Linux 6.7 Merge Window

Linux v6.6 was released this past Monday, with the Linux v6.7 merge window opening immediately afterwards. Below are the highlights of the SELinux and audit pull requests which Linus has merged into his tree.

SELinux

• The CONFIG_SECURITY_SELINUX_DEBUG Kconfig option introduced in Linux v6.6 was enhanced to enable the SELinux debugging messages on the console by default. Those users who wish to have greater control over the SELinux debugging messages should enable Dynamic Debug.

• A number of SELinux internal hash table related improvements were made in this kernel release. The role transition table moved to using the Jenkins hash hash function, the access vector tables allocation function was simplified, and the hash bucket sizes are now printed along with the other hash table statistics when SELinux debugging is enabled.

• Annotate an internal data structure with a flexible array member to specify which field is used to indicate the length of the variable length field. This enables the kernel’s UBSAN and CONFIG_FORTIFY_SOURCE runtime analysis tools to perform memory bounds checking on the variable length fields.

• SELinux policy load times were improved slightly thanks to the use of an optimized Hamming weight function when reading access vector fields in the policy.

Audit

• Similar to SELinux, an internal data structure with a flexible array member was annotated to enable runtime bounds checking.