Libseccomp 2.5.0 Released

On behalf of the libseccomp project I would like to announce libseccomp v2.5.0!

The libseccomp v2.5.0 release is backwards compatible with previous v2.x releases and is a drop-in replacement; no recompilation of applications is required. Applications will need to be restarted to take advantage of the new libseccomp release. While the v2.4.x release stream will be supported for at least one more maintenance release, all users and distributions are encouraged to upgrade to libseccomp v2.5.0.

The core libseccomp library is the work of 56 contributors, and this release is a significant upgrade over the libseccomp v2.4.x release stream. The v2.5.0 release brings new support for RISC-V and seccomp user notifications along with a number of bug fixes and performance improvements. A more detailed list of changes can be seen below:

  • Add support for the seccomp user notifications, see the seccomp_notify_alloc(3), seccomp_notify_receive(3), seccomp_notify_respond(3) manpages for more information
  • Add support for new filter optimization approaches, including a balanced tree optimization, see the SCMP_FLTATR_CTL_OPTIMIZE filter attribute for more information
  • Add support for the 64-bit RISC-V architecture
  • Performance improvements when adding new rules to a filter thanks to the use of internal shadow transactions and improved syscall lookup tables
  • Properly document the libseccomp API return values and include them in the stable API promise
  • Improvements to the s390 and s390x multiplexed syscall handling
  • Multiple fixes and improvements to the libseccomp manpages
  • Moved from manually maintained syscall tables to an automatically generated syscall table in CSV format
  • Update the syscall tables to Linux v5.8.0-rc5
  • Python bindings and build now default to Python 3.x
  • Improvements to the tests have boosted code coverage to over 93%
  • Enable Travis CI testing on the aarch64 and ppc64le architectures
  • Add code inspection via

The SELinux Notebook

Many of you reading this are likely already aware of “The SELinux Notebook” by Richard Haines. For those of you who have not seen it before, “The SELinux Notebook” is a very comprehensive guide to SELinux that stretches from the kernel all the way up through the policy. It’s really an impressive work, made even more impressive by the fact that Richard has been kind enough to make it freely available.

In the latest 5th edition, Richard opened the book even more by converting it into Markdown and posting the book, in source form, on GitHub. This is a tremendous gift to the SELinux community, and one that I hope we will not squander. My hope is that we can turn “The SELinux Notebook” into a living document that is updated along with the code and the policies so that it continues to be the excellent resource that it is today.

If you are interested in helping contribute to “The SELinux Notebook”, there are some quick notes in the file to help you get started with the project.

Linux 5.7 Released

Linux v5.7 was released on Sunday, May 31, 2020; the SELinux and audit highlights are below:


  • Deprecate setting “/sys/fs/selinux/checkreqprot” to 1. This flag was originally created to deal with legacy userspace and the READ_IMPLIES_EXEC personality flag. We changed the default from 1 to 0 back in Linux v4.4 and now we are taking the next step of deprecating it, at some point in the future we will take the final step of rejecting 1.

  • Allow kernfs symlinks to inherit the SELinux label of the parent directory. In order to preserve backwards compatibility this is protected by the “genfs_seclabel_symlinks” SELinux policy capability.

  • Fix a problem where we were not properly handling multiple netlink messages in a single message buffer. Unfortunately this could cause some netlink messages to escape the SELinux access controls. This issue was assigned the CVE number CVE-2020-10751.

  • Enable per-file labeling for the BPF filesystem.

  • Improve how we handle initial SIDs in the kernel and remove a number that were unused.

  • Optimize how we store filename transitions in the kernel, resulting in some significant improvements to policy load times.

  • We now do a better job calculating the sizes of the internal hash tables, which improved SELinux policy load times and likely general SELinux performance as well.

  • Ensure that we properly label NFS v4.2 filesystems to avoid a temporary unlabeled condition.

  • Add some missing XFS quota command types to the SELinux quota access controls.

  • Fix a problem where we were not properly handling all read operations in selinuxfs.

  • Convert several linked lists to arrays to help with performance and improve code simplicity.


  • Stop logging inode information when updating an audit file watch. Since we are not changing the inode, or the fact that we are watching the associated file, the inode information is just noise that we can do without.

  • Fix a problem where mandatory audit records were missing their accompanying audit records (e.g. SYSCALL records were missing). The missing records often meant that we didn’t have the necessary context to understand what was going on when the event occurred. [UPDATE August 4, 2020: this patch was reverted during the Linux v5.8-rcX phase due to problems, it should reappear at a later date]

  • Fix a problem where we were not properly checking the length of audit records generated by userspace programs allowed to submit audit records due to the CAP_AUDIT_WRITE capability.