Linux 6.7 Released

Linux v6.7 was released on Sunday, January 7th. I already wrote up a post highlighting the SELinux and audit changes that were submitted during the merge window; however, there were additional changes that went in during the release candidate process, which are described below.

SELinux

  • Minor changes to the SELinux credential code as part of the larger effort to remove CONFIG_DEBUG_CREDENTIALS. This should have little to no effect on SELinux.

Audit

  • Remove a WARN_ON_ONCE() based warning in the audit exe filter code, as it was causing a lot of scary-looking, but harmless, warnings on the console when exe filtering was used in conjunction with some eBPF programs.

In addition to my highlights, LWN.net provides a nice overall summary of the kernel changes made during the first and second weeks of the merge window.

Linux 6.7 Merge Window

Linux v6.6 was released this past Monday, with the Linux v6.7 merge window opening immediately afterwards. Below are the highlights of the SELinux and audit pull requests which Linus has merged into his tree.

SELinux

  • The CONFIG_SECURITY_SELINUX_DEBUG Kconfig option introduced in Linux v6.6 was enhanced to enable the SELinux debugging messages on the console by default. Those users who wish to have greater control over the SELinux debugging messages should enable Dynamic Debug.

  • A number of SELinux internal hash table related improvements were made in this kernel release. The role transition table moved to using the Jenkins hash function, the access vector table allocation function was simplified, and the hash bucket sizes are now printed along with the other hash table statistics when SELinux debugging is enabled.

  • Annotate the flexible array member of an internal data structure to specify which field holds the length of the variable-length array. This enables the kernel’s UBSAN and CONFIG_FORTIFY_SOURCE runtime analysis tools to perform memory bounds checking on that variable-length field.

  • SELinux policy load times were improved slightly thanks to the use of an optimized Hamming weight function when reading access vector fields in the policy.

Audit

  • Similar to SELinux, an internal data structure with a flexible array member was annotated to enable runtime bounds checking.
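As an added example (not code from the kernel or from this post), the user-space C below shows the pattern behind the SELinux and audit annotations above: a flexible array member annotated with the compiler’s counted_by attribute, wrapped in a local macro that stands in for the kernel’s own annotation, so that bounds-checking tooling knows which field carries the length. The struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not kernel code: a local stand-in for the kernel's
 * flexible array annotation. When the compiler supports the counted_by
 * attribute (GCC 15+, Clang 18+), -fsanitize=bounds and FORTIFY-style
 * __builtin_dynamic_object_size() use the named field as the array length;
 * otherwise the macro expands to nothing and the code still compiles. */
#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(member) __attribute__((counted_by(member)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(member)
#endif

/* Hypothetical variable-length record in the style of the kernel structures
 * described in the post: a length field followed by a flexible array member. */
struct vlen_blob {
        uint32_t len;                   /* number of valid bytes in data[] */
        uint8_t data[] COUNTED_BY(len);
};

/* Allocate a blob holding n bytes; len is set before data[] is touched,
 * which is what counted_by requires for its bounds to be meaningful. */
struct vlen_blob *vlen_blob_new(const uint8_t *src, uint32_t n)
{
        struct vlen_blob *b = malloc(offsetof(struct vlen_blob, data) + n);
        if (!b)
                return NULL;
        b->len = n;
        memcpy(b->data, src, n);
        return b;
}

/* Explicit check mirroring what the annotation lets the tooling enforce at
 * run time: an index at or beyond len is rejected instead of reading past
 * the allocation. Returns the byte value, or -1 when idx is out of bounds. */
int vlen_blob_get(const struct vlen_blob *b, uint32_t idx)
{
        if (!b || idx >= b->len)
                return -1;
        return b->data[idx];
}
```

Compiling with `-fsanitize=bounds` on a counted_by-aware compiler turns an unchecked `b->data[idx]` with `idx >= b->len` into a sanitizer report, which is the behaviour the kernel annotations unlock for UBSAN.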

Linux 6.6 Released

Linux v6.6 was released on Monday, October 30th. I already wrote up a post highlighting the SELinux and audit changes that were submitted during the merge window; however, there were additional changes that went in during the release candidate process, which are described below.

SELinux

  • Fix a bug that would prevent NFS submounts before the SELinux policy was loaded. This was noticeable on systems that attempted to mount an NFS filesystem in their initramfs and would often result in the following error message on the system’s console: “SELinux: Unable to set superblock options before the security server is initialized”.

Audit

  • Fix a problem where performing file open operations in io_uring could trigger a reference count race condition that would result in a kernel panic in the audit pathname logging code.

  • Improve the netfilter / nf_tables audit logging by properly logging the NFT_MSG_GETOBJ_RESET and NFT_MSG_GETRULE_RESET commands.

In addition to my highlights, LWN.net provides a nice overall summary of the kernel changes made during the first and second weeks of the merge window.