SELinux kernel changes in 2.6.12-mm4: new permissions for Netlink audit sockets

One new feature in this kernel (2.6.12 final still seems some way off):

Finer-grained permissions for audit events. The kernel audit subsystem uses Netlink for communication with userspace. This communication includes:

  • Transmitting audit messages to userspace (e.g. auditd).
  • Loading audit filtering rules into the kernel.
  • Controlling the kernel audit module.
  • Retrieving the status of the kernel module.
  • Relaying important user events (such as login) via the kernel module back to userspace.

Until now, Netlink communications were controlled under SELinux with the generic socket controls, and two special Netlink permissions: nlmsg_read and nlmsg_write. These permissions were used to determine whether Netlink messages, from userspace, were essentially either read or write operations. For example, listing the kernel routing table requires nlmsg_read permission for the netlink_route_socket class, but writing to it requires nlmsg_write. These two permissions provide a great deal of flexibility and control over user-kernel communication. They’re also abstracted in a simple way, “read” and “write”, with only the latter generally being considered privileged.

However, the audit subsystem has some very specific requirements based on CAPP (Controlled Access Protection Profile), where audit records need to be reliably and sequentially correlated with specific login sessions. As the kernel audit code is the source of truth for audit records, login events are sent to the kernel, allocated a sequence number then passed back to userland (typically to auditd), all via Netlink. This messaging did not fit the existing SELinux Netlink permissions, as it is not about reading or writing privileged kernel data.

Another issue arose where the listing the kernel audit rules is considered a privileged operation by the audit folk.

So, two new permissions have now been added for the netlink_audit_socket class:

nlmsg_relay Controls transmission of AUDIT_USER messages, which contain login data and are relayed back to userspace.
nlmsg_readpriv Controls transmission of AUDIT_LIST messages, which request listings of kernel audit rules.

These permissions may be useful to other classes of Netlink sockets, but are currently only valid for audit.

Other fixes in this kernel: Stephen Smalley cleaned up some of the SELinux IPC code, and Herbert Xu fixed an oops in the SELinux IPv6 packet parsing code.