Linux 6.18 Released

Linux v6.18 was released on Sunday, November 30th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window. However, there were additional changes that went into Linux v6.18 that are described below.

SELinux

  • Fix a problem where the per-task directory access cache introduced in Linux v6.16 was tied to a credential rather than a task. An odd problem, largely caused by changes over time and a failure to update the SELinux object security structure names to reflect those changes. The fix is to reintroduce a proper per-task security structure for SELinux and rename the existing per-credential security structure to better reflect its nature.

Linux 6.18 Merge Window

Linux v6.17 was released on Sunday, September 28th, with the Linux v6.18 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and audit pull requests which have been merged into Linus’ tree.

LSM

  • Management of the BPF LSM security blobs was moved into the LSM framework. Previously the BPF security blobs were managed by SELinux, as it was the only LSM with BPF access controls. Moving the blob lifecycle management into the LSM framework enables other LSMs to implement their own BPF access controls or observation implementations.

  • Convert the LSM block device security blob allocator to use the existing allocator helper function. This should have no effect on users, but helps reduce code duplication and ease maintenance of the code moving forward.

  • Update the Rust credentials code to use sync::aref. This is part of a larger effort to move the Rust kernel code over to the sync module.

SELinux

  • Support per-file labeling on functionfs, a pseudo-filesystem that can be used to implement USB gadget drivers.

  • Convert sel_read_bool() to use a small stack buffer instead of a memory page allocated via get_zeroed_page(). Whole pages are a limited resource, and allocating one to hold a few bytes of boolean state is wasteful; moving SELinux away from these allocations helps ensure the system does not needlessly consume them.

  • Make better use of the network helper functions to retrieve the sock associated with a network packet. While this has no effect on behavior, it does make the code cleaner and easier to maintain.

  • Remove some unused and redundant code.

Audit

  • Create a new AUDIT_MAC_TASK_CONTEXTS audit record to log all of the LSM labels associated with a task on a system with multiple LSMs enabled. Casey Schaufler, the patch’s author, provides an example and an explanation of when the record may be generated in the patch’s description:

    Create a new audit record AUDIT_MAC_TASK_CONTEXTS. An example of the MAC_TASK_CONTEXTS record is:

     type=MAC_TASK_CONTEXTS
       msg=audit(1600880931.832:113)
       subj_apparmor=unconfined
       subj_smack=_
    

    When an audit event includes an AUDIT_MAC_TASK_CONTEXTS record the “subj=” field in other records in the event will be “subj=?”. An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on a subject security context.

  • Similar to the new AUDIT_MAC_TASK_CONTEXTS record, create a new AUDIT_MAC_OBJ_CONTEXTS audit record to log all of the LSM labels associated with an object on a system with multiple LSMs enabled. Casey Schaufler, the patch’s author, describes the work in the patch description:

    Create a new audit record AUDIT_MAC_OBJ_CONTEXTS. An example of the MAC_OBJ_CONTEXTS record is:

    type=MAC_OBJ_CONTEXTS
      msg=audit(1601152467.009:1050):
      obj_selinux=unconfined_u:object_r:user_home_t:s0
    

    When an audit event includes an AUDIT_MAC_OBJ_CONTEXTS record the “obj=” field in other records in the event will be “obj=?”. An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on an object security context.

  • Ensure that fanotify audit records are always generated. Previously the fanotify record was only emitted when audit rules were configured, in contrast to the Linux audit convention where security relevant events are always logged regardless of the presence of rules.

  • Minor comment and coding style fixes.
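The two new records above change how a log consumer has to resolve a subject or object label: on a multi-LSM host the familiar “subj=” and “obj=” fields become “?” and the real labels move into a separate MAC_TASK_CONTEXTS or MAC_OBJ_CONTEXTS record keyed by LSM name, so anything that greps for “subj=unconfined_u:…” silently stops matching. The parser below is an added example, not code from this post, from the kernel or from the audit userspace tools. It groups records by their audit(ts:serial) event id, pulls per-LSM labels out of the new records, falls back to the plain “subj=”/“obj=” value on a single-LSM host, and flags events where a “?” placeholder is present without the record that resolves it. The sample log lines are constructed for the example (the subj_*/obj_* values are the ones quoted from the patch descriptions; the SYSCALL and PATH records are made up), the “*” key for an unnamed single-LSM label is this example’s own convention, and the example assumes one labelled object per event.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from any real system). The
# MAC_TASK_CONTEXTS / MAC_OBJ_CONTEXTS values match the patch descriptions
# quoted above; the SYSCALL and PATH records are made up to show how "subj=?"
# and "obj=?" appear alongside them. Event 1051 is a single-LSM host with a
# conventional subj= value; event 1052 has subj=? but no MAC_TASK_CONTEXTS
# record, which is the inconsistency dangling_placeholders() reports.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1600880931.832:113): arch=c000003e syscall=257 success=yes exit=3 pid=4242 uid=1000 comm="cat" exe="/usr/bin/cat" subj=? key="home-reads"
type=MAC_TASK_CONTEXTS msg=audit(1600880931.832:113): subj_apparmor=unconfined subj_smack=_
type=SYSCALL msg=audit(1601152467.009:1050): arch=c000003e syscall=257 success=yes exit=3 pid=4243 uid=1000 comm="cat" exe="/usr/bin/cat" subj=? key="home-reads"
type=MAC_TASK_CONTEXTS msg=audit(1601152467.009:1050): subj_selinux=unconfined_u:unconfined_r:unconfined_t:s0 subj_apparmor=unconfined
type=PATH msg=audit(1601152467.009:1050): item=0 name="/home/user/notes.txt" inode=1234 mode=0100644 ouid=1000 ogid=1000 obj=? nametype=NORMAL
type=MAC_OBJ_CONTEXTS msg=audit(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0
type=SYSCALL msg=audit(1601152470.500:1051): arch=c000003e syscall=257 success=yes exit=3 pid=4244 uid=1000 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="home-reads"
type=SYSCALL msg=audit(1601152471.000:1052): arch=c000003e syscall=257 success=no exit=-13 pid=4245 uid=1000 comm="cat" exe="/usr/bin/cat" subj=? key="home-reads"
"""

# "type=X msg=audit(ts:serial): body"; the colon after ")" is optional because
# the quoted MAC_TASK_CONTEXTS example omits it while the MAC_OBJ_CONTEXTS one has it.
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):?\s*(?P<body>.*)$"
)
# name=value pairs; quoted values may contain spaces, unquoted ones may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log line into its record type, event id and fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return {"type": m.group("type"),
            "event": (m.group("ts"), int(m.group("serial"))),
            "fields": fields}


def group_events(log_text):
    """Group records by audit(ts:serial), the id that ties one event together."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["event"]].append(rec)
    return dict(events)


def _contexts(records, rec_type, prefix, plain_field):
    # Prefer the per-LSM record; strip the subj_/obj_ prefix to get the LSM name.
    ctx = {}
    for rec in records:
        if rec["type"] == rec_type:
            for k, v in rec["fields"].items():
                if k.startswith(prefix):
                    ctx[k[len(prefix):]] = v
    if ctx:
        return ctx
    # Single-LSM host: the plain field carries the label but does not name the
    # LSM, so this example files it under "*" (an assumption of the example).
    for rec in records:
        v = rec["fields"].get(plain_field)
        if v is not None and v != "?":
            return {"*": v}
    return {}


def subject_contexts(records):
    """{lsm: label} for the event's subject, from MAC_TASK_CONTEXTS or subj=."""
    return _contexts(records, "MAC_TASK_CONTEXTS", "subj_", "subj")


def object_contexts(records):
    """{lsm: label} for the event's object, from MAC_OBJ_CONTEXTS or obj=.
    Assumes one labelled object per event (an assumption of this example)."""
    return _contexts(records, "MAC_OBJ_CONTEXTS", "obj_", "obj")


def selinux_subject(records):
    """SELinux subject label whichever record carried it, or None if absent."""
    ctx = subject_contexts(records)
    return ctx.get("selinux", ctx.get("*"))


def dangling_placeholders(events):
    """Event ids where subj=? or obj=? appears without the record that resolves it.
    A consumer keying only on subj=/obj= would otherwise lose the label silently."""
    bad = []
    for ev, records in sorted(events.items()):
        types = {r["type"] for r in records}
        fields = [r["fields"] for r in records]
        if any(f.get("subj") == "?" for f in fields) and "MAC_TASK_CONTEXTS" not in types:
            bad.append((ev, "subj"))
        if any(f.get("obj") == "?" for f in fields) and "MAC_OBJ_CONTEXTS" not in types:
            bad.append((ev, "obj"))
    return bad


if __name__ == "__main__":
    evs = group_events(SAMPLE_LOG)
    for ev, records in sorted(evs.items()):
        print(ev, "subject:", subject_contexts(records), "object:", object_contexts(records))
    print("dangling:", dangling_placeholders(evs))
```

The practical point is the lookup order in subject_contexts(): a tool that wants the SELinux label has to check for a MAC_TASK_CONTEXTS record first and only then fall back to “subj=”, and it should treat “subj=?” with no companion record as a gap to alert on rather than as an unlabeled task.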

Linux 6.17 Released

Linux v6.17 was released on Sunday, September 28th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window. However, there were additional changes that went into Linux v6.17 that are described below.

LSM

  • Added two new LSM hooks, security_inode_file_getattr() and security_inode_file_setattr(), to gate the FS_IOC_FSGETXATTR and FS_IOC_FSSETXATTR ioctls and the corresponding file_getattr(2) and file_setattr(2) syscalls. At present, only SELinux provides access controls for these new LSM hooks, using the existing getattr and setattr file object permissions.

Audit

  • Fixed a potential out-of-bounds read in the audit pathname comparison code.