Linux 6.10 Merge Window

Linux v6.9 was released last week, with the Linux v6.10 merge window opening immediately afterwards. Below are the highlights of the LSM and SELinux pull requests which have been merged into Linus’ tree. Due to the lack of audit patches queued for Linux v6.10, there is no no audit pull request planned for this merge window.

LSM

  • Minor cross-LSM update to remove empty sentinel values from the ctl_table arrays.

  • Minor updates to the LSM, or “LINUX SECURITY SUBSYSTEM”, entry into the kernel’s MAINTAINERS file to more accurately reflect the LSM files.

SELinux

  • Attempt to pre-allocate the SELinux status page so it doesn’t appear to userspace, via the SELinux netlink socket or the getpolicyload tool, that we are skipping SELinux policy sequence numbers.

  • Additional error checking for SELinux policy bitmaps at policy load time; invalid bitmaps will result in a failed policy load and an error returned to the user.

  • Improve the consistency of variable types used to represent SELinux policy bitmap offsets; the u32 type is now used everywhere. We also corrected a number of printk() format specifiers used when displaying bitmap information.

  • Improve the SELinux symbol table hashing function performance and distribution by moving to the djb2a hash function.

  • Added additional debug statistics for the conditional rules access vectors, role transitions, object class, and common permission hash tables.

  • Minor cleanups and improvements as well as improved error handling in multiple SELinux internal kernel functions.

Linux 6.9 Released

Linux v6.9 was released on Sunday, May 12th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window, however there were additional changes that went in during the release candidate process which are described below.

LSM

  • Change the size_t parameter types in the new LSM syscalls to u32 to avoid differences between 32-bit and 64-bit systems. This change was backported to the Linux v6.8 stable kernel.

  • Fix a problem where passing a NULL buffer into the lsm_get_self_attr(2) syscall via the ctx parameter resulted in an error. Passing a NULL buffer should result in success with the minimum necessary buffer size returned to the caller via the size parameter.

  • Fix a problem caused during the IMA and EVM LSM promotion that could result in a kernel panic during certain mknod(2) operations.

SELinux

  • Fix a problem where a failed selinuxfs mount could result in an invalid memory access.

In addition to my highlights, LWN.net provides a nice overall summary of the kernel changes made during the first and second weeks of the merge window.

Linux 6.9 Merge Window

Linux v6.8 was released this past Sunday, with the Linux v6.9 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and audit pull requests which Linus has merged into his tree.

LSM

  • The Linux Integrity Subsystem, more commonly known as IMA, or IMA/EVM, has been integrated into the LSM framework. Prior to the start of the LSM stacking work it was important that IMA/EVM remain separate from the rest of the LSMs as it was the only way to enable IMA/EVM at the same time as a LSM, e.g. SELinux. However, now that the bulk of the LSM infrastructure supports multiple simultaneous LSMs, it is possible to integrate both IMA and EVM into the LSM framework as proper LSMs. This moves simplifies the IMA/EVM, LSM, and core Linux kernel code and helps us reduce the likelihood of future bugs. A special thanks to Roberto Sassu for helping turn a long standing wish of mine into reality.

  • Internal improvements relating to how we stack multiple LSMs for a subset of the LSM access control hooks. Many LSM hooks that return an integer value to indicate success or failure used the call_int_hook() macro which required callers to specify a default return value, despite their already being a default return value specified during LSM hook declaration. Unfortunately, there were several cases where these return values were mismatched which triggered buggy behavior in some configurations, specifically those that made use of BPF LSMs. The call_int_hook() macro has been updated to remove the need for the caller to specify a default return value, instead using the value specified when the LSM hook was declared.

  • A number of grammar corrections to the LSM hook documentation in the source code comments.

SELinux

  • No longer restrict extended attribute copy-up when SELinux is enabled but a policy has not yet been loaded. This helps systems that use overlayfs, or similar filesystems, preserve their SELinux labels during early boot when the SELinux policy has yet to be loaded.

  • Fix a problem where the error codes were not consistent across the selinux_socket_getpeersec_dgram() and selinux_socket_getpeersec_stream() functions. The error code inconsistency could lead to confusion among users and applications attempting to determine the SELinux network peer information across labeled networks.

  • Remove a redundant SELinux object class lookup/calculation at inode initialization time. The computing overhead associated with the unnecessary work was rather small, meaning any performance improvements should be minimal.

  • Continue the coding style fixes started in Linux v6.8, this time focusing on the “security/selinux/ss” directory.

Audit

  • Instead of using the kmem_cache_create() function to create the slab audit buffer cache, use the KMEM_CACHE() according to the guidance in the kernel’s header files.

  • Minor change to remove an unnecessary variable initialization during its declaration.