SELinux changes in the 2.6.15 and 2.6.16 kernels

It’s been a while since I documented the SELinux kernel changes, the last being for 2.6.14. The 2.6.16 kernel has just been released, so here’s an update for this and the previous version.

2.6.16

ptrace security bug
This patch from Stephen Smalley fixes a security flaw in the handling of ptrace within SELinux (CVE-2006-1052). It is still believed to be difficult to exploit usefully, especially as the normal DAC checks still apply on top of SELinux.

Audit dependency
Finally make SELinux depend on CONFIG_AUDIT. SELinux had been increasingly depending on the CAPP audit framework, and it is now required in order to log permission denials. CONFIG_AUDIT_SYSCALL remains optional, but is recommended so that as much information as possible (the syscall context of each denial) is logged. With auditd running, AVC messages now end up in /var/log/audit/audit.log rather than only in the kernel log, so check there first.

Networking dependency
Also make SELinux depend on CONFIG_SECURITY_NETWORK, i.e. the LSM network hooks, as they are required for correct operation with local networking.

Private inode memory leak fix
A memory leak was discovered and fixed. It was introduced by the support for private inodes, which some filesystems use for internal housekeeping. Such inodes are not exposed to userland and do not require SELinux mediation, and a patch had previously been added to LSM to bypass security processing for them. However, some private inodes are not marked private until after allocation, so LSM passed them to SELinux to have security blobs allocated, but then, seeing the private flag, never passed them back to be freed.

Clean up memory protection checks
This patch cleans up the memory protection handling code (the execmem/execmod/execheap/execstack checks), so that the checks are not re-applied to mappings which are already executable.

Labeled networking via IPsec
Trent Jaeger’s work on IPsec labeling finally went in (also see the paper). Very briefly, this allows mandatory access control to be extended across the network, so that you can control which security domains on different systems can talk to each other. Previously, such ideas were generally implemented for MLS systems by adding security labels to IP options. This new code is a major advance in the field, as it’s not MLS specific (not even SELinux specific), and makes use of IPsec in a number of ways. Firstly, rather than labeling packets individually, the IPsec security associations are labeled, and the security label for each packet is implied from that. Also, this labeled traffic is afforded all of the protections provided by IPsec (privacy, authentication), and makes use of ISAKMP negotiation (rather than implementing a new out of band security negotiation protocol, as I did with the defunct Selopt scheme). Catherine Zhang has also been doing a lot of work in this area, and 2.6.17 should feature her getpeersec API patches, which allow applications to determine the security contexts of peers.
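As an added example (not code from this post, from the labeled IPsec patches or from the kernel), here is the application side of the getpeersec idea mentioned above: querying the security context of the peer with getsockopt(SO_PEERSEC). This uses the AF_UNIX interface that already exists; the 2.6.17 patches extend the same query to peers reached over labeled IPsec. Linux is assumed. The buffer size is discovered from the kernel's ERANGE reply rather than hard-coded, and a kernel or LSM that provides no peer label (ENOPROTOOPT) is reported as "no label" rather than as an error.

```c
/* Added example: read a socket peer's security context via SO_PEERSEC.
 * Not from the original post; Linux and a 2.6-era-or-later kernel assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fetch the peer's security context into *ctx (caller frees).
 * Returns 1 on success, 0 if no label is available (ENOPROTOOPT),
 * -1 on any other error with errno set. */
int peer_context(int fd, char **ctx)
{
    socklen_t len = 16;          /* deliberately small so the ERANGE path is exercised */
    char *buf = NULL;

    *ctx = NULL;
    for (;;) {
        socklen_t asked = len;
        char *nbuf = realloc(buf, (size_t)len + 1);
        if (!nbuf) { free(buf); return -1; }
        buf = nbuf;
        if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &len) == 0)
            break;
        /* On ERANGE the kernel stores the required size in len.  Guard against
         * a kernel that does not grow it, so the loop cannot spin forever. */
        if (errno != ERANGE || len <= asked) {
            int saved = errno;
            free(buf);
            errno = saved;
            return saved == ENOPROTOOPT ? 0 : -1;
        }
    }
    buf[len] = '\0';             /* the kernel NUL-terminates already; be defensive */
    *ctx = buf;
    return 1;
}

int main(void)
{
    int sv[2];
    char *ctx;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { perror("socketpair"); return 1; }
    switch (peer_context(sv[0], &ctx)) {
    case 1:  printf("peer context: %s\n", ctx); free(ctx); break;
    case 0:  puts("no peer label available from this kernel"); break;
    default: perror("SO_PEERSEC"); return 1;
    }
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

The same call works unchanged on a TCP socket once the kernel can derive a peer label from the IPsec security association, which is the point of the getpeersec work: the application does not need to know whether the label came from a local socket or from the network.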

Miscellaneous
A bunch of minor fixes went in, including removal of security struct magic numbers (a hangover from the days when SELinux was a loadable module via LSM), and general code cleanups, such as ARRAY_SIZE fixes, XFS symlink handling and removing unneeded casts on return from kmalloc & friends.

2.6.15

listxattr() fix
Daniel Drake fixed an interesting bug found on Gentoo, where listxattr() failed if the specified buffer size was exactly correct. Typically, userland first probes for the required size by calling with a NULL buffer and a size of 0, and this was the first time that someone actually used the returned value directly rather than starting off with some large default buffer which was always larger than needed. A textbook off-by-one bug.

Canonicalize getxattr()
This patch canonicalizes the value returned from getxattr() to be the value maintained internally by the kernel. This is to help with the transition to MLS/MCS without needing to relabel the entire filesystem. In such cases, the kernel can internally add an MLS field to the security label of a file if not present in the on-disk label, and the patch causes the kernel value to override the disk value, if different. This patch has a useful side-effect of enabling getxattr() for mountpoint labeled systems, which use in-kernel labeling.

Extend selinuxfs context node
The context node in selinuxfs (usually /selinux/context) was extended to allow userland (e.g. matchpathcon) to obtain canonicalized security contexts from the kernel (related to the above).
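As an added example (not code from this post, from SELinux or from libselinux), here is the userland side of the three 2.6.15 changes above. Each helper probes the required size with a NULL buffer, then passes a buffer of exactly that size (the case the listxattr() off-by-one broke) and retries on ERANGE in case the attribute changed between the two calls. get_selinux_label() returns whatever getxattr() now reports, i.e. the kernel's canonical value, and canonicalize_context() asks the kernel to canonicalize an arbitrary context string through the selinuxfs context node, the way matchpathcon does. Linux is assumed; selinuxfs is looked for at /sys/fs/selinux and then at the old /selinux mount point named above.

```c
/* Added example: size-probed listxattr()/getxattr() and selinuxfs context
 * canonicalization.  Not from the original post; Linux assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

static int fail(char *buf) { int e = errno; free(buf); errno = e; return -1; }

/* Count of xattr names on path; the NUL-separated list is stored in *out
 * (caller frees; NULL when the count is 0).  -1 with errno on error, e.g.
 * ENOTSUP on a filesystem without xattr support. */
ssize_t list_xattr_names(const char *path, char **out)
{
    char *buf = NULL;
    *out = NULL;
    for (;;) {
        ssize_t need = listxattr(path, NULL, 0);             /* size probe */
        if (need < 0) return fail(buf);
        if (need == 0) { free(buf); return 0; }
        char *nbuf = realloc(buf, (size_t)need);
        if (!nbuf) return fail(buf);
        buf = nbuf;
        ssize_t got = listxattr(path, buf, (size_t)need);    /* exactly sized */
        if (got < 0) {
            if (errno == ERANGE) continue;                   /* list grew; re-probe */
            return fail(buf);
        }
        ssize_t n = 0;
        for (ssize_t i = 0; i < got; i++) n += (buf[i] == '\0');
        *out = buf;
        return n;
    }
}

/* The security.selinux label as the kernel reports it (its canonical form,
 * which since 2.6.15 wins over a differing on-disk value).  1 with *label set
 * (caller frees), 0 if there is no label or no xattr support, -1 otherwise. */
int get_selinux_label(const char *path, char **label)
{
    char *buf = NULL;
    *label = NULL;
    for (;;) {
        ssize_t need = getxattr(path, "security.selinux", NULL, 0);
        if (need < 0) { fail(buf); return (errno == ENODATA || errno == ENOTSUP) ? 0 : -1; }
        char *nbuf = realloc(buf, (size_t)need + 1);
        if (!nbuf) return fail(buf);
        buf = nbuf;
        ssize_t got = getxattr(path, "security.selinux", buf, (size_t)need);
        if (got < 0) {
            if (errno == ERANGE) continue;                   /* label grew; re-probe */
            fail(buf); return (errno == ENODATA) ? 0 : -1;
        }
        buf[got] = '\0';            /* on-disk values are not always NUL-terminated */
        *label = buf;
        return 1;
    }
}

/* Canonicalize a context through the selinuxfs context node: write it, read
 * back the kernel's form.  1 with *canon set (caller frees), 0 if selinuxfs is
 * not available, -1 with errno otherwise (EINVAL if policy rejects the context). */
int canonicalize_context(const char *ctx, char **canon)
{
    static const char *const nodes[] = { "/sys/fs/selinux/context", "/selinux/context" };
    char buf[4096] = { 0 };
    int fd = -1, rc = -1;
    *canon = NULL;
    for (size_t i = 0; fd < 0 && i < sizeof nodes / sizeof nodes[0]; i++)
        fd = open(nodes[i], O_RDWR | O_CLOEXEC);
    if (fd < 0) return errno == ENOENT ? 0 : -1;
    if (write(fd, ctx, strlen(ctx) + 1) >= 0 && read(fd, buf, sizeof buf - 1) >= 0)
        rc = (*canon = strdup(buf)) ? 1 : -1;
    int e = errno;
    close(fd);
    errno = e;
    return rc;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/passwd";
    char *names, *label, *canon;
    ssize_t n = list_xattr_names(path, &names);
    if (n < 0) { perror("listxattr"); return 1; }
    for (char *p = names; n-- > 0; p += strlen(p) + 1) printf("xattr: %s\n", p);
    free(names);
    if (get_selinux_label(path, &label) == 1) {
        printf("label: %s\n", label);
        if (canonicalize_context(label, &canon) == 1) { printf("canonical: %s\n", canon); free(canon); }
        free(label);
    }
    return 0;
}
```

Run it against a file on a context-mounted filesystem and the label still comes back, since getxattr() now reads the in-kernel value; on an older kernel the same call returned nothing useful for such mounts.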

Disable automatic xattr setting on context-mounts
Stephen Smalley added a patch to prevent xattrs from being set automatically on files in filesystems using mountpoint labeling (a.k.a. context mounts), where the security label for every file within the filesystem is set via the context= mount option. This keeps things consistent with the fact that setxattr() is denied on such filesystems.

MLS file labeling compatibility
With MCS enabled by default in FC5, the MLS component of file labels becomes active. This patch provides backwards compatibility, so that files created under FC5, which now carry MLS fields in their labels, remain readable on older systems where MLS is not active (obviously, the older system will need a kernel with this patch).

Miscellaneous
As usual, a bunch of cleanups and various maintenance fixes, including removal of a bunch of unnecessary checks for (size_t < 0) in selinuxfs, and conversion to kzalloc(), saving over 1KB of kernel text.