Linux 6.12 Merge Window
19 Sep 2024 tags: audit lsm selinuxLinux v6.11 was released on Sunday, with the Linux v6.12 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and Audit pull requests which have been merged into Linus’ tree.
LSM
-
Introduce the Integrity Policy Enforcement (IPE) LSM. IPE provides a mechanism that administrators can use to restrict execution to only those binaries which come from integrity protected storage, e.g. a dm-verity protected filesystem. The IPE patchset included a good deal of documentation on how IPE works as well as how to configure it, once Linux v6.12 is released the documentation should be available for viewing online.
-
Convert the LSM framework to use static calls instead of the traditional function pointer approach, which should result in a modest performance improvement for most workloads. While the vast majority of the LSM callbacks are now done with static calls, there are a few which continue to use function pointers due to the complexity involved; we may revisit that effort in a future Linux kernel release.
-
Move the lifecycle management of the various kernel object’s LSM state from the individual LSMs to the LSM framework itself. Not only does this help eliminate a lot of redundant code across the LSMs, it makes it much easier to properly support multiple simultaneous LSMs. All of the LSM kernel object state is now managed by the LSM framework with the exception of the XFRM (IPsec) LSM state, which was skipped due to its complexity, we may revisit LSM state management for XFRM objects in the future.
-
Fix problems with the F_SETOWN fcntl(2) operator where the LSM was not properly protected against race conditions and not synchronized with the discretionary access control logic. This could result in incorrect or invalid F_SETOWN LSM state attached to a file descriptor.
-
Fix a potential problem relating to how the LSM interacts with the VFS subsystem when an inode is freed. Due to complexities in the inode locking mechanisms, notably the use of RCU, and the placement of the LSM hook associated with freeing the inode, an additional LSM callback was added to the
security_inode_free()LSM hook. This allows LSMs to have a callbacks both when the inode is initially marked for release, viacall_rcu()or similar, and when the associated LSM state is safe to be freed. -
Two LSM hooks,
security_inode_copy_up_xattr()andsecurity_vm_enough_memory_mm()were refactored to follow the common Linux kernel convention of returning 0 on success and negative error codes on failure. This change not only helps prevent accidental misuse or bad interpretations of these hook’s return values, it also helps the eBPF verifier verify that BPF LSM programs are “safe” to execute. -
A number of small cleanups and minor improvements to remove redundant code, make better use of helper functions, and fix coding style problems.
SELinux
-
Fix a bug where SELinux did not properly initialize the NetLabel socket state for IPv6 connections.
-
Annotate the SELinux inode initialization code to avoid a spurious KCSAN warning.
-
A number of small cleanups and minor improvements to simplify some SELinux logic and fix some minor coding style problems.
Audit
- Finish the transition to using the kernel Thread Group ID (TGID) in place of the normal Process ID (PID) in the audit logs and filters. In almost all cases the TGID is what most users think of when they think of a PID, as explained in the getpid(2) manpage:
From a kernel perspective, the PID (which is shared by all of the threads in a multithreaded process) is sometimes also known as the thread group ID (TGID).