Monthly Archives: March 2006

SELinux changes in the 2.6.15 and 2.6.16 kernels

It’s been a while since I documented the SELinux kernel changes, the last being for 2.6.14. The 2.6.16 kernel has just been released, so here’s an update for this and the previous version.

2.6.16

ptrace security bug
This patch from Stephen Smalley fixes a security flaw in the handling of ptrace within SELinux (CVE-2006-1052). The flaw is still believed to be difficult to exploit usefully, especially as DAC is still operating.

Audit dependency
Finally make SELinux depend on CONFIG_AUDIT. SELinux had been increasingly depending on the CAPP audit framework, but now it is required to log permission denials. CONFIG_AUDIT_SYSCALL is still optional, but recommended, to ensure that as much information as possible is logged. Also, be sure to check /var/log/audit/audit.log for AVC messages.

Networking dependency
Also make SELinux depend on CONFIG_SECURITY_NETWORK, i.e. the LSM network hooks, as they are required for correct operation with local networking.

Private inode memory leak fix
A memory leak was discovered and fixed. This was due to adding support for private inodes, which some filesystems use for internal housekeeping. Such inodes are not exposed to userland and do not require SELinux mediation, and a patch was previously added to LSM to bypass security processing for them. However, some private inodes are not marked private until after allocation, so LSM passed them to SELinux to have security blobs allocated, but then did not pass them back to have those blobs freed.

Clean up memory protection checks
This patch cleans up the memory protection handling code, to stop the checks from being re-applied to already executable mappings.

Labeled networking via IPsec
Trent Jaeger’s work on IPsec labeling finally went in (also see the paper). Very briefly, this allows mandatory access control to be extended across the network, so that you can control which security domains on different systems can talk to each other. Previously, such ideas were generally implemented for MLS systems by adding security labels to IP options. This new code is a major advance in the field, as it’s not MLS specific (not even SELinux specific), and makes use of IPsec in a number of ways. Firstly, rather than labeling packets individually, the IPsec security associations are labeled, and the security label for each packet is implied from that. Also, this labeled traffic is afforded all of the protections provided by IPsec (privacy, authentication), and makes use of ISAKMP negotiation (rather than implementing a new out of band security negotiation protocol, as I did with the defunct Selopt scheme). Catherine Zhang has also been doing a lot of work in this area, and 2.6.17 should feature her getpeersec API patches, which allow applications to determine the security contexts of peers.

Miscellaneous
A bunch of minor fixes went in, including removal of security struct magic numbers (a hangover from the days when SELinux was a loadable module via LSM), and general code cleanups, such as ARRAY_SIZE fixes, XFS symlink handling and removing unneeded casts on return from kmalloc & friends.

2.6.15

listxattr() fix
Daniel Drake fixed an interesting bug using Gentoo, where listxattr() failed if the specified buffer size was exactly correct. Typically, userland probes for a buffer size with NULL/0 values first, and this was the first time that someone actually used the value returned rather than starting off with some large default value which was always larger than needed. Textbook off-by-one bug.
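
The probe-then-exact-size calling pattern described above, written as a userland regression check. This is an added example, not code from the kernel patch or the original post; the function names count_xattr_names and exact_size_listxattr_ok are this example's own, and it assumes Linux with glibc's <sys/xattr.h>.

```c
/* Added example, not kernel code; function names are this example's own. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>

/* Count names in a listxattr() result (NUL-terminated strings, back to back). */
static int count_xattr_names(const char *buf, size_t len)
{
    int n = 0;
    for (size_t off = 0; off < len; n++) {
        const char *end = memchr(buf + off, '\0', len - off);
        if (!end)
            return -1;               /* last name not terminated */
        off = (size_t)(end - buf) + 1;
    }
    return n;
}

/* Probe with NULL/0, then retry with a buffer of exactly the probed size.
 * Returns 1 if that works, 0 if it fails with ERANGE although the list did
 * not grow (the symptom described above), -1 on any other error. */
static int exact_size_listxattr_ok(const char *path)
{
    for (int attempt = 0; attempt < 3; attempt++) {
        ssize_t need = listxattr(path, NULL, 0);
        if (need < 0)
            return -1;               /* e.g. ENOTSUP: no xattr support */
        char *buf = malloc(need ? (size_t)need : 1);
        if (!buf)
            return -1;
        ssize_t got = listxattr(path, buf, (size_t)need);
        int err = errno;
        int names = got >= 0 ? count_xattr_names(buf, (size_t)got) : -1;
        free(buf);
        if (got >= 0)
            return names >= 0 ? 1 : -1;
        if (err != ERANGE)
            return -1;
        ssize_t again = listxattr(path, NULL, 0);
        if (again >= 0 && again <= need)
            return 0;                /* list did not grow: the bug */
    }
    return -1;                       /* list kept growing; give up */
}

int main(int argc, char **argv)
{
    return exact_size_listxattr_ok(argc > 1 ? argv[1] : ".") == 0;
}
```

The re-probe after ERANGE separates a list that legitimately grew between the two calls from a kernel that rejects a correctly sized buffer.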

Canonicalize getxattr()
This patch canonicalizes the value returned from getxattr() to be the value maintained internally by the kernel. This is to help with the transition to MLS/MCS without needing to relabel the entire filesystem. In such cases, the kernel can internally add an MLS field to the security label of a file if not present in the on-disk label, and the patch causes the kernel value to override the disk value, if different. This patch has a useful side-effect of enabling getxattr() for mountpoint labeled systems, which use in-kernel labeling.

Extend selinuxfs context node
The context node in selinuxfs (usually /selinux/context) was extended to allow userland (e.g. matchpathcon) to obtain canonicalized security contexts from the kernel (related to the above).

Disable automatic xattr setting on context-mounts
Stephen Smalley added a patch to prevent xattrs from being set automatically for files in filesystems using mountpoint labeling (a.k.a. context mounts), where the security label for files within the filesystem is set via the context= mount option. This was to maintain consistency with the fact that setxattr() is denied on such filesystems.

MLS file labeling compatibility
With MCS enabled by default in FC5, the MLS component of file labels becomes active. This patch provides backwards compatibility, so that files created under FC5 which now have MLS fields will be readable when MLS is not active on older systems (obviously, the older system will need an updated kernel with this patch).

Miscellaneous
As usual, a bunch of cleanups and various maintenance fixes, including removal of a bunch of unnecessary checks for (size_t < 0) in selinuxfs, and conversion to kzalloc(), saving over 1KB of kernel text.

selinuxnews.org rss feed

The RSS 2.0 feed for the news side of http://selinuxnews.org/ should be working ok now.

This is the feed url: http://selinuxnews.org/wp/index.php/feed/

Works for me via Bloglines, Firefox and Liferea. If you can’t get it to work, let me know, especially if you know how to fix it.

User registration still needs to be configured (theoretically it works out of the box, but not the way I want it). Until then, as before, if anyone wants an account for posting news items, just email me and I’ll set it up manually.

SELinux Developer Summit

Today is the SELinux Developer Summit, with about thirty core SELinux developers. It’s been interesting to see how far things have come in just the last year in terms of both the technology advances and deployments of SELinux. It’s kind of disappointing to see the media characterize SELinux as just being a Red Hat thing, when it is a long-standing open source community project.

In this developer summit, there are folk from (at least):

Atsec
Hitachi Software
Penn State University
Trusted Computer Solutions
MITRE
Debian
IBM
Ubuntu
HP
NSA
Tresys

Red Hat has three developers attending (i.e. less than 10%).

The symposium itself went really well, with high quality talks including contributions from BSD folk and even Microsoft Research. I believe the proceedings will be available soon.

selinuxnews.org

selinuxnews.org logo by Máirín Duffy

Say hello to Planet SELinux, a blog aggregator for the SELinux community; and SELinux News, for SELinux developers to post news about what they’re up to.

Layout and graphic design by the amazing mizmo, a.k.a. Máirín Duffy of the Fedora Project.

The news site is in beta mode, and SELinux developers will be able to create accounts and post articles there soon. In the meantime, if you want something posted, email me. The RSS feed for the news stories also needs to be fixed.