Linux 6.19 Merge Window
04 Dec 2025 tags: audit lsm selinux

Linux v6.18 was released on Sunday, November 30th, with the Linux v6.19 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and audit pull requests which have been merged into Linus’ tree.
LSM
- The LSM initialization code was heavily reworked to improve code quality, avoid unnecessary work related to LSMs that are disabled at boot time, and provide support for a LSM notification that indicates that all enabled LSMs have been fully initialized. The LSM_STARTED_ALL notification is currently unused, but work is in progress which makes use of this notification to measure the IPE boot policy once all of the LSMs have been fully initialized and started.
- The device_cgroup code was updated to make better use of the seq_put*() helper functions. This is purely a code quality improvement; there should be no visible user impact.
SELinux
- Traditionally memfd files were labeled as either tmpfs or hugetlbfs files depending on the system’s configuration. While this was simple, and aligned well with the memfd implementation, it made it difficult to differentiate between memfd files and other tmpfs/hugetlbfs files. In order to resolve this a new policy capability was created, “memfd_class”, which, when enabled, adds a new object class for memfd files, memfd_file. The new object class enables policy developers to write policy specifically for memfd files without impacting other tmpfs or hugetlbfs files. As the patch developer, Thiébaud Weksteen, pointed out in the commit description, this is of particular interest when execution of memfds is attempted:

  > The ability to limit fexecve on memfd has been of interest to avoid potential pitfalls where /proc/self/exe or similar would be executed (see ChromeOS Issue and memfd exec protections). Reuse the “execute_no_trans” and “entrypoint” access vectors, similarly to the file class. These access vectors may not make sense for the existing “anon_inode” class. Therefore, define and assign a new class “memfd_file” to support such access vectors.

- A new build time configuration has been introduced, CONFIG_SECURITY_SELINUX_AVC_HASH_BITS, which allows adjustment of the SELinux Access Vector Cache (AVC) hash bucket sizes. The default value is set to 9 bits, resulting in 512 entries for each bucket. Users with unusual workloads or non-typical SELinux policies may want to experiment with this value.
- The SELinux Access Vector Cache (AVC) moved from a custom hash function to the MurmurHash3 hash, resulting in improvements in hash distribution and latency.
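To show how the two AVC changes above fit together, here is an added example (not kernel code) that hashes an AVC lookup key with MurmurHash3 and keeps only as many bits as a 9-bit hash table has. The key packing, the seed and the `avc_slot()` name are assumptions for illustration; the kernel's own avc_hash() may pack the key differently.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed to mirror CONFIG_SECURITY_SELINUX_AVC_HASH_BITS=9 -> 512 slots. */
#define AVC_HASH_BITS 9
#define AVC_CACHE_SLOTS (1u << AVC_HASH_BITS)

static uint32_t rotl32(uint32_t x, int r) { return (x << r) | (x >> (32 - r)); }

/* Final avalanche step of MurmurHash3 x86_32. */
static uint32_t fmix32(uint32_t h)
{
	h ^= h >> 16; h *= 0x85ebca6b;
	h ^= h >> 13; h *= 0xc2b2ae35;
	h ^= h >> 16;
	return h;
}

/* MurmurHash3 x86_32 (Austin Appleby's public-domain algorithm), endian-safe. */
uint32_t murmur3_32(const void *key, size_t len, uint32_t seed)
{
	const uint8_t *d = key;
	const uint32_t c1 = 0xcc9e2d51, c2 = 0x1b873593;
	uint32_t h1 = seed, k1 = 0;
	size_t i, nblocks = len / 4;

	for (i = 0; i < nblocks; i++) {          /* 4-byte body blocks */
		k1 = (uint32_t)d[i * 4] | (uint32_t)d[i * 4 + 1] << 8 |
		     (uint32_t)d[i * 4 + 2] << 16 | (uint32_t)d[i * 4 + 3] << 24;
		k1 *= c1; k1 = rotl32(k1, 15); k1 *= c2;
		h1 ^= k1; h1 = rotl32(h1, 13); h1 = h1 * 5 + 0xe6546b64;
	}
	d += nblocks * 4;
	k1 = 0;
	switch (len & 3) {                       /* 1-3 trailing bytes */
	case 3: k1 ^= (uint32_t)d[2] << 16; /* fall through */
	case 2: k1 ^= (uint32_t)d[1] << 8;  /* fall through */
	case 1: k1 ^= d[0];
		k1 *= c1; k1 = rotl32(k1, 15); k1 *= c2; h1 ^= k1;
	}
	return fmix32(h1 ^ (uint32_t)len);
}

/* Hypothetical slot selection: hash the (ssid, tsid, tclass) lookup key in
 * host byte order and mask to AVC_HASH_BITS bits (an assumption, not avc_hash()). */
uint32_t avc_slot(uint32_t ssid, uint32_t tsid, uint16_t tclass)
{
	uint8_t key[10];
	memcpy(key, &ssid, 4); memcpy(key + 4, &tsid, 4); memcpy(key + 8, &tclass, 2);
	return murmur3_32(key, sizeof(key), 0) & (AVC_CACHE_SLOTS - 1);
}
```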
Audit
- The __audit_inode_child() function loops over the list of logged inodes twice, first to search for a parent inode, and then again to search for a potential match for the child inode. Linux v6.19 will consolidate these two loops into a single loop that searches for a matching parent and child inode at the same time, resulting in approximately a 50% reduction in audit overhead.