Linux 6.14 Released

Linux v6.14 was released on Monday, March 24th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window. However, there was one additional change that went into Linux v6.14 that I missed in my merge window highlights post.

Audit

  • Add a new audit field, “nl-msgtype”, to record Netlink message types in relevant audit records.

In addition to my highlights, LWN.net provides a nice overall summary of the kernel changes made during the first and second weeks of the merge window.

Linux 6.14 Merge Window

Linux v6.13 was released on Sunday, with the Linux v6.14 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and Audit pull requests which have been merged into Linus’ tree.

LSM

  • Migrate away from the legacy LSM secctx string label interface to a new lsm_context structure. While this presents a relatively minor change to most callers within the kernel, this improvement makes it easier to support multiple simultaneous LSMs now, and in the future when new LSMs are added.

  • Modify the LSM’s kernel build configuration to only build the LSM framework’s common audit code when both the LSM and audit subsystems are enabled. This should provide a minor build time improvement for those who build kernels with the LSM enabled but without audit support.

  • Add a sanity check to the SafeSetID policy loading functions to restrict the policy size to KMALLOC_MAX_SIZE. As SafeSetID policy rules take the form of “UID:UID”, this limit is well beyond any legitimate policy rule, and should serve to limit a number of automated fuzzing reports that we have recently received against SafeSetID.

  • A number of smaller improvements to the kernel selftests, constification of some function parameters, removing redundant assignments, and local variable renames to improve readability.

SELinux

  • Add support for SELinux extended permissions, aka “xperms”, in conditional policy blocks. This allows admins to toggle the granular xperms using SELinux booleans, helping pave the way for greater use of xperms in general purpose SELinux policies. This change bumps the maximum SELinux policy version to 34.

  • Fix a SELinux/SCTP bind(2) error code inconsistency when the “extended_socket_class” policy capability is not enabled in the loaded policy.

  • Minor change to the SELinux kernel makefile to ensure that the generated SELinux header files are properly cleaned up between kernel builds.

  • A number of smaller changes to reduce code duplication, reduce pointer lookups, migrate void pointers to defined types, simplify code, constify function parameters, and correct iterator types.
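
As an added illustration of the conditional xperms support described in the first SELinux bullet above (this is a fragment I wrote for this post, not policy taken from the kernel tree or any distribution), the following CIL snippet gates a single ioctl extended permission behind a boolean. The type name, boolean name and ioctl command number are placeholders, and the fragment assumes it is added to an existing policy that already declares the tcp_socket class and its permissions:

```cil
; Placeholder domain and boolean; a real policy would reuse its own types.
(type myapp_t)
(boolean myapp_raw_ioctl false)

; The base ioctl permission must be allowed before any allowx rule is
; consulted; the xperm rule then narrows which command numbers are permitted.
(allow myapp_t self (tcp_socket (ioctl)))

; With conditional xperms (policy version 34 on Linux v6.14), the allowx rule
; may live inside a booleanif block, so the extra ioctl is only granted while
; the boolean is set. 0x8927 is a constructed example value, not a real policy choice.
(booleanif myapp_raw_ioctl
    (true
        (allowx myapp_t self (ioctl tcp_socket (0x8927)))))
```

Once loaded, an administrator can toggle the rule at runtime with setsebool rather than shipping a second policy, which is the use case the merge window change targets.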

Audit

  • Fix a problem where pathnames were not being properly logged by audit in the audit PATH record. Symptoms would include a “name=(null)” entry instead of the valid file pathname. Users who have noticed missing pathnames are encouraged to try Linux v6.14-rc1, or later.

Linux 6.13 Released

Linux v6.13 was released on Sunday, January 19th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window; however, there were additional changes that went in during the release candidate process, which are described below.

LSM

  • Leverage the new get_task_comm() API to get the current task’s “comm” string as opposed to accessing it directly. While minor, this affects the LSM framework’s common auditing code as well as SELinux.

  • Minor IMA variable renaming to fix a variable name collision related to the lsm_prop changes merged during the v6.13 merge window.

SELinux

  • Make better use of the sk_to_full_sk() helper in the SELinux networking code to fix a regression caused by networking changes introduced during the v6.13 merge window.

  • Fix a problem when both the ioctl and netlink extended permissions, aka “xperms”, are used in a single domain.

  • Ignore unknown extended permissions, aka “xperms”, when loading SELinux policy. This should make it easier to support newer policies on older kernels in the future as unknown xperms will no longer result in an error.

Audit

  • Minor code shuffling to work around a GCC bug that was falsely reporting a write beyond the bounds of an object. There should be no user visible impact to this change.

In addition to my highlights, LWN.net provides a nice overall summary of the kernel changes made during the first and second weeks of the merge window.