Linux 7.0 Released

12 Apr 2026 · tags: audit lsm selinux

Linux v7.0 was released a few hours ago on Sunday, April 12th. Unfortunately, due to my personal schedule and some other challenges, I never had a chance to write up my usual summary of the LSM, SELinux, and audit highlights from the v7.0 merge window; thankfully LWN.net did their usual good job of summarizing both the first and second weeks of the merge window.
Below is a list of the LSM, SELinux, and audit highlights from the Linux v7.0 merge window through to the tagged release from Linus.
LSM

- Unified the `security_inode_listsecurity()` calls in NFSv4. While looking at the `security_inode_listsecurity()` LSM hook with the goal of improving the API, we realized that the NFSv4 code was making multiple calls to the LSM hook that could be consolidated into one. While this change improves the quality of the NFSv4 code, it will also enable additional future work to improve the LSM API.
- Moved from `kmalloc()` to `kmalloc_obj()` and `kmalloc_flex()` as part of a tree-wide conversion that is described in this article from LWN.net.
- Resolved a number of Sparse warnings caused by the LSM static branch keys not being marked as `static`.
- Added `__rust_helper` annotations to the LSM and credential Rust wrapper functions.
- Removed the unused `set_security_override_from_ctx()` function.
- Minor improvements to the LSM hook kdoc comment blocks.

SELinux

- Added support for applying SELinux policy to BPF tokens. This involves the addition of two new permissions to the `bpf` object class, `map_create_as` and `prog_load_as`, as well as a new policy capability, `bpf_token_perms`, to enable the new functionality. The patch author, Eric Suen, describes the change in his patch description:

  > This patch adds SELinux support for controlling BPF token access. With this change, SELinux policies can now enforce constraints on BPF token usage based on both the delegating (privileged) process and the recipient (unprivileged) process.
  >
  > Supported operations currently include:
  >
  > - map_create
  > - prog_load
  >
  > High-level workflow:
  >
  > - An unprivileged process creates a VFS context via `fsopen()` and obtains a file descriptor.
  > - This descriptor is passed to a privileged process, which configures BPF token delegation options and mounts a BPF filesystem.
  > - SELinux records the `creator_sid` of the privileged process during mount setup.
  > - The unprivileged process then uses this BPF fs mount to create a token and attach it to subsequent BPF syscalls.
  > - During verification of `map_create` and `prog_load`, SELinux uses `creator_sid` and the current SID to check policy permissions via: `avc_has_perm(creator_sid, current_sid, SECCLASS_BPF, BPF__MAP_CREATE, NULL);`
  >
  > The implementation introduces two new permissions:
  >
  > - map_create_as
  > - prog_load_as
  >
  > At token creation time, SELinux verifies that the current process has the appropriate `*_as` permission (depending on the `allowed_cmds` value in the bpf_token) to act on behalf of the `creator_sid`.
  >
  > Example SELinux policy:
  >
  >     allow test_bpf_t self:bpf { map_create map_read map_write prog_load prog_run map_create_as prog_load_as };
  >
  > Additionally, a new policy capability `bpf_token_perms` is added to ensure backward compatibility. If disabled, previous behavior (checks based on current process SID) is preserved.

- As described earlier in this post, converted a number of `kmalloc()` calls to `kmalloc_obj()` and `kmalloc_flex()` as part of a larger tree-wide conversion.
- Removed a `BUG()` macro call that was no longer necessary as the error condition is now checked at kernel build time.

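As an added illustration (not from this post or from Eric Suen's patch), the policy fragment below separates the two roles the quoted description walks through, a privileged delegating domain and an unprivileged recipient, instead of the single `self` rule in the patch description. The domain names `bpf_delegator_t` and `bpf_worker_t` are hypothetical, the subject/target directions follow the checks as the quoted description states them, and the fragment assumes a base policy and a libsepol/checkpolicy that already know the `bpf_token_perms` capability name.

```selinux
# Added example policy fragment, not from the post or the kernel patch.
# Domain names are hypothetical; class and permission names are the ones
# described for Linux v7.0.

# The bpf class must carry the two new *_as permissions alongside the old ones.
class bpf { map_create map_read map_write prog_load prog_run map_create_as prog_load_as }

# Without this capability the kernel keeps the pre-7.0 behaviour: the checks
# are made against the current process SID only, and the *_as rules below
# are never consulted, so enabling it is what turns delegation policy on.
policycap bpf_token_perms;

type bpf_delegator_t;   # privileged process: mounts bpffs with delegation options
type bpf_worker_t;      # unprivileged process: receives the token, creates maps/programs

# Token creation: the worker (current SID) must hold the matching *_as
# permission against the delegator (creator_sid) for every command carried in
# the token's allowed_cmds. A token that delegates prog_load to a worker
# lacking prog_load_as here is refused at creation time.
allow bpf_worker_t bpf_delegator_t:bpf { map_create_as prog_load_as };

# Per-command check when a token is attached, as in the quoted description:
#   avc_has_perm(creator_sid, current_sid, SECCLASS_BPF, BPF__MAP_CREATE, NULL)
# so the delegator is the subject and the worker is the target. Omit prog_load
# here and token-backed program loads by the worker are denied even though
# map creation still succeeds.
allow bpf_delegator_t bpf_worker_t:bpf { map_create prog_load };
```

The resulting AVC denials name the delegator as the source context and the worker as the target, which is the signature to look for in audit logs when a token-backed `BPF_MAP_CREATE` or `BPF_PROG_LOAD` unexpectedly fails after enabling the capability.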
Audit

- Added source and destination port information to the `NETFILTER_PKT` audit records while consolidating much of the netfilter packet audit code into a new function which can be easily disabled when audit is not enabled at kernel build time. These changes should not only improve the usefulness of the audit logs through the addition of network port information, they should also provide a minor performance boost for systems built without audit.
- Updated the audit syscall classifier code to include the `listxattrat()`, `getxattrat()`, and `fchmodat2()` syscalls.
- As described earlier in this post, converted a number of `kmalloc()` calls to `kmalloc_obj()` and `kmalloc_flex()` as part of a larger tree-wide conversion.
- A number of small, internal changes to how audit tracks and records pathnames brought about by some related work in the VFS subsystem. There should be no user visible changes.
- Moved a handful of declarations in the code to resolve a number of Sparse warnings.