A.12 Security

  • Add /sys/kernel/security/tomoyo/audit_interface, which generates audit logs in the form of domain policy so they can be reused and appended to the domain_policy interface by the TOMOYO auditing daemon (tomoyo-auditd). TOMOYO is a kernel security module which implements mandatory access control (MAC). (3.1)

  • Add ACL group support for TOMOYO, which allows permissions to be globally granted. (3.1)

  • Add policy namespace support for LXC (Linux containers). The policy namespace has its own set of domain policy, exception policy and profiles, independent of other namespaces. (3.1)

  • Add built-in policy support needed to support enforcing mode from early in the boot sequence. (3.1)

  • Make several TOMOYO options configurable to support activating access controls without calling an external policy loader program. (3.1)

  • Permit the use of the following properties as conditions with TOMOYO: argv[], envp[], execve(), executable's real path and symlink target, owner or group of file objects, and the UID or GID of the current thread. (3.1)

  • Implement Extended Verification Module (EVM), which protects a file's security extended attributes (xattrs) against integrity attacks. (3.2)

  • Implement Smack protections for domain transition: BPRM unsafe flags, secure exec, clear unsafe personality bits, and clear parent death signal. (3.2)

  • Enhance performance of Smack rule list lookups. (3.2)

  • Allow user access to /smack/access, removing the requirement for CAP_MAC_ADMIN. (3.2)

  • Add environment variable name restriction to TOMOYO. (3.2)

  • Add socket operation restriction to TOMOYO. (3.2)

  • Add control for generation of access granted logs in TOMOYO. (3.2)

  • Allow domain transition without execve() in TOMOYO. (3.2)

  • Allow audit matching on inode GID. (3.3)

  • Allow inter-field comparison in audit rules between the GID of a running task and the GID of an inode. (3.3)

  • Add a new audit filter type AUDIT_FIELD_COMPARE to indicate which fields should be compared. (3.3)

  • Allow system call exit filter matching based on the UID of the owner of an inode used in the call. (3.3)

  • Add support for digital signature verification in EVM. File metadata can be protected using digital signatures instead of HMAC. (3.3)

  • Add the Yama Linux security module, which collects DAC security improvements. (3.4)

  • Add AppArmor security module file tracking to securityfs. (3.4)

  • Add an initial AppArmor security module features directory to securityfs for displaying boolean feature flags and the known capability mask. (3.4)

  • Add default_type statements to SELinux. (3.5)

  • Add default source and target selectors for the user, role, and range of new objects in SELinux. (3.5)

  • Allow seek operations on the file that exposes the loaded policy, which is used by the sesearch SELinux policy query tool. (3.5)

  • Add auditing of failed attempts to set invalid labels in SELinux. (3.5)

  • Add checking for the open permission on truncate calls to SELinux. (3.5)

  • Support long Smack labels. (3.5)

  • Set recursive transmute attribute for Smack in all cases. (3.5)

  • Allow TOMOYO manager programs whose path does not start with /, to handle differences between distributions. (3.5)

  • Add two modes to the Yama ptrace restrictions. (3.5)

  • Add support for invalidating a key. (3.5)

  • Implement revoking of all rules for a subject label in Smack. (3.7)

  • Allow Yama to be unconditionally stacked, regardless of which LSM is primary. (3.7)

  • Add the Integrity Measurement Architecture, which supports audit log hashes, digital signature verification, and the integrity appraisal extension. (3.7)