Linux 6.18 Merge Window
02 Oct 2025 tags: audit lsm selinux

Linux v6.17 was released on Sunday, September 29th, with the Linux v6.18 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and audit pull requests which have been merged into Linus’ tree.
LSM
- Management of the BPF LSM security blobs was moved into the LSM framework. Previously the LSM security blobs were managed by SELinux, as it was the only LSM with BPF access controls. Moving the blob lifecycle management into the LSM framework enables other LSMs to implement their own BPF access controls or observation implementations.
- Convert the LSM block device security blob allocator to use the existing allocator helper function. This should have no effect on users, but it helps reduce code duplication and eases maintenance of the code moving forward.
- Update the Rust credentials code to use sync::aref. This is part of a larger effort to move the Rust kernel code over to the sync module.
SELinux
- Support per-file labeling on functionfs, a pseudo-filesystem that can be used to implement USB gadget drivers.
- Convert sel_read_bool() to use a small stack buffer instead of a memory page allocated via get_zeroed_page(). There are a limited number of pages available via get_zeroed_page(); migrating SELinux away from these pages helps ensure that the system does not exhaust this limited resource.
- Make better use of the network helper functions to retrieve the sock associated with a network packet. While this has no real effect on the code's behavior, it does make the code cleaner and easier to maintain.
- Remove some unused and redundant code.
Audit
- Create a new AUDIT_MAC_TASK_CONTEXTS audit record to log all of the LSM labels associated with a task on a system with multiple LSMs enabled. Casey Schaufler, the patch’s author, provides an example and an explanation of when the record may be generated in the patch’s description:

  Create a new audit record AUDIT_MAC_TASK_CONTEXTS. An example of the MAC_TASK_CONTEXTS record is:

  type=MAC_TASK_CONTEXTS msg=audit(1600880931.832:113) subj_apparmor=unconfined subj_smack=_

  When an audit event includes an AUDIT_MAC_TASK_CONTEXTS record the “subj=” field in other records in the event will be “subj=?”. An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on a subject security context.
- Similar to the new AUDIT_MAC_TASK_CONTEXTS record, create a new AUDIT_MAC_OBJ_CONTEXTS audit record to log all of the LSM labels associated with an object on a system with multiple LSMs enabled. Casey Schaufler, the patch’s author, describes the work in the patch description:

  Create a new audit record AUDIT_MAC_OBJ_CONTEXTS. An example of the MAC_OBJ_CONTEXTS record is:

  type=MAC_OBJ_CONTEXTS msg=audit(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0

  When an audit event includes an AUDIT_MAC_OBJ_CONTEXTS record the “obj=” field in other records in the event will be “obj=?”. An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on an object security context.
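As an added example (not part of this post or of the kernel patches), the following Python helper shows what log tooling has to do with the two records above: group audit records by their event serial and, wherever a record carries the “subj=?” or “obj=?” placeholder, pull the per-LSM labels from the event's MAC_TASK_CONTEXTS or MAC_OBJ_CONTEXTS record. The two MAC_*_CONTEXTS lines in the sample are the ones quoted from the patch descriptions; the SYSCALL and PATH lines around them, and their field values, are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log: the two MAC_*_CONTEXTS lines are the examples quoted
# from the patch descriptions; the SYSCALL and PATH lines are constructed.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1600880931.832:113): arch=c000003e syscall=257 success=yes exit=3 pid=1234 subj=? key=(null)
type=MAC_TASK_CONTEXTS msg=audit(1600880931.832:113) subj_apparmor=unconfined subj_smack=_
type=PATH msg=audit(1601152467.009:1050): item=0 name="/home/user/notes.txt" obj=? nametype=NORMAL
type=MAC_OBJ_CONTEXTS msg=audit(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0
type=SYSCALL msg=audit(1600880931.900:114): arch=c000003e syscall=257 success=yes exit=4 pid=1235 subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
"""

# Header: type, timestamp, per-event serial (ties an event's records together).
# The colon after ")" is optional: the MAC_TASK_CONTEXTS example has none.
_HEADER = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\):?\s*(.*)$")

def parse_record(line):
    """Return (type, serial, {field: value}) for one audit record, else None."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    return m.group(1), int(m.group(3)), dict(re.findall(r"(\S+?)=(\S+)", m.group(4)))
# Placeholder field -> record type that carries the per-LSM labels instead.
_CONTEXT_RECORD = {"subj": "MAC_TASK_CONTEXTS", "obj": "MAC_OBJ_CONTEXTS"}
def resolve_contexts(log_text):
    """Per event serial, report the subject/object label, expanding a "?"
    placeholder into {lsm: label} taken from the event's MAC_*_CONTEXTS record."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec[1]].append(rec)
    resolved = {}
    for serial, records in events.items():
        by_type = {rtype: fields for rtype, _, fields in records}
        out = {}
        for key, ctx_type in _CONTEXT_RECORD.items():
            holder = next((f for _, _, f in records if key in f), None)
            if holder is None:
                continue
            if holder[key] != "?":
                out[key] = {"single": holder[key]}
            else:  # multi-LSM system: one label per LSM in the contexts record
                ctx = by_type.get(ctx_type, {})
                out[key] = {k[len(key) + 1:]: v for k, v in ctx.items()
                            if k.startswith(key + "_")}
        resolved[serial] = out
    return resolved
```

A single-LSM event (serial 114 in the sample) keeps its ordinary subj= value, so a consumer only has to look for the contexts record when it sees the “?” placeholder.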
- Ensure that fanotify events are always generated. Previously, fanotify events were only logged when audit was explicitly configured, in contrast to the Linux audit convention where security relevant events are always logged.
- Minor comment and coding style fixes.