Linux 7.1 Merge Window

Linux v7.0 was released on Sunday, April 12th, with the Linux v7.1 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and audit pull requests which have been merged into Linus’ tree.

LSM

  • An LSM security blob was added to the backing_file structure, along with the associated LSM management hooks, as well as a new hook for controlling the memory mapping of an overlayfs backing file, to resolve problems with the mmap(2) and mprotect(2) operations on overlayfs files. Those LSMs which enforce memory mapping access controls on overlayfs files will likely need to use these new additions to ensure proper security policy enforcement.

  • Minor changes to leverage kstrdup_const() and kfree_const() in securityfs.

  • A number of small kernel-doc warnings were fixed.

SELinux

  • Updated the existing SELinux mmap(2) and mprotect(2) access control implementations to leverage the new LSM additions and ensure that security policies involving overlayfs files are properly enforced. On a traditional filesystem only the process acting on the file must have the necessary permissions for an action to succeed; on overlayfs, the process acting on the user visible file must have the necessary permissions and the process that mounted the filesystem must also have the necessary permissions on the underlying backing file.

  • A known, and harmless, race condition was annotated to quiet a KCSAN warning.

Audit

  • Additional input checking was added to catch unknown AUDIT_SET requests sent from userspace. Kernels prior to v7.1 silently ignore any portion of an AUDIT_SET request that they do not understand and only return an error if one of the known requests fails, which makes it difficult for userspace tools to determine what a given kernel supports in an AUDIT_SET request. Starting with Linux v7.1, if an AUDIT_SET request is made where at least one portion of the request is unknown, an -EINVAL error code will be returned to the user.

  • A number of small style and formatting cleanups to the audit kernel code.
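
A userspace probe for the AUDIT_SET behaviour change described above, as an added example rather than code from this post or from the audit userspace tools: it sends an AUDIT_SET request whose mask carries a single bit and decodes the netlink ack the kernel returns. It assumes the audit netlink protocol and struct audit_status from <linux/audit.h>; PROBE_UNKNOWN_STATUS_BIT is a made-up mask bit chosen so that no kernel recognises it, and the probe must run with CAP_AUDIT_CONTROL.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>

/* Hypothetical AUDIT_STATUS_* bit that no kernel defines (assumption). */
#define PROBE_UNKNOWN_STATUS_BIT (1U << 31)

/* Decode a netlink ack.  Returns 0 for a success ack, the positive errno
 * the kernel reported, or -1 if buf is not a well-formed NLMSG_ERROR. */
static int audit_ack_errno(const void *buf, size_t len)
{
    struct nlmsghdr nlh;
    struct nlmsgerr err;

    if (len < NLMSG_HDRLEN)
        return -1;
    memcpy(&nlh, buf, sizeof nlh);              /* buf may be unaligned */
    if (nlh.nlmsg_type != NLMSG_ERROR || nlh.nlmsg_len > len ||
        nlh.nlmsg_len < NLMSG_LENGTH(sizeof err))
        return -1;
    memcpy(&err, (const char *)buf + NLMSG_HDRLEN, sizeof err);
    return err.error <= 0 ? -err.error : -1;    /* kernel reports -errno */
}

/* Send AUDIT_SET with only `mask` set and return the decoded ack
 * (0 = accepted, errno otherwise, -1 = malformed reply).  The kernel
 * applies every field it recognises, so probe with a bit you are
 * prepared to have set, or with an unknown one.  Needs CAP_AUDIT_CONTROL:
 * an EPERM ack means "not allowed", not "unsupported". */
static int audit_set_probe(int sock, uint32_t mask, uint32_t seq)
{
    struct { struct nlmsghdr nlh; struct audit_status st; } req;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    unsigned char reply[NLMSG_SPACE(sizeof(struct nlmsgerr)) + 256];
    ssize_t n;

    memset(&req, 0, sizeof req);
    req.nlh.nlmsg_len = NLMSG_LENGTH(sizeof req.st);
    req.nlh.nlmsg_type = AUDIT_SET;
    req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req.nlh.nlmsg_seq = seq;
    req.st.mask = mask;     /* no values: only ask whether the field is known */

    if (sendto(sock, &req, req.nlh.nlmsg_len, 0,
               (struct sockaddr *)&kernel, sizeof kernel) < 0)
        return errno;
    n = recv(sock, reply, sizeof reply, 0);
    if (n < 0)
        return errno;
    return audit_ack_errno(reply, (size_t)n);
}

int main(void)
{
    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    int r;

    if (sock < 0) {
        perror("socket(NETLINK_AUDIT)");
        return 1;
    }
    r = audit_set_probe(sock, PROBE_UNKNOWN_STATUS_BIT, 1);
    if (r == EINVAL)
        puts("kernel rejects unknown AUDIT_SET fields (v7.1+ behaviour)");
    else if (r == 0)
        puts("kernel silently ignored the unknown field (pre-v7.1 behaviour)");
    else
        fprintf(stderr, "probe failed: %s\n", r > 0 ? strerror(r) : "bad reply");
    close(sock);
    return 0;
}
```

An EINVAL ack identifies a kernel with the new checking, a success ack means the unknown field was silently dropped, and a tool that wants to know whether a specific known field is supported should send that field's bit alone with the value it intends to set, since the kernel will act on it either way.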

Linux 7.0 Released

Linux v7.0 was released a few hours ago on Sunday, April 12th. Unfortunately, due to my personal schedule and some other challenges, I never had a chance to write up my usual summary of the LSM, SELinux, and audit highlights from the v7.0 merge window; thankfully LWN.net did their usual good job of summarizing both the first and second weeks of the merge window.

Below is a list of the LSM, SELinux, and audit highlights from the Linux v7.0 merge window through to the tagged release from Linus.

LSM

  • Unified the security_inode_listsecurity() calls in NFSv4. While looking at the security_inode_listsecurity() LSM hook with the goal of improving the API, we realized that the NFSv4 code was making multiple calls to the LSM hook that could be consolidated into one. While this change improves the quality of the NFSv4 code, it will also enable additional future work to improve the LSM API.

  • Move from kmalloc() to kmalloc_obj() and kmalloc_flex() as part of a tree-wide conversion that is described in this article from LWN.net.

  • Resolved a number of Sparse warnings caused by the LSM static branch keys not being marked as static.

  • Added __rust_helper annotations to the LSM and credential Rust wrapper functions.

  • Removed the unused set_security_override_from_ctx() function.

  • Minor improvements to the LSM hook kdoc comment blocks.

SELinux

  • Added support for applying SELinux policy to BPF tokens. This involves the addition of two new permissions to the bpf object class, map_create_as and prog_load_as, as well as a new policy capability, bpf_token_perms, to enable the new functionality. The patch author, Eric Suen, describes the change in his patch description:

    This patch adds SELinux support for controlling BPF token access. With this change, SELinux policies can now enforce constraints on BPF token usage based on both the delegating (privileged) process and the recipient (unprivileged) process.

    Supported operations currently include:

    • map_create
    • prog_load

    High-level workflow:

    1. An unprivileged process creates a VFS context via fsopen() and obtains a file descriptor.
    2. This descriptor is passed to a privileged process, which configures BPF token delegation options and mounts a BPF filesystem.
    3. SELinux records the creator_sid of the privileged process during mount setup.
    4. The unprivileged process then uses this BPF fs mount to create a token and attach it to subsequent BPF syscalls.
    5. During verification of map_create and prog_load, SELinux uses creator_sid and the current SID to check policy permissions via:
      avc_has_perm(creator_sid, current_sid, SECCLASS_BPF,
              BPF__MAP_CREATE, NULL);
      

    The implementation introduces two new permissions:

    • map_create_as
    • prog_load_as

    At token creation time, SELinux verifies that the current process has the appropriate *_as permission (depending on the allowed_cmds value in the bpf_token) to act on behalf of the creator_sid.

    Example SELinux policy:

    allow test_bpf_t self:bpf {
      map_create map_read map_write prog_load prog_run
      map_create_as prog_load_as
    };
    

    Additionally, a new policy capability bpf_token_perms is added to ensure backward compatibility. If disabled, previous behavior (checks based on current process SID) is preserved.

  • As described earlier in this post, convert a number of kmalloc() calls to kmalloc_obj() and kmalloc_flex() as part of a larger tree-wide conversion.

  • Removed a BUG() macro call that was no longer necessary as the error condition is now checked at kernel build time.
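
The userspace side of the five-step BPF token workflow quoted in the patch description above, as an added example that is not part of this post or of Eric Suen's patch. It targets the Linux v6.9+ BPF token UAPI through raw syscalls with locally defined constants (copied from include/uapi/linux/bpf.h and linux/mount.h and assumed stable) so that it builds with older kernel headers. parse_delegate_cmds() and needed_as_perms() are illustrative helpers that model, in userspace, the bpffs delegate_cmds bitmask and the map_create_as/prog_load_as rule the patch description states; they are not kernel or SELinux code. Actually creating a token requires a bpffs mounted inside a user namespace and, with the patch applied, SELinux policy granting the *_as permissions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* UAPI values copied from linux/bpf.h and linux/mount.h (assumed stable). */
#define CMD_MAP_CREATE       0          /* BPF_MAP_CREATE */
#define CMD_PROG_LOAD        5          /* BPF_PROG_LOAD */
#define CMD_TOKEN_CREATE     36         /* BPF_TOKEN_CREATE */
#define MAP_TYPE_ARRAY       2          /* BPF_MAP_TYPE_ARRAY */
#define F_TOKEN_FD           (1U << 16) /* BPF_F_TOKEN_FD: map_token_fd valid */
#define FSOPEN_CLOEXEC_      1
#define FSMOUNT_CLOEXEC_     1
#define FSCONFIG_SET_STRING_ 1
#define FSCONFIG_CMD_CREATE_ 6
#ifndef __NR_fsopen                     /* arch-independent numbers (v5.2+) */
#define __NR_fsopen 430
#define __NR_fsconfig 431
#define __NR_fsmount 432
#endif

/* Leading fields of union bpf_attr for BPF_MAP_CREATE in v6.9 UAPI order,
 * so that map_token_fd lands at offset 76, plus the BPF_TOKEN_CREATE attr. */
struct map_create_attr {
    uint32_t map_type, key_size, value_size, max_entries, map_flags;
    uint32_t inner_map_fd, numa_node;
    char     map_name[16];
    uint32_t map_ifindex, btf_fd, btf_key_type_id, btf_value_type_id;
    uint32_t btf_vmlinux_value_type_id;
    uint64_t map_extra;
    int32_t  value_type_btf_obj_fd, map_token_fd;
};
struct token_create_attr { uint32_t flags, bpffs_fd; };

static long sys_bpf(int cmd, void *attr, unsigned int size)
{
    return syscall(__NR_bpf, cmd, attr, size);
}

/* The kernel keeps delegated commands as a bitmask indexed by enum bpf_cmd
 * ("any" = all bits); only the two commands the patch covers are modelled. */
static int parse_delegate_cmds(const char *s, uint64_t *mask)
{
    char buf[128], *save, *tok;

    *mask = 0;
    if (strcmp(s, "any") == 0) { *mask = ~0ULL; return 0; }
    if (strlen(s) >= sizeof buf) return -EINVAL;
    strcpy(buf, s);
    for (tok = strtok_r(buf, ":", &save); tok; tok = strtok_r(NULL, ":", &save)) {
        if (strcmp(tok, "map_create") == 0)     *mask |= 1ULL << CMD_MAP_CREATE;
        else if (strcmp(tok, "prog_load") == 0) *mask |= 1ULL << CMD_PROG_LOAD;
        else return -EINVAL;
    }
    return 0;
}

/* Rule from the patch description: at BPF_TOKEN_CREATE the caller needs
 * map_create_as / prog_load_as for each command the token delegates. */
enum { NEED_MAP_CREATE_AS = 1, NEED_PROG_LOAD_AS = 2 };
static unsigned needed_as_perms(uint64_t allowed_cmds)
{
    unsigned need = 0;
    if (allowed_cmds & (1ULL << CMD_MAP_CREATE)) need |= NEED_MAP_CREATE_AS;
    if (allowed_cmds & (1ULL << CMD_PROG_LOAD))  need |= NEED_PROG_LOAD_AS;
    return need;
}

/* Steps 2-3 (privileged side): set delegation options on the fsopen("bpf")
 * context and mount it; SELinux records this process as creator_sid. */
static int bpffs_delegating_mount(int fs_fd, const char *cmds, const char *maps)
{
    if (syscall(__NR_fsconfig, fs_fd, FSCONFIG_SET_STRING_, "delegate_cmds", cmds, 0) < 0 ||
        syscall(__NR_fsconfig, fs_fd, FSCONFIG_SET_STRING_, "delegate_maps", maps, 0) < 0 ||
        syscall(__NR_fsconfig, fs_fd, FSCONFIG_CMD_CREATE_, NULL, NULL, 0) < 0)
        return -errno;
    long mnt = syscall(__NR_fsmount, fs_fd, FSMOUNT_CLOEXEC_, 0);
    return mnt < 0 ? -errno : (int)mnt;
}

/* Step 4 (unprivileged side): create the token from the delegating mount.
 * The kernel only issues tokens for a bpffs owned by a non-initial userns. */
static int bpf_token_create_fd(int bpffs_fd)
{
    struct token_create_attr a = { .flags = 0, .bpffs_fd = (uint32_t)bpffs_fd };
    long fd = sys_bpf(CMD_TOKEN_CREATE, &a, sizeof a);
    return fd < 0 ? -errno : (int)fd;
}

/* Step 5: a map create carrying the token; with the patch, SELinux checks
 * map_create against creator_sid rather than only the caller's SID. */
static int bpf_map_create_with_token(int token_fd)
{
    struct map_create_attr a;

    memset(&a, 0, sizeof a);
    a.map_type = MAP_TYPE_ARRAY;
    a.key_size = 4; a.value_size = 8; a.max_entries = 1;
    a.map_flags = F_TOKEN_FD;
    a.map_token_fd = token_fd;
    strncpy(a.map_name, "token_demo", sizeof a.map_name - 1);
    long fd = sys_bpf(CMD_MAP_CREATE, &a, sizeof a);
    return fd < 0 ? -errno : (int)fd;
}

int main(void)
{
    /* Both roles run in one process here for brevity; in the real flow the
     * fsopen() fd is passed from the unprivileged to the privileged process. */
    int fs  = syscall(__NR_fsopen, "bpf", FSOPEN_CLOEXEC_);                    /* step 1 */
    int mnt = fs < 0 ? -errno : bpffs_delegating_mount(fs, "map_create:prog_load", "array");
    int tok = mnt < 0 ? mnt : bpf_token_create_fd(mnt);                        /* step 4 */
    int map = tok < 0 ? tok : bpf_map_create_with_token(tok);                  /* step 5 */

    if (map < 0)
        fprintf(stderr, "token workflow failed: %s\n", strerror(-map));
    else
        printf("map fd %d created via token fd %d\n", map, tok);
    return map < 0;
}
```

With the policy snippet from the patch description loaded and the bpf_token_perms capability enabled, the BPF_TOKEN_CREATE step is where an AVC denial for map_create_as or prog_load_as would surface, while the later BPF_MAP_CREATE is checked against the mounter's context rather than the caller's; with the capability disabled the map create is checked against the caller's own SID as before.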

Audit

  • Add source and destination port information to the NETFILTER_PKT audit records while consolidating much of the netfilter packet audit code into a new function which can be easily disabled when audit is not enabled at kernel build time. These changes should not only improve the usefulness of the audit logs through the added network port information, they should also provide a minor performance boost for systems built without audit.

  • Update the audit syscall classifier code to include the listxattrat(), getxattrat(), and fchmodat2() syscalls.

  • As described earlier in this post, convert a number of kmalloc() calls to kmalloc_obj() and kmalloc_flex() as part of a larger tree-wide conversion.

  • A number of small, internal changes to how audit tracks and records pathnames brought about by some related work in the VFS subsystem. There should be no user visible changes.

  • Move a handful of declarations in the code to resolve a number of Sparse warnings.

Linux 6.19 Released

With Linux v6.19 having been released on Sunday, February 8th, this post is much later than usual. However, there were only a few small LSM and SELinux changes beyond what was mentioned in my post about the merge window changes; the highlights are below.

LSM

  • The LSM initialization rework merged during the Linux v6.19 merge window introduced a regression causing the procfs file “/proc/sys/vm/mmap_min_addr” to disappear when CONFIG_SECURITY was not enabled at compile time. The final release of Linux v6.19 fixes this problem by ensuring that the “/proc/sys/vm/mmap_min_addr” file is present regardless of the CONFIG_SECURITY configuration.

  • There were a number of small changes made to securityfs as part of a much larger VFS effort. These changes were focused on implementation improvements and should not result in any user visible changes.

SELinux

  • Much like the securityfs changes mentioned above, there were a number of similar, small changes made to selinuxfs. Once again, none of these changes should be visible to users.