Linux 6.7 Merge Window

Linux v6.6 was released this past Monday, with the Linux v6.7 merge window opening immediately afterwards. Below are the highlights of the SELinux and audit pull requests which Linus has merged into his tree.

SELinux

  • The CONFIG_SECURITY_SELINUX_DEBUG Kconfig option introduced in Linux v6.6 was enhanced to enable the SELinux debugging messages on the console by default. Those users who wish to have finer-grained control over the SELinux debugging messages should enable Dynamic Debug (CONFIG_DYNAMIC_DEBUG), which allows individual debug messages to be switched on and off at runtime.

  • A number of SELinux internal hash table related improvements were made in this kernel release. The role transition table moved to using the Jenkins hash function (jhash), the access vector table (avtab) allocation function was simplified, and the hash bucket sizes are now printed along with the other hash table statistics when SELinux debugging is enabled.

  • An internal data structure with a flexible array member was annotated with __counted_by() to specify which field holds the length of the variable length array. This lets the kernel's UBSAN and CONFIG_FORTIFY_SOURCE runtime checks perform memory bounds checking on accesses to that array, something they cannot otherwise do because a flexible array member carries no declared size.

  • SELinux policy load times were improved slightly thanks to the use of an optimized Hamming weight function when reading access vector fields in the policy.
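As an added example (not code from the SELinux tree or from this post), the following userspace C models the role transition hash table described above: keys are (role, type, tclass) triples, bucketed with the lookup3 final mix that the kernel's jhash_3words() uses, and a hashtab_stat() helper gathers bucket statistics of the kind the SELinux debug output reports (buckets in use, longest chain, and a sum of squared chain lengths as a clustering measure). All struct and function names, the zero hash seed, and the choice of the sum-of-squares statistic are assumptions of this example rather than claims about exactly what the kernel prints.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t u32;

static inline u32 rol32(u32 w, unsigned int s) { return (w << s) | (w >> (32 - s)); }

/* Final mixing stage of Bob Jenkins' lookup3, as in the kernel's <linux/jhash.h>. */
#define JHASH_INITVAL 0xdeadbeef
#define __jhash_final(a, b, c)          \
{                                       \
	c ^= b; c -= rol32(b, 14);      \
	a ^= c; a -= rol32(c, 11);      \
	b ^= a; b -= rol32(a, 25);      \
	c ^= b; c -= rol32(b, 16);      \
	a ^= c; a -= rol32(c, 4);       \
	b ^= a; b -= rol32(a, 14);      \
	c ^= b; c -= rol32(b, 24);      \
}

/* Hash three 32-bit words the way the kernel's jhash_3words() does. */
static u32 jhash_3words(u32 a, u32 b, u32 c, u32 initval)
{
	initval += JHASH_INITVAL + (3 << 2);
	a += initval; b += initval; c += initval;
	__jhash_final(a, b, c);
	return c;
}

/* Hypothetical role transition key, node and chained hash table. */
struct rt_key { u32 role, type, tclass; };
struct rt_node { struct rt_key key; u32 new_role; struct rt_node *next; };
struct hashtab { struct rt_node **slots; u32 size; u32 nel; }; /* size: buckets, nel: entries */

/* Bucket statistics: buckets in use, longest chain, sum of squared chain lengths
 * (the last grows as entries cluster into few buckets). */
struct hashtab_stats { u32 slots_used, max_chain_len; uint64_t chain2_len_sum; };

static int rt_key_eq(const struct rt_key *a, const struct rt_key *b)
{
	return a->role == b->role && a->type == b->type && a->tclass == b->tclass;
}

static u32 rt_bucket(const struct hashtab *h, const struct rt_key *k)
{
	return jhash_3words(k->role, k->type, k->tclass, 0) % h->size; /* seed 0 is an assumption */
}

int hashtab_init(struct hashtab *h, u32 size)
{
	h->slots = calloc(size, sizeof(*h->slots));
	h->size = size;
	h->nel = 0;
	return h->slots ? 0 : -1;
}

/* Insert a key; returns -1 if it is already present or memory is exhausted. */
int hashtab_insert(struct hashtab *h, const struct rt_key *k, u32 new_role)
{
	u32 b = rt_bucket(h, k);
	struct rt_node *n;

	for (n = h->slots[b]; n; n = n->next)
		if (rt_key_eq(&n->key, k))
			return -1;
	n = malloc(sizeof(*n));
	if (!n)
		return -1;
	n->key = *k;
	n->new_role = new_role;
	n->next = h->slots[b];
	h->slots[b] = n;
	h->nel++;
	return 0;
}

struct rt_node *hashtab_search(const struct hashtab *h, const struct rt_key *k)
{
	for (struct rt_node *n = h->slots[rt_bucket(h, k)]; n; n = n->next)
		if (rt_key_eq(&n->key, k))
			return n;
	return NULL;
}

/* Walk every bucket once and gather the statistics. */
void hashtab_stat(const struct hashtab *h, struct hashtab_stats *st)
{
	memset(st, 0, sizeof(*st));
	for (u32 i = 0; i < h->size; i++) {
		u32 len = 0;
		for (struct rt_node *n = h->slots[i]; n; n = n->next)
			len++;
		if (!len)
			continue;
		st->slots_used++;
		st->chain2_len_sum += (uint64_t)len * len;
		if (len > st->max_chain_len)
			st->max_chain_len = len;
	}
}
```

The statistics are what make a hashing change reviewable: swapping rt_bucket() for a naive sum of the three fields and re-running hashtab_stat() on a policy-shaped key set shows the clustering directly in max_chain_len and chain2_len_sum, which is the information the new debug output exposes.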

Audit

  • Similar to SELinux, an internal data structure with a flexible array member was annotated with __counted_by() to enable runtime bounds checking.
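Both the SELinux and audit annotations above use the kernel's __counted_by() attribute. What follows is an added example, not code from either tree: a userspace model of what the annotation expresses and of the check it enables. The struct, its fields and the helper functions are hypothetical; the compiler only enforces the attribute when it knows it (recent GCC or Clang) and bounds sanitization is enabled, so the example also carries the explicit length check that UBSAN performs implicitly.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Local stand-in for the kernel's __counted_by(): names the field holding the
 * element count of a flexible array so -fsanitize=bounds and FORTIFY_SOURCE can
 * check data[i] against it.  Compilers without the attribute see an empty macro.
 */
#if defined(__has_attribute)
#if __has_attribute(counted_by)
#define __counted_by(member) __attribute__((counted_by(member)))
#endif
#endif
#ifndef __counted_by
#define __counted_by(member)
#endif

/* Hypothetical variable-length record: the count first, then the payload. */
struct vlen_rec {
	uint32_t len;                     /* number of valid bytes in data[] */
	uint8_t data[] __counted_by(len); /* flexible array member, bounded by len */
};

/*
 * Allocate a record and set len before data[] is touched.  With __counted_by the
 * compiler's bounds checks read len on every data[i] access, so a count that is
 * written late or left stale becomes a bug the annotation itself surfaces.
 */
struct vlen_rec *vlen_rec_alloc(uint32_t len)
{
	struct vlen_rec *r = malloc(sizeof(*r) + len);

	if (!r)
		return NULL;
	r->len = len;
	memset(r->data, 0, len);
	return r;
}

/* Explicit check equivalent to what UBSAN does implicitly; -1 when out of bounds. */
int vlen_rec_set(struct vlen_rec *r, size_t idx, uint8_t val)
{
	if (!r || idx >= r->len)
		return -1;
	r->data[idx] = val;
	return 0;
}

int vlen_rec_get(const struct vlen_rec *r, size_t idx, uint8_t *out)
{
	if (!r || idx >= r->len)
		return -1;
	*out = r->data[idx];
	return 0;
}

/* Returns 0 when the last in-bounds byte reads back and the one-past-the-end read is refused. */
int vlen_rec_demo(void)
{
	struct vlen_rec *r = vlen_rec_alloc(4);
	uint8_t v = 0;
	int ok;

	if (!r)
		return -1;
	for (size_t i = 0; i < 4; i++)
		vlen_rec_set(r, i, (uint8_t)(0x10 * (i + 1)));
	ok = vlen_rec_get(r, 3, &v) == 0 && v == 0x40 && /* index len-1: last valid byte */
	     vlen_rec_get(r, 4, &v) == -1;                /* index len: off the end */
	free(r);
	return ok ? 0 : 1;
}
```

Build with -fsanitize=bounds on a compiler that honours the attribute and remove the explicit checks: the off-the-end access in vlen_rec_demo() is then reported by the sanitizer, which is the behaviour the kernel gains from the annotation.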

Linux 6.6 Released

Linux v6.6 was released on Monday, October 30th. I already wrote up a post highlighting the SELinux and audit changes that were submitted during the merge window, however there were additional changes that went in during the release candidate process which are described below.

SELinux

  • Fix a bug that would prevent NFS submounts before the SELinux policy was loaded. This was noticeable on systems that attempted to mount a NFS filesystem in their initramfs and would often result in the following error message on the system’s console: “SELinux: Unable to set superblock options before the security server is initialized”.

Audit

  • Fix a problem where file open operations performed through io_uring could trigger a reference count race that resulted in a kernel panic in the audit pathname logging code.

  • Improve the netfilter / nf_tables audit logging by properly logging the NFT_MSG_GETOBJ_RESET and NFT_MSG_GETRULE_RESET commands.

In addition to my highlights, LWN.net provides a nice overall summary of the kernel changes made during the first and second weeks of the merge window.

Linux 6.6 Merge Window

Linux v6.5 was released this past Sunday, with the Linux v6.6 merge window opening immediately afterwards. Below are the highlights of the SELinux and audit pull requests which Linus merged today.

SELinux

  • A poorly documented, private SELinux kernel debug macro was promoted to a proper Kconfig configuration flag, CONFIG_SECURITY_SELINUX_DEBUG. This should help both improve the visibility of the debug flag and enable improved test coverage. We also moved some additional debug functions under the new CONFIG_SECURITY_SELINUX_DEBUG flag and I believe we may see more additions in the future.

  • We now print a message to the console on boot if the system’s configuration is such that virtual memory is executable by default.

  • Removed some redundant code by eliminating the avtab_search() function and converting all of its callers to use avtab_search_node().

  • Created new SELinux network auditing helper functions to reduce code duplication and to slightly improve performance under UDP floods.

  • Changed how two SELinux policy load helper functions allocate memory by converting them from GFP_ATOMIC to GFP_KERNEL allocations. Policy load runs in process context, where the allocator is permitted to sleep and reclaim memory, so this should reduce the chance of memory allocation failures during policy load.

  • Quiet a KMSAN warning in the selinux_inet_conn_request() function. The KMSAN warning was not an actual bug, but as the “fix” was a one line change in our error handling code it was deemed valuable both to quiet the warning and harden the code against future changes.

  • Various internal changes to clean up the policy capability accessor functions, harden the kernel against type mismatches, and safely handle integer overflows.

  • A number of code comment and documentation cleanups to update contributor email addresses, remove outdated comments, and convert a few remaining “NSA SELinux” references to simply “SELinux”. Oddly enough, this last change seemed to catch the attention of Phoronix and I can promise the comment section does not disappoint ;)

Audit

  • We resolved a problem where certain TraceFS or DebugFS operations could result in hundreds of audit PATH records which, on aggressive system configurations, could result in a soft lockup. This is in sharp contrast to much more typical syscall operations which generate a small number, e.g. one or two, PATH records. We fixed this problem by explicitly checking if a reschedule is required when processing a large number of PATH records; regular users should not notice a difference.

  • Various internal changes to remove some redundant preprocessor logic, a dummy function’s return value, and a number of style and formatting changes.