Linux 6.18 Merge Window

Linux v6.17 was released on Sunday, September 29th, with the Linux v6.18 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and audit pull requests which have been merged into Linus’ tree.

LSM

  • Management of the BPF LSM security blobs was moved into the LSM framework. Previously the LSM security blobs were managed by SELinux, as it was the only LSM with BPF access controls. Moving the blob lifecycle management into the LSM framework enables other LSMs to implement their own BPF access controls or observation implementations.

  • Convert the LSM block device security blob allocator to use the existing allocator helper function. This should have no effect on users, but helps reduce code duplication and ease maintenance of the code moving forward.

  • Update the Rust credentials code to use sync::aref. This is part of a larger effort to move the Rust kernel code over to the sync module.

SELinux

  • Support per-file labeling on functionfs, a pseudo-filesystem that can be used to implement USB gadget drivers.

  • Convert sel_read_bool() to use a small stack buffer instead of a memory page allocated via get_zeroed_page(). There are a limited number of pages available via get_zeroed_page(); migrating SELinux away from these pages helps ensure that the system does not exhaust this limited resource.

  • Make better use of the network helper functions to retrieve the sock associated with a network packet. While this has no real effect on the code, it does make it cleaner and easier to maintain.

  • Remove some unused and redundant code.

Audit

  • Create a new AUDIT_MAC_TASK_CONTEXTS audit record to log all of the LSM labels associated with a task on a system with multiple LSMs enabled. Casey Schaufler, the patch’s author, provides an example and an explanation of when the record may be generated in the patch’s description:

    Create a new audit record AUDIT_MAC_TASK_CONTEXTS. An example of the MAC_TASK_CONTEXTS record is:

    type=MAC_TASK_CONTEXTS
      msg=audit(1600880931.832:113)
      subj_apparmor=unconfined
      subj_smack=_

    When an audit event includes an AUDIT_MAC_TASK_CONTEXTS record, the “subj=” field in other records in the event will be “subj=?”. An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on a subject security context.

  • Similar to the new AUDIT_MAC_TASK_CONTEXTS record, create a new AUDIT_MAC_OBJ_CONTEXTS audit record to log all of the LSM labels associated with an object on a system with multiple LSMs enabled. Casey Schaufler, the patch’s author, describes the work in the patch description:

    Create a new audit record AUDIT_MAC_OBJ_CONTEXTS. An example of the MAC_OBJ_CONTEXTS record is:

    type=MAC_OBJ_CONTEXTS
      msg=audit(1601152467.009:1050):
      obj_selinux=unconfined_u:object_r:user_home_t:s0

    When an audit event includes an AUDIT_MAC_OBJ_CONTEXTS record, the “obj=” field in other records in the event will be “obj=?”. An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on an object security context.

  • Ensure that fanotify events are always generated. Previously fanotify events were only logged when audit was explicitly configured, in contrast to the Linux audit convention where security relevant events are always logged.

  • Minor comment and coding style fixes.
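The two records above change what a log collector sees: on a multi-LSM host the usual subj=/obj= fields become the “?” placeholder and the real labels arrive in a separate record of the same event, keyed by the audit serial. The following parser is an added example, not code from the kernel patches or from this post, showing how a collector can group records by serial, resolve the placeholder from the event's MAC_TASK_CONTEXTS / MAC_OBJ_CONTEXTS record, and flag events where a placeholder has no matching context record. The sample log lines are constructed; apart from the two context records shown above, every field value in them is invented.

```python
import re
from collections import defaultdict
# Constructed sample (not from the page): event 113 is from a multi-LSM host, so its SYSCALL/PATH
# records carry the "?" placeholder and the labels arrive in MAC_TASK_CONTEXTS / MAC_OBJ_CONTEXTS
# records; event 114 is from a single-LSM (SELinux-only) host and carries the label inline.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1600880931.832:113): arch=c000003e syscall=257 success=yes exit=3 subj=? key="cfg"
type=PATH msg=audit(1600880931.832:113): item=0 name="/etc/hosts" obj=? nametype=NORMAL
type=MAC_TASK_CONTEXTS msg=audit(1600880931.832:113): subj_apparmor=unconfined subj_smack=_
type=MAC_OBJ_CONTEXTS msg=audit(1600880931.832:113): obj_selinux=unconfined_u:object_r:user_home_t:s0
type=SYSCALL msg=audit(1600880931.900:114): arch=c000003e syscall=2 success=no exit=-13 subj=system_u:system_r:httpd_t:s0 key="cfg"
"""
HEADER_RE = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\):?\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"

def parse_record(line):
    """Split one audit line into (type, serial, {field: value}); None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    return rtype, int(serial), {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}

def group_events(text):
    """Group records by serial: every record of one audit event shares the audit(ts:serial) id."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec[1]].append(rec)
    return dict(events)

def resolve_labels(records, kind):
    """kind is 'subj' or 'obj'; returns {lsm_name: label}. A "?" placeholder means the labels
    sit in the event's MAC_TASK_CONTEXTS/MAC_OBJ_CONTEXTS record as subj_<lsm>=/obj_<lsm>= fields."""
    ctx_type = 'MAC_TASK_CONTEXTS' if kind == 'subj' else 'MAC_OBJ_CONTEXTS'
    labels = {}
    for rtype, _, fields in records:
        if rtype == ctx_type:
            labels.update({k[len(kind) + 1:]: v for k, v in fields.items() if k.startswith(kind + '_')})
        elif fields.get(kind, '?') != '?':
            labels.setdefault('single', fields[kind])  # single-LSM host: the label is inline
    return labels

def unresolved_placeholders(events):
    """(serial, kind) pairs where a record says "subj=?"/"obj=?" but the event has no matching
    context record, i.e. events a collector would otherwise store with no label at all."""
    return [(serial, kind) for serial, records in events.items() for kind in ('subj', 'obj')
            if any(f.get(kind) == '?' for _, _, f in records) and not resolve_labels(records, kind)]
```

Because the labels live in a separate record, a pipeline that splits events into per-record documents before enrichment will lose them; resolve the placeholder while all records of one serial are still together.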

Linux 6.17 Released

Linux v6.17 was released on Sunday, September 28th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window. However, there were additional changes that went into Linux v6.17 that are described below.

LSM

  • Added two new LSM hooks, security_inode_file_getattr() and security_inode_file_setattr(), to gate the FS_IOC_FSGETXATTR and FS_IOC_FSSETXATTR ioctls and their corresponding file_getattr(2) and file_setattr(2) syscalls. At present, only SELinux provides access controls for these new LSM hooks, using the existing setattr and getattr file object permissions.

Audit

  • Fixed a potential out-of-bounds read in the audit pathname comparison code.

Linux 6.17 Merge Window

Linux v6.16 was released on Sunday, July 27th, with the Linux v6.17 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and audit pull requests which have been merged into Linus’ tree.

LSM

  • Nicolas Bouchinet and Xiu Jianfeng have volunteered to maintain the Lockdown LSM. Unfortunately, the Lockdown LSM had been unmaintained since its original inclusion in Linux v5.4, almost six years ago, and I had growing concerns about its current effectiveness given the lack of care and support. With Lockdown now being actively maintained, I’m hopeful that this situation will improve.

SELinux

  • Add support for a new neveraudit per-domain flag which prevents all auditing of the associated domain. While there is some overlap with the existing dontaudit flag, the neveraudit flag applies to all auditing, and when it is combined with the permissive domain flag, as one might do for an unconfined domain such as “unconfined_t”, we can perform some significant performance optimizations for certain operations. The optimizations included in Linux v6.17 are limited to a subset of inode operations, and unlike the path walk optimizations in Linux v6.16, these optimizations require policy support, so the improvements may not be visible on standard Linux distributions for some time.

  • Added a five second delay when using the “/sys/fs/selinux/user” API. This interface was removed from the SELinux userspace tools and libraries in 2020 and marked as deprecated in Linux v6.13. While it is unlikely that any modern Linux distribution shipping a modern Linux kernel and userspace would still be using this API, the five second delay, in conjunction with the existing deprecation warning, should help us identify any users which we have not yet been able to reach.

  • Minor changes to the SELinux hash table allocator to quiet allocation failures brought about when loading absurdly large SELinux policies into the kernel. Prior to this change the SELinux kernel code handled these allocation failures gracefully, returning an error, but a warning was displayed on the system’s console in some configurations which was causing problems with some automated test systems, e.g. syzbot. This change simply quiets these allocation failure warnings.

  • Remove some unnecessary cleanup code in the selinuxfs pseudo filesystem implementation.

  • Update the in-kernel SELinux documentation with pointers to additional information in the SELinux project’s GitHub organization.

Audit

  • Fix a regression where some failed kernel module load operations were not properly logged by the kernel’s audit subsystem.