29 May 2025 tags: audit lsm selinux

Linux v6.15 was released on Sunday, May 25th, with the Linux v6.16 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and audit pull requests which have been merged into Linus’ tree.

LSM

- Move the security_netlink_send() LSM hook under the Kconfig CONFIG_SECURITY_NETWORK tunable.
SELinux

- Reduce the SELinux impact on path walks through the addition of a small directory access cache to the per-task SELinux state. This cache allows SELinux to cache the most recently used directory access decisions in order to avoid repeatedly querying the Access Vector Cache (AVC) on path walks where the majority of the directories have similar security contexts/labels. Crude performance measurements taken prior to this patch indicated that time spent in the SELinux code on a make allmodconfig run was 103% that of __d_lookup_rcu(), and with this patch the time spent in the SELinux code dropped to 63% of __d_lookup_rcu(), a ~40% improvement.
- Add support for wildcards in genfscon policy statements as opposed to the current prefix matching approach. Adding wildcard support allows for more expressive and efficient path matching in the policy, which is especially helpful for filesystems such as sysfs. Early work has shown a ~15% boot time reduction on Android. SELinux policies can opt into wildcard matching by enabling the genfs_seclabel_wildcard policy capability.
- Unify the out of memory error handling of the SELinux network and InfiniBand object caches to ensure that cache allocation failures still return the object label and do not fail the operation. While the object label may not be cached in this case, future object lookups will continue to attempt to cache the object’s label.
- Minor improvements around constification, ‘likely’ annotations, and removal of bogus code comments.
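The per-task directory access cache above is easiest to understand by counting AVC decisions. The following is an added example, not code from the post or from the kernel: a toy model in which every directory on a path walk needs a "search" decision for the (task SID, directory SID) pair, and a single-entry per-task cache short-circuits repeated decisions for consecutively walked directories carrying the same label. The SIDs, the cache size and the policy-reload handling (a sequence number that invalidates stale cached decisions) are assumptions of the model.

```python
# Added example, not code from the post or the kernel: a toy model of a
# per-task directory access decision cache sitting in front of the AVC.
# SIDs/labels, the one-entry cache size and the seqno-based invalidation
# are constructed for illustration.


class AVC:
    """Stand-in for the kernel AVC: answers (tsid, dsid) -> allowed and counts queries."""

    def __init__(self, allowed_pairs):
        self.allowed_pairs = set(allowed_pairs)
        self.queries = 0
        self.seqno = 0           # bumped on policy reload; cached decisions become stale

    def has_search_perm(self, tsid, dsid):
        self.queries += 1
        return (tsid, dsid) in self.allowed_pairs

    def reload_policy(self, allowed_pairs):
        self.allowed_pairs = set(allowed_pairs)
        self.seqno += 1


class Task:
    """Per-task SELinux state with an optional single-entry directory decision cache."""

    def __init__(self, sid, avc, use_cache=True):
        self.sid = sid
        self.avc = avc
        self.use_cache = use_cache
        self.cache = None        # (dsid, allowed, seqno) of the most recent decision

    def may_search(self, dsid):
        if self.use_cache and self.cache is not None:
            c_dsid, c_allowed, c_seqno = self.cache
            # Hit only if the directory label matches and policy has not changed since.
            if c_dsid == dsid and c_seqno == self.avc.seqno:
                return c_allowed
        allowed = self.avc.has_search_perm(self.sid, dsid)
        if self.use_cache:
            self.cache = (dsid, allowed, self.avc.seqno)
        return allowed

    def walk(self, dir_sids):
        """Walk a path given as the SIDs of its directory components; True if every step is allowed."""
        return all(self.may_search(d) for d in dir_sids)


# Constructed sample: the directory components of /usr/lib/python3/site-packages/pkg,
# given as labels; most components share one label, the case the post describes.
SAMPLE_PATH = ["root_t", "usr_t", "lib_t", "lib_t", "lib_t"]


def queries_for_walk(use_cache, dir_sids=SAMPLE_PATH, tsid="app_t"):
    """Return (allowed, number of AVC queries) for one walk of dir_sids by tsid."""
    avc = AVC({(tsid, d) for d in dir_sids})
    task = Task(tsid, avc, use_cache=use_cache)
    return task.walk(dir_sids), avc.queries


def cache_invalidated_on_reload(tsid="app_t"):
    """Show that a cached 'allowed' decision is not reused after a policy reload."""
    avc = AVC({(tsid, "lib_t")})
    task = Task(tsid, avc)
    first = task.may_search("lib_t")      # AVC query, result cached as allowed
    avc.reload_policy(set())              # new policy: nothing allowed
    second = task.may_search("lib_t")     # seqno mismatch -> AVC asked again
    return first, second, avc.queries


if __name__ == "__main__":
    for use_cache in (False, True):
        ok, n = queries_for_walk(use_cache)
        print(f"cache={use_cache}: allowed={ok}, AVC queries={n}")
    print("after reload:", cache_invalidated_on_reload())
```

Running the model on the sample path takes the walk from five AVC queries to three: the three consecutive lib_t components cost one query instead of three. The reload function is the property a reviewer would want to see preserved by any such cache: a decision cached under an older policy must not be honoured after the policy changes.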
Audit

- Always record AUDIT_ANOM events when auditing is enabled. Prior to this change AUDIT_ANOM events were only recorded if auditing was enabled and the admin/distro had explicitly configured audit beyond the defaults.
- Annotate the audit_log_vformat() function with the __printf() attribute to quiet warnings on modern GCC compilers.
28 May 2025 tags: audit lsm selinux

Linux v6.15 was released on Sunday, May 25th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window. However, there were additional changes that went into Linux v6.15 that are described below.

LSM

- Minor changes to the security_bpf() LSM hook, and associated SELinux callback, to support future work on BPF signature validation.

Audit

- Minor updates to the audit filesystem watch code to reflect changes in the VFS subsystem.

In addition to my highlights, LWN.net provides a nice overall summary of the kernel changes made during the first and second weeks of the merge window.
06 Apr 2025 tags: audit lsm selinux

Linux v6.14 was released two weeks ago on March 24th, with the Linux v6.15 merge window opening immediately afterwards. Below are the highlights of the LSM and SELinux pull requests which have been merged into Linus’ tree. There were no patches queued in the audit tree for Linux v6.15.

LSM

- While only tangentially related to the LSM framework, due to a lack of a clear maintainer for the Linux kernel’s credentials code, I have volunteered to serve in that role and Serge Hallyn has volunteered to serve as a formal reviewer. Considering the relatively low volume of credential related patches, I plan to accept the patches into the LSM tree, but this could change in the future if the volume increases.
- Minor updates to the Rust LSM and credentials bindings, fixing code comments and inlining several methods.
- Remove an unused parameter from the security_perf_event_open() LSM hook.
SELinux

- Add a new LSM hook and SELinux implementation to the io_uring_allowed() function. The new SELinux permission, io_uring/allowed, controls the ability of the currently running SELinux domain to use the io_uring_setup(2) syscall.
- Add additional SELinux access controls for kernel file reads and loads from userspace. The new controls add support for firmware images via the system/firmware_load permission, kexec kernels via system/kexec_image_load, kexec initramfs images via system/kexec_initramfs_load, system policies via system/policy_load, and X.509 certificates via system/x509_certificate_load.
- Add the file/watch_mountns permission to control access to watching for changes to the mount namespace. Changes include the addition of a new filesystem mount, removal of an existing mount, or moving a mount in a namespace.
- Add support for network interface name wildcard matching in SELinux policy. This makes it easier for policy developers to support tools which auto generate network interfaces according to a pattern, e.g. nic0, nic1, nic2, etc. In order to enable the wildcard matching in the SELinux policy, the policy must also set the netif_wildcard policy capability.
- Fix a potential future issue in the SELinux kernel read file controls. While this wasn’t a problem with the existing SELinux kernel module read controls, there was an issue where SELinux did not properly enforce policy on the kernel’s chunked file reads. As this was fixed at the same time we added support for kernel file read types that include chunked reads, users do not have to worry about security regressions or vulnerabilities related to this issue.
- Fix a subshell error handling issue in the kernel’s example policy loading script. Error conditions should now be properly caught and error messages displayed to the caller.
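Two of the changes on this page, wildcard matching for genfscon paths (the genfs_seclabel_wildcard capability in the Linux v6.16 post above) and wildcard matching for network interface names (the netif_wildcard capability in this post), share one idea: a policy entry becomes a pattern rather than a literal, but only once the policy opts in. The following is an added example, not code from the post or from the kernel, modelling both lookups side by side with the capability off and on. Assumptions of the model, not statements about the kernel: the pattern language is '*' (any run of characters, possibly empty) and '?' (exactly one character); genfscon candidates are tried longest pattern first and the first match wins, which in prefix mode reduces to "longest matching prefix wins"; netifcon entries are tried in policy order. All entry paths, interface names and contexts are constructed.

```python
# Added example, not code from the post or the kernel: a model of genfscon and
# netifcon lookups with and without the wildcard policy capabilities. The
# matching language, candidate ordering, paths, names and type names are all
# assumptions/constructions for illustration.

from dataclasses import dataclass


def match_wildcard(pattern: str, name: str) -> bool:
    """Whole-string glob match supporting only '*' and '?' (no '[...]' classes)."""
    p = n = 0
    star = -1      # index of the last '*' seen in pattern, -1 if none
    star_n = 0     # index in name to which that '*' currently expands
    while n < len(name):
        if p < len(pattern) and pattern[p] == "*":
            star, star_n = p, n
            p += 1
        elif p < len(pattern) and (pattern[p] == "?" or pattern[p] == name[n]):
            p += 1
            n += 1
        elif star != -1:
            # Backtrack: let the last '*' swallow one more character of name.
            star_n += 1
            p, n = star + 1, star_n
        else:
            return False
    while p < len(pattern) and pattern[p] == "*":
        p += 1
    return p == len(pattern)


@dataclass(frozen=True)
class GenfsEntry:
    fstype: str
    path: str        # literal prefix, or a '*'/'?' pattern once the capability is on
    context: str


def genfs_context(entries, fstype, path, wildcard_cap):
    """Label for `path` on filesystem `fstype`; None if no genfscon entry applies."""
    candidates = sorted((e for e in entries if e.fstype == fstype),
                        key=lambda e: len(e.path), reverse=True)
    for e in candidates:
        hit = match_wildcard(e.path, path) if wildcard_cap else path.startswith(e.path)
        if hit:
            return e.context
    return None


def netif_context(entries, ifname, wildcard_cap):
    """Interface label; entries are (name_or_pattern, context) tried in policy order."""
    for pattern, context in entries:
        if (match_wildcard(pattern, ifname) if wildcard_cap else pattern == ifname):
            return context
    return None


# Constructed policy fragments; the example_* type names are made up.
GENFS = [
    GenfsEntry("sysfs", "/", "system_u:object_r:example_sysfs_t:s0"),
    GenfsEntry("sysfs", "/devices/system/cpu", "system_u:object_r:example_cpu_t:s0"),
    GenfsEntry("sysfs", "/class/net/*/address", "system_u:object_r:example_netaddr_t:s0"),
]
NETIF = [
    ("lo", "system_u:object_r:example_lo_t:s0"),
    ("nic*", "system_u:object_r:example_nic_t:s0"),
]


def demo():
    """Same lookups with the capabilities off and on, as (off, on) pairs."""
    lookups = {
        "cpu0/online": ("sysfs", "/devices/system/cpu/cpu0/online"),
        "eth0/address": ("sysfs", "/class/net/eth0/address"),
    }
    out = {}
    for label, (fs, path) in lookups.items():
        out[label] = tuple(genfs_context(GENFS, fs, path, cap) for cap in (False, True))
    out["nic7"] = tuple(netif_context(NETIF, "nic7", cap) for cap in (False, True))
    return out


if __name__ == "__main__":
    for label, (off, on) in demo().items():
        print(f"{label:14s} cap off: {off}\n{'':14s} cap on:  {on}")
```

The results show both sides of opting in. With the capability off, the "/class/net/*/address" entry labels nothing, because '*' is just a literal character in a prefix, and "nic7" gets no netifcon label at all; with it on, both patterns apply. The "cpu0/online" lookup shows the check a policy author would want to run before enabling the capability under this model's whole-string semantics: an entry such as "/devices/system/cpu" that was relied on as a prefix no longer matches the paths beneath it unless it is written with an explicit trailing '*', so existing genfscon entries should be audited for implicit prefix use when the capability is switched on.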