Linux 7.2 Merge Window

Linux v7.1 was released on Sunday, June 14th, with the Linux v7.2 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and audit pull requests which have been merged into Linus’ tree.

LSM

  • Updated the security_inode_listsecurity() LSM hook so that individual LSMs could make use of the xattr_list_one() helper function, simplifying their code and making it more robust against future extended attribute changes.

SELinux

  • Added a number of additional validations to the SELinux policy parsing and loading code. Not only does this help ensure only valid policies are loaded into the kernel, it will also help administrators identify and correct faulty SELinux policies at load time.

  • Removed nontransitive comparisons in the SELinux sorting code to help ensure predictable sorting results. Qualys documented a similar issue in glibc’s qsort code with a detailed explanation of the problem and the fix.
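
The sorting problem above in miniature, as an added example (not kernel code): a "subtraction" comparator whose wrapped difference yields a cyclic order, a corrected three-way comparator, and a checker that vets a comparator for antisymmetry and transitivity on a constructed sample before it is ever handed to qsort(). The struct, sample values and function names are all assumptions made for this illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed sample: 32-bit keys spanning the unsigned range, plus a unique id. */
struct entry { unsigned int hash; unsigned int id; };
static const struct entry sample[] = { {0xC0000000u, 1}, {0u, 2}, {0x60000000u, 3}, {0u, 4} };
#define NSAMPLE (sizeof(sample) / sizeof(sample[0]))
static int sgn(int v) { return (v > 0) - (v < 0); }

/* Flawed "subtraction" comparator: the difference wraps, giving the cyclic order
 * 0 < 0x60000000 < 0xC0000000 < 0 (not transitive); qsort on it is undefined. */
static int cmp_bad(const void *pa, const void *pb)
{
	const struct entry *a = pa, *b = pb;
	return (int)(a->hash - b->hash);
}

/* Corrected comparator: explicit three-way compare with a complete tie-break. */
static int cmp_good(const void *pa, const void *pb)
{
	const struct entry *a = pa, *b = pb;
	if (a->hash != b->hash) return a->hash < b->hash ? -1 : 1;
	return (a->id > b->id) - (a->id < b->id);
}

/* 1 if cmp is antisymmetric and transitive over every pair/triple of arr. */
int cmp_is_consistent(int (*cmp)(const void *, const void *),
		      const struct entry *arr, size_t n)
{
	for (size_t i = 0; i < n; i++)
		for (size_t j = 0; j < n; j++) {
			if (sgn(cmp(&arr[i], &arr[j])) != -sgn(cmp(&arr[j], &arr[i])))
				return 0;
			for (size_t k = 0; k < n; k++)
				if (cmp(&arr[i], &arr[j]) <= 0 && cmp(&arr[j], &arr[k]) <= 0 &&
				    cmp(&arr[i], &arr[k]) > 0)
					return 0;
		}
	return 1;
}

/* Vet cmp on the sample before handing it to qsort. Returns -1 if cmp is
 * inconsistent, otherwise the id of the entry that sorted first. */
int sort_sample(int (*cmp)(const void *, const void *))
{
	struct entry copy[NSAMPLE];
	if (!cmp_is_consistent(cmp, sample, NSAMPLE))
		return -1;
	memcpy(copy, sample, sizeof(copy));
	qsort(copy, NSAMPLE, sizeof(copy[0]), cmp);
	return (int)copy[0].id;
}
```

The checker is quadratic-to-cubic and meant for unit tests of a comparator on representative keys, not for production paths.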

  • Updated the code to consistently use the u16 type for SELinux security classes.

  • Moved some memory page allocations to use kmalloc() based allocations. This change should increase scalability and open the door to additional debugging mechanisms. Expect more work in this area in the next Linux kernel release.

  • Moved from kmalloc_objs() to kzalloc_objs() in the SELinux policy loading code. This should help protect the kernel against ill-formed policies.

  • Reordered some of the processing in sel_kill_sb() to better match other pseudo-filesystems.

  • Simplified the code by using QSTR() instead of QSTR_INIT().

  • Minor comment fixes.

Audit

  • Fixed a recursive deadlock when duplicating executable file rules. The fix involved passing resolved inodes through the audit code to avoid triggering additional inode lookups and potentially causing a deadlock.

  • Fixed a problem where it was not possible to delete an executable file watch after the file was deleted. The fix involved removing a negative dentry check that was preventing the kernel from looking up the file watch associated with the deleted file.

  • Updated the code to consistently use the unsigned int type instead of unsigned.

Linux 7.1 Released

Linux v7.1 was released this past Sunday, June 14th. I previously wrote about the LSM, SELinux, and audit changes that were submitted this release, and LWN.net did their usual good job of covering the first and second weeks of the merge window. However, there were additional changes that went into Linux v7.1 during the release candidate phase that are described below.

LSM

  • Added a new LSM hook, security_unix_find(), to allow pathname-based LSMs, such as AppArmor and Landlock, to enforce access controls on named UNIX socket connections using the socket’s pathname.

  • Fixed a problem where we were not taking the credential mutex when updating the current task’s LSM attributes using the lsm_set_self_attr(2) syscall.

SELinux

  • Finished the deprecation and removal of the “/sys/fs/selinux/user” API which was used to list the SELinux security contexts that were reachable for a given user and starting context. The last known user, libselinux, stopped using this API in 2020 and the removal was scheduled for December 2025 or later. While the “/sys/fs/selinux/user” file still exists, writing to it has no effect other than to write a single error message to the system’s console.

  • While the “/sys/fs/selinux/checkreqprot” and “/sys/fs/selinux/disable” APIs have been deprecated and made ineffective for some time, writing to those files would still trigger some kernel code. Starting with Linux v7.1 that code has been removed and writing to those files will only trigger a single error message on the system’s console.

  • Fixed a problem where the per-task directory access cache introduced in Linux v6.16 was incorrectly caching information that controlled the generation of AVC audit records, leading to potentially missing audit records in some circumstances.

  • Fixed a problem where SELinux was not properly accessing the SELinux state associated with a socket object in the kernel, leading to potential conflicts with other LSMs simultaneously running on the system.

  • Fixed a problem where SELinux would always reserve an extended attribute slot even if it wasn’t going to be used. As the kernel stops parsing the list of extended attributes when it encounters an empty slot, depending on the system’s configuration there was a possibility that SELinux could obscure the extended attributes of other LSMs.
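
The empty-slot problem above, as an added example (not kernel code): a constructed model in which the consumer stops at the first unnamed slot, an "old" SELinux stand-in that claims a slot before deciding whether it will label the inode, a "new" one that claims a slot only when it has a value, and a second always-labelling LSM whose attribute disappears under the old behaviour. The struct layout, label strings and function names are assumptions for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Mirrors the shape of the kernel's struct xattr that the inode_init_security
 * hooks fill in; the array is terminated by an empty (unnamed) slot. */
struct xattr { const char *name; const void *value; size_t value_len; };
#define MAX_XATTRS 3   /* one slot per LSM plus the terminating empty slot */

/* Consumer side, modelled on the kernel: walk the array until the first
 * slot with no name; only those entries reach the filesystem. */
size_t xattrs_visible(const struct xattr *xattrs)
{
	size_t n = 0;
	while (n < MAX_XATTRS && xattrs[n].name != NULL)
		n++;
	return n;
}

/* Old behaviour (constructed model of the bug): SELinux takes its slot up
 * front and, when the new inode is not going to be labelled, leaves it empty. */
static void selinux_old(struct xattr *x, int will_label, size_t *slot)
{
	size_t i = (*slot)++;                      /* reserved unconditionally */
	if (will_label)
		x[i] = (struct xattr){ "security.selinux", "system_u:object_r:tmp_t:s0",
				       strlen("system_u:object_r:tmp_t:s0") };
}

/* Fixed behaviour: only take a slot when there is a value to put in it. */
static void selinux_new(struct xattr *x, int will_label, size_t *slot)
{
	if (will_label)
		x[(*slot)++] = (struct xattr){ "security.selinux", "system_u:object_r:tmp_t:s0",
					       strlen("system_u:object_r:tmp_t:s0") };
}

/* A second LSM that always labels the new inode (constructed Smack-style stand-in). */
static void other_lsm(struct xattr *x, size_t *slot)
{
	x[(*slot)++] = (struct xattr){ "security.SMACK64", "_", 1 };
}

/* Run the given SELinux variant, then the other LSM, and count what the consumer sees. */
size_t visible_with(void (*selinux)(struct xattr *, int, size_t *), int will_label)
{
	struct xattr x[MAX_XATTRS];
	size_t slot = 0;
	memset(x, 0, sizeof(x));          /* all slots start empty */
	selinux(x, will_label, &slot);
	other_lsm(x, &slot);
	return xattrs_visible(x);
}
```

With SELinux declining to label, the old variant leaves slot 0 empty and the other LSM's attribute in slot 1 is never reached; when both label, the two variants behave identically.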

  • Enabled multiple opens of “/sys/fs/selinux/policy” whereas previously only a single open was allowed across the entire system. The related code quality was also improved by shrinking locked sections and removing unnecessary BUG() macros.

  • Improved the code quality in the SELinux policy loading code by shrinking the locked section.

Audit

  • Fixed a problem where the inheritable capability set was incorrectly logged in the audit CAPSET records. The effective capability set was mistakenly recorded as the inheritable set.

  • Fixed a problem where the audit configuration lock was not properly enforced on the AUDIT_TRIM and AUDIT_MAKE_EQUIV operations.

Linux 7.1 Merge Window

Linux v7.0 was released on Sunday, April 12th, with the Linux v7.1 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and audit pull requests which have been merged into Linus’ tree.

LSM

  • An LSM security blob was added to the backing_file structure, along with the associated LSM management hooks, as well as a new hook for controlling the memory mapping of an overlayfs backing file to resolve problems with the mmap(2) and mprotect(2) operations on overlayfs files. Those LSMs which enforce memory mapping access controls on overlayfs files will likely need to use these new additions to ensure proper security policy enforcement.

  • Minor changes to leverage kstrdup_const() and kfree_const() in securityfs.

  • A number of small kernel-doc warnings were fixed.

SELinux

  • Updated the existing SELinux mmap(2) and mprotect(2) access control implementations to leverage the new LSM additions and ensure that security policies involving overlayfs files are properly enforced. Unlike traditional filesystems where only the process acting on the file must have the necessary permissions for an action to succeed, on overlayfs files not only must the process acting on the user visible file have the necessary permissions, but the filesystem’s mounting process must also have the necessary permissions on the underlying backing file.

  • A known, and harmless, race condition was annotated to quiet a KCSAN warning.

Audit

  • Additional input checking was added to catch unknown AUDIT_SET requests sent from userspace. Current kernels silently ignore any portion of an AUDIT_SET request that is not understood and only return an error if one of the known requests fails. This makes it difficult for userspace tools to determine what a given kernel supports in an AUDIT_SET request. Starting with Linux v7.1, if an AUDIT_SET request is made where at least one portion of the request is unknown, an -EINVAL error code will be returned to the user.

  • A number of small style and formatting cleanups to the audit kernel code.