Picture of Paul Moore

Paul Moore

© 2025 Licensed under CC BY-NC-SA 4.0

Linux 6.13 Released

22 Jan 2025 tags: audit lsm selinux

Linux v6.13 was released on Sunday, January 19th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window, however there were additional changes that went in during the release candidate process which are described below.

LSM

  • Leverage the new get_task_comm() API to get the current task’s “comm” string as opposed to accessing it directly. While minor, this affects the LSM framework’s common auditing code as well as SELinux.

  • Minor IMA variable renaming to fix a variable name collision related to the lsm_prop changes merged during the v6.13 merge window.

SELinux

  • Make better use of the sk_to_full_sk() helper in the SELinux networking code to fix a regression caused by networking changes introduced during the v6.13 merge window.

  • Fix a problem when both the ioctl and netlink extended permissions, aka “xperms”, are used in a single domain.

  • Ignore unknown extended permissions, aka “xperms”, when loading SELinux policy. This should make it easier to support newer policies on older kernels in the future as unknown xperms will no longer result in an error.

Audit

  • Minor code shuffling to work around a GCC bug that was falsely reporting a write beyond the bounds of an object. There should be no user visible impact to this change.

In addition to my highlights, LWN.net provides a nice overall summary of the kernel changes made during the first and second weeks of the merge window.

Linux 6.13 Merge Window

19 Dec 2024 tags: audit lsm selinux

This post is a bit later than normal, my apologies for that, but Linux v6.12 was released on Sunday, November 17th with the Linux v6.13 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and Audit pull requests which have been merged into Linus’ tree.

LSM

  • Start the process of moving away from the existing secid integer LSM identifier in the kernel towards a richer lsm_prop structure. This change will enable us to remove some of the translation steps that are necessary in many LSMs when interacting with the rest of the Linux kernel, and should make is easier to support different LSMs in the future.

  • Decouple the fsnotify subsystem from the LSM, allowing the two subsystems to be selected independently from one another when building the Linux kernel.

SELinux

  • In Linux v4.3 we introduced the concept of “extended permissions” to enable SELinux to enforce access controls on individual ioctl(2) commands. Starting in Linux v6.13 administrators will now also be able to use the extended permission functionality to enforce access controls on individual netlink(7) messages. Thiébaud Weksteen, the patch’s author, provides some additional information and examples in the commit description:

    Reuse the existing extended permissions infrastructure to support policies based on the netlink message types.

    A new policy capability “netlink_xperm” is introduced. When disabled, the previous behaviour is preserved. That is, netlink_send will rely on the permission mappings defined in nlmsgtab.c (e.g, nlmsg_read for RTM_GETADDR on NETLINK_ROUTE). When enabled, the mappings are ignored and the generic “nlmsg” permission is used instead.

    The new “nlmsg” permission is an extended permission. The 16 bits of the extended permission are mapped to the nlmsg_type field.

    Example policy on Android, preventing regular apps from accessing the device’s MAC address and ARP table, but allowing this access to privileged apps, looks as follows:

    allow netdomain self:netlink_route_socket {
create read getattr write setattr lock append connect getopt
setopt shutdown nlmsg
};
allowxperm netdomain self:netlink_route_socket nlmsg ~{
RTM_GETLINK RTM_GETNEIGH RTM_GETNEIGHTBL
};
allowxperm priv_app self:netlink_route_socket nlmsg {
RTM_GETLINK RTM_GETNEIGH RTM_GETNEIGHTBL
};

    The constants in the example above (e.g., RTM_GETLINK) are explicitly defined in the policy.

    It is possible to generate policies to support kernels that may or may not have the capability enabled by generating a rule for each scenario. For instance:

    allow domain self:netlink_audit_socket nlmsg_read;
allow domain self:netlink_audit_socket nlmsg;
allowxperm domain self:netlink_audit_socket nlmsg { AUDIT_GET };

    The approach of defining a new permission (“nlmsg”) instead of relying on the existing permissions (e.g., “nlmsg_read”, “nlmsg_readpriv” or “nlmsg_tty_audit”) has been preferred because:

    1. This is similar to the other extended permission (“ioctl”);
    2. With the new extended permission, the coarse-grained mapping is not necessary anymore. It could eventually be removed, which would be impossible if the extended permission was defined below these.
    3. Having a single extra extended permission considerably simplifies the implementation here and in libselinux.
  • The “/sys/fs/selinux/user” interface has been marked as deprecated in the kernel. The deprecation notice provides some additional information:

    The selinuxfs “user” node allows userspace to request a list of security contexts that can be reached for a given SELinux user from a given starting context. This was used by libselinux when various login-style programs requested contexts for users, but libselinux stopped using it in 2020. Kernel support will be removed no sooner than Dec 2025.

  • Cleaned the SELinux build scripts and tooling. We relocated the “genheaders” tool to the “security/selinux” directory and corrected our usage of kernel headers to make it easier to build the Linux kernel on different systems.

Audit

  • Minor cleanups involving corrections to the kdoc function parameters and increased usage of the str_yes_no() kernel helper function.

Linux 6.12 Released

06 Dec 2024 tags: audit lsm selinux

Linux v6.12 was released on Sunday, November 17th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window, however there were additional changes that went in during the release candidate process which are described below.

LSM

  • Add a missing security_mmap_file() LSM hook call to the remap_file_pages(2) syscall. This helps ensure that the LSM-based access controls for memory pages are properly enforced.

  • Fixed a problem where the IPE kernel selftests could result in a crash due to a missing unit test list terminator.

  • Constification of the path parameter in the security_bpf_token_create() LSM hook.

SELinux

  • Fix a problem in the SELinux access controls for the kernel keyrings where they were not properly converted to the new LSM object lifecycle scheme that was merged during the Linux v6.12 merge window.

In addition to my highlights, LWN.net provides a nice overall summary of the kernel changes made during the first and second weeks of the merge window.