Linux 6.6 Merge Window

Linux v6.5 was released this past Sunday, with the Linux v6.6 merge window opening immediately afterwards. Below are the highlights of the SELinux and audit pull requests which Linus merged today.

SELinux

  • A poorly documented, private SELinux kernel debug macro was promoted to a proper Kconfig configuration flag, CONFIG_SECURITY_SELINUX_DEBUG. This should help both improve the visibility of the debug flag as well as enable improved test coverage. We also moved some additional debug functions under the new CONFIG_SECURITY_SELINUX_DEBUG flag and I believe we may see more additions in the future.

  • We now print a message to the console on boot if the system’s configuration is such that virtual memory is executable by default.

  • Removed some redundant code by eliminating the avtab_search() function and converting all of its callers to use avtab_search_node().

  • Created new SELinux network auditing helper functions to both reduce code duplication and improve UDP flood performance slightly.

  • Changed how two SELinux policy load helper functions allocate memory by converting them from GFP_ATOMIC to GFP_KERNEL allocations. This should help reduce the chance for memory allocation errors on policy load.

  • Quieted a KMSAN warning in the selinux_inet_conn_request() function. The KMSAN warning was not an actual bug, but as the “fix” was a one line change in our error handling code it was deemed valuable both to quiet the warning and to harden the code against future changes.

  • Various internal changes to clean up the policy capability accessor functions, harden the kernel against type differences, and safely handle variable overflows.

  • A number of code comment and documentation cleanups to update contributor email addresses, remove outdated comments, and convert a few remaining “NSA SELinux” references to simply “SELinux”. Oddly enough, this last change seemed to catch the attention of Phoronix and I can promise the comment section does not disappoint ;)

Audit

  • We resolved a problem where certain TraceFS or DebugFS operations could result in hundreds of audit PATH records which, on aggressive system configurations, could result in a soft lockup. This is in sharp contrast to much more typical syscall operations, which generate a small number, e.g. one or two, of PATH records. We fixed this problem by explicitly checking if a reschedule is required when processing a large number of PATH records; regular users should not notice a difference.

  • Various internal changes to remove some redundant preprocessor logic, a dummy function’s return value, and a number of style and formatting changes.
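The PATH record behavior described above is something a defender can observe from the audit log itself: every record belonging to one syscall event shares the same msg=audit(timestamp:serial) key, and a normal file operation contributes one or two PATH records to its event. The following script is an added illustration, not code from the kernel or from this post; it groups audit records by event serial, counts PATH records per event, and reports events whose count is unusually high. The log lines it parses are constructed for the example and are not real captured output, and the threshold is an arbitrary choice.

```python
"""Count audit PATH records per event and flag events with an unusual number.

Added example (not from the kernel or the post). Audit records for one syscall
event share the same msg=audit(TIMESTAMP:SERIAL) key; a typical event carries one
or two PATH records, so an event carrying dozens or hundreds stands out.
"""
import re
from collections import defaultdict

# Record type and the audit(timestamp:serial) key at the start of each audit line.
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)"
)

# Constructed sample log: event 100 is an ordinary openat() of /etc/hostname with
# two PATH records; event 101 is an openat() under debugfs that yields 25 PATH records.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1693234567.101:100): arch=c000003e syscall=257 success=yes exit=3 comm="cat" exe="/usr/bin/cat"',
    'type=CWD msg=audit(1693234567.101:100): cwd="/root"',
    'type=PATH msg=audit(1693234567.101:100): item=0 name="/etc/" inode=1 dev=fd:00 mode=040755 nametype=PARENT',
    'type=PATH msg=audit(1693234567.101:100): item=1 name="/etc/hostname" inode=2 dev=fd:00 mode=0100644 nametype=NORMAL',
    'type=SYSCALL msg=audit(1693234567.202:101): arch=c000003e syscall=257 success=yes exit=4 comm="ls" exe="/usr/bin/ls"',
    'type=CWD msg=audit(1693234567.202:101): cwd="/sys/kernel/debug"',
] + [
    f'type=PATH msg=audit(1693234567.202:101): item={i} name="/sys/kernel/debug/entry{i}" nametype=NORMAL'
    for i in range(25)
]


def count_path_records(lines):
    """Return {serial: {"path": n, "syscall": str|None}} for every event in lines."""
    events = defaultdict(lambda: {"path": 0, "syscall": None})
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record we understand; skip it
        ev = events[int(m.group("serial"))]
        if m.group("type") == "PATH":
            ev["path"] += 1
        elif m.group("type") == "SYSCALL":
            # Keep the syscall number so a flagged event can be related to what ran.
            sc = re.search(r"\bsyscall=(\S+)", line)
            ev["syscall"] = sc.group(1) if sc else None
    return dict(events)


def flag_heavy_events(lines, threshold=10):
    """Return the serials of events carrying more than `threshold` PATH records."""
    counts = count_path_records(lines)
    return sorted(s for s, ev in counts.items() if ev["path"] > threshold)


if __name__ == "__main__":
    summary = count_path_records(SAMPLE_LOG)
    for serial, ev in sorted(summary.items()):
        print(f"event {serial}: syscall={ev['syscall']} path_records={ev['path']}")
    print("events over threshold:", flag_heavy_events(SAMPLE_LOG))
```

On a real system the same functions can be fed the lines of /var/log/audit/audit.log (or the output of ausearch --raw); the threshold of ten is a starting point for spotting the TraceFS/DebugFS pattern, not a value taken from the kernel.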

Linux 6.5 Released

Linux v6.5 was released on Sunday, August 27th. I already wrote up a post highlighting the SELinux and audit changes that were submitted during the merge window, but there was one minor change worth mentioning that occurred during the release candidate process; it’s described below.

SELinux

  • A small fix to ensure that an internal data structure is properly initialized before use. Prior to this fix an error condition when loading the SELinux policy had the potential to result in a memory fault caused by walking off the end of a linked list.

In addition to my highlights, LWN.net provides a nice overall summary of the kernel changes made during the first and second weeks of the merge window.

Linux 6.5 Merge Window

Linux v6.4 was released this past Sunday, with the Linux v6.5 merge window opening immediately afterwards. Below are the highlights of the SELinux and audit pull requests which Linus merged this week.

SELinux

  • Fixed a longstanding issue with MultiPath TCP (MPTCP) where the MPTCP subflows were not labeled properly. Starting in Linux v6.5, MPTCP subflows will now be correctly labeled using the main MPTCP socket instead of the currently executing task. A special thanks to Paolo Abeni, and the other MPTCP developers, for their help on this issue.

  • Fixed an issue where labeled NFS mounts that were mounted prior to the initial SELinux policy load were not properly labeled once the policy was loaded. Now these existing labeled NFS mounts are labeled using the same deferred labeling mechanisms we use for local filesystems.

  • The “fs” object context was deprecated. SELinux policy parser support for this object context was included in the original SELinux kernel patches, but the object context was never utilized and was either ignored or marked as deprecated by all of the available SELinux policy we could find.

  • We continued the SELinux makefile improvements and cleanups we started in Linux v6.4.

  • A small number of code cleanups to remove dead code and generally improve the quality of the SELinux kernel code.

Audit

  • A minor fix to resolve some missing function prototype warnings when compiling the kernel.