Linux 5.13 Released
29 Jun 2021
tags: audit selinux

Linux v5.13 was released on Sunday, June 27th; the SELinux and audit highlights are below:
SELinux
- Linux v5.12 added basic SELinux policy measurements to IMA, and with this kernel release support for measuring the SELinux state variables and policy capabilities has been added. Lakshmi Ramasubramanian goes into detail in the commit description:
SELinux stores the configuration state and the policy capabilities in kernel memory. Changes to this data at runtime would have an impact on the security guarantees provided by SELinux. Measuring this data through IMA subsystem provides a tamper-resistant way for an attestation service to remotely validate it at runtime.
Measure the configuration state and policy capabilities by calling the IMA hook ima_measure_critical_data().
To enable SELinux data measurement, the following steps are required:
- Add “ima_policy=critical_data” to the kernel command line arguments to enable measuring SELinux data at boot time. For example:
BOOT_IMAGE=/boot/vmlinuz-5.11.0-rc3+ root=UUID=fd643309-a5d2-4ed3-b10d-3c579a5fab2f ro nomodeset security=selinux ima_policy=critical_data
- Add the following rule to /etc/ima/ima-policy
measure func=CRITICAL_DATA label=selinux
Sample measurement of SELinux state and policy capabilities:
10 2122...65d8 ima-buf sha256:13c2...1292 selinux-state 696e...303b
Execute the following command to extract the measured data from the IMA’s runtime measurements list:
grep "selinux-state" /sys/kernel/security/integrity/ima/ascii_runtime_measurements | tail -1 | cut -d' ' -f 6 | xxd -r -p
The output should be a list of key-value pairs. For example:
initialized=1;enforcing=0;checkreqprot=1;network_peer_controls=1;open_perms=1;extended_socket_class=1;always_check_network=0;cgroup_seclabel=1;nnp_nosuid_transition=1;genfs_seclabel_symlinks=0;
To verify the measurement is consistent with the current SELinux state reported on the system, compare the integer values in the following files with those set in the IMA measurement (using the following commands):
cat /sys/fs/selinux/enforce
cat /sys/fs/selinux/checkreqprot
cat /sys/fs/selinux/policy_capabilities/[capability_file]
Note that the actual verification would be against an expected state and done on a separate system (likely an attestation server) requiring
initialized=1;enforcing=1;checkreqprot=0;
for a secure state and then whatever policy capabilities are actually set in the expected policy (which can be extracted from the policy itself via seinfo, for example).
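The extraction and comparison steps above can be automated on the attestation side. The following is an added example, not code from the kernel commit or from this post: it parses constructed lines in the ascii_runtime_measurements format shown above, decodes the hex buffer of the last selinux-state entry (the same thing the grep/tail/cut/xxd pipeline does), and checks the result against the required secure state plus a set of expected policy capabilities. The measurement lines, hashes and the expected capability set are constructed for the example; a real verifier would take the expected capabilities from the policy (e.g. via seinfo) as the text describes.

```python
"""Parse and verify an IMA 'selinux-state' critical-data measurement."""

# Constructed sample of the key-value string the kernel emits (same keys as
# the example output in the commit description, with a secure configuration).
SAMPLE_STATE = (
    "initialized=1;enforcing=1;checkreqprot=0;network_peer_controls=1;"
    "open_perms=1;extended_socket_class=1;always_check_network=0;"
    "cgroup_seclabel=1;nnp_nosuid_transition=1;genfs_seclabel_symlinks=0;"
)

# Constructed measurement list: PCR, template hash, template name,
# data hash, event name, and (for ima-buf) the hex-encoded buffer.
# Hash values are placeholders, not real digests.
SAMPLE_MEASUREMENTS = [
    "10 " + "00" * 20 + " ima-ng sha256:" + "11" * 32 + " boot_aggregate",
    "10 " + "22" * 20 + " ima-buf sha256:" + "33" * 32
    + " selinux-state " + SAMPLE_STATE.encode("ascii").hex(),
]

# Minimum state the post requires for a secure configuration.
REQUIRED_STATE = {"initialized": 1, "enforcing": 1, "checkreqprot": 0}


def extract_selinux_state(lines):
    """Return the decoded buffer of the last 'selinux-state' entry, or None.

    Equivalent to: grep selinux-state ... | tail -1 | cut -d' ' -f6 | xxd -r -p
    """
    buf = None
    for line in lines:
        fields = line.split()
        if len(fields) >= 6 and fields[4] == "selinux-state":
            buf = bytes.fromhex(fields[5]).decode("ascii")
    return buf


def parse_state(text):
    """Parse 'key=value;key=value;' into a dict of ints."""
    state = {}
    for item in text.split(";"):
        if not item:
            continue
        key, _, value = item.partition("=")
        state[key] = int(value)
    return state


def verify(measured, expected_caps):
    """Compare a measured state dict with the required state and the
    expected policy capabilities; return a list of (key, expected, measured)
    mismatches. A key absent from the measurement is reported as None."""
    expected = dict(REQUIRED_STATE)
    expected.update(expected_caps)
    mismatches = []
    for key, want in expected.items():
        got = measured.get(key)
        if got != want:
            mismatches.append((key, want, got))
    return mismatches


if __name__ == "__main__":
    # Expected capabilities are assumed here; take them from the real policy.
    expected_caps = {"network_peer_controls": 1, "open_perms": 1}
    state = parse_state(extract_selinux_state(SAMPLE_MEASUREMENTS))
    problems = verify(state, expected_caps)
    print("OK" if not problems else "MISMATCH: %r" % problems)
```

Only the last selinux-state entry is used, matching the `tail -1` in the pipeline: the list is append-only, so an earlier entry followed by a later one with different values is itself a sign the state changed at runtime, which a production verifier would want to flag rather than silently accept.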
- Fix a problem with SELinux/NFS where the SELinux security context was not properly considered when NFS made a decision to share a filesystem superblock. Olga Kornievskaia explains how this problem could manifest itself in the commit description:
Previously, with selinux enabled, NFS wasn’t able to do the following 2 mounts:
mount -o vers=4.2,sec=sys,context=system_u:object_r:root_t:s0 <serverip>:/ /mnt
mount -o vers=4.2,sec=sys,context=system_u:object_r:swapfile_t:s0 <serverip>:/scratch /scratch
2nd mount would fail with “mount.nfs: an incorrect mount option was specified” and /var/log/messages would have: “SElinux: mount invalid. Same superblock, different security settings for..”
- Fix a problem where the LSM hooks did not properly differentiate between the subjective and objective LSM credentials. The existing “security_task_getsecid()” LSM hook provides the task’s objective LSM credentials despite many callers expecting the subjective LSM credentials. The solution is to split the existing LSM hook into two new hooks, one for each credential type, and adjust the callers as appropriate. The new LSM hooks are named “security_task_getsecid_subj()” and “security_task_getsecid_obj()”; the “security_task_getsecid()” hook has been removed.
- Fix a problem preventing overlayfs context mounts in an unprivileged namespace.
- Fix a problem where we were not properly terminating the kernel internal permission list for two SELinux object classes, “bpf” and “perf_event”.
- A number of spelling corrections in the kernel source comments.
Audit
- Remove some unused code related to the audit syscall entry filters which were removed in Linux v4.17, over three years ago.
- Fix some compiler warnings when audit is disabled at kernel build time.
- Minor kernel documentation updates regarding the audit related files in procfs.