Linux 6.6 Merge Window
30 Aug 2023
tags: audit selinux

Linux v6.5 was released this past Sunday, with the Linux v6.6 merge window opening immediately afterwards. Below are the highlights of the SELinux and audit pull requests which Linus merged today.
SELinux
- A poorly documented, private SELinux kernel debug macro was promoted to a proper Kconfig configuration flag, CONFIG_SECURITY_SELINUX_DEBUG. This should help both improve the visibility of the debug flag as well as enable improved test coverage. We also moved some additional debug functions under the new CONFIG_SECURITY_SELINUX_DEBUG flag and I believe we may see more additions in the future.
- We now print a message to the console on boot if the system’s configuration is such that virtual memory is executable by default.
- Removed some redundant code by eliminating the avtab_search() function and converting all of its callers to use avtab_search_node().
- Created new SELinux network auditing helper functions to both reduce code duplication and slightly improve performance under UDP floods.
- Changed how two SELinux policy load helper functions allocate memory by converting them from GFP_ATOMIC to GFP_KERNEL allocations. This should reduce the chance of memory allocation errors on policy load.
- Quieted a KMSAN warning in the selinux_inet_conn_request() function. The KMSAN warning was not an actual bug, but as the “fix” was a one line change in our error handling code it was deemed valuable both to quiet the warning and to harden the code against future changes.
- Various internal changes to clean up the policy capability accessor functions, harden the kernel against type differences, and safely handle variable overflows.
- A number of code comment and documentation cleanups to update contributor email addresses, remove outdated comments, and convert a few remaining “NSA SELinux” references to simply “SELinux”. Oddly enough, this last change seemed to catch the attention of Phoronix and I can promise the comment section does not disappoint ;)
Audit
- We resolved a problem where certain TraceFS or DebugFS operations could result in hundreds of audit PATH records which, on aggressive system configurations, could result in a soft lockup. This is in sharp contrast to much more typical syscall operations, which generate only a small number of PATH records, e.g. one or two. We fixed this problem by explicitly checking if a reschedule is required when processing a large number of PATH records; regular users should not notice a difference.
- Various internal changes to remove some redundant preprocessor logic and a dummy function’s return value, plus a number of style and formatting changes.