18 Sep 2024 tags: audit lsm selinux

Linux v6.11 was released on Sunday, September 15th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window; however, there were additional changes that went in during the release candidate process, which are described below.
SELinux
- Fix a problem where SELinux would mistakenly enforce the process:execheap permission check on systems without an established heap when a memory mapping was created that touched the expected, but non-existent, heap region.
- Fix a problem where it was possible for NFS clients to change the SELinux security labels on files located on an NFS filesystem when root squashing is enabled.
- Fix problems where SELinux’s extended access vector rules, “xperms”, were not properly cached in the Access Vector Cache (AVC).
In addition to my highlights, LWN.net provides a nice overall summary of the kernel changes made during the first and second weeks of the merge window.
16 Jul 2024 tags: audit lsm selinux

Linux v6.10 was released on Sunday, with the Linux v6.11 merge window opening immediately afterwards. Below are the highlights of the LSM and SELinux pull requests which have been merged into Linus’ tree. Due to the lack of audit patches queued for Linux v6.11, there is no audit pull request planned for this merge window.
LSM
- Rewrite the LSM’s inode extended attribute, aka xattr, control points to resolve an issue involving capabilities where legacy behaviors were impacting the support of multiple simultaneous LSMs. The LSM framework, as well as the associated SELinux and Smack code, was changed to preserve their existing behavior with capabilities while also improving the robustness of the code in the face of multiple active LSMs.
SELinux
- Fix the type of a pre-processor constant to better match its use. This should have no impact other than improved code quality and reduced risk of problems should the associated code change in the future.
15 Jul 2024 tags: audit lsm selinux

Linux v6.10 was released on Sunday, July 14th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window; however, there were additional changes that went in during the release candidate process, which are described below.
LSM
- Resolve a potential kernel panic caused by blocking allocations in the IMA code while in an RCU critical section. The blocking allocation causes a premature end to the critical section, which can result in a use-after-free fault in some situations.
- Improvements to the extended attribute (xattr) copy-up code to allow LSMs to decide if an xattr should be copied up based on a combination of the xattr name and context. Previously, LSMs were limited to making copy-up decisions based solely on the xattr name. This should allow for better LSM support on composite filesystems such as overlayfs.
In addition to my highlights, LWN.net provides a nice overall summary of the kernel changes made during the first and second weeks of the merge window.