONFIG_CHANGE audit record. The record's "op" field is not encoded so the value should not be surrounded with double quotes.