Linux 6.9 Merge Window
Paul Moore Blog
by Paul Moore
1M ago
Linux v6.8 was released this past Sunday, with the Linux v6.9 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and audit pull requests which Linus has merged into his tree. LSM The Linux Integrity Subsystem, more commonly known as IMA, or IMA/EVM, has been integrated into the LSM framework. Prior to the start of the LSM stacking work it was important that IMA/EVM remain separate from the rest of the LSMs as it was the only way to enable IMA/EVM at the same time as a LSM, e.g. SELinux. However, now that the bulk of the LSM infrastructure supports mult ..read more
Linux 6.8 Released
Paul Moore Blog
by Paul Moore
1M ago
Linux v6.8 was released on Sunday, March 10th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window, however there were additional changes that went in during the release candidate process which are described below. LSM Fix a potential integer overflow bug when sanity checking the size of an argument to the lsm_set_self_attr(2) syscall. Fix a couple of problems relating to a mismatch between the expected default return value of a LSM hook and the actual default value. While the return value mismatches are not new, the recent ..read more
Linux 6.8 Merge Window
Paul Moore Blog
by Paul Moore
1M ago
Linux v6.7 was released this past Sunday, with the Linux v6.8 merge window opening immediately afterwards. Recently I’ve started writing up the highlights of the SELinux and audit pull requests sent to Linus, but starting with the Linux v6.8 merge window I’m also going to start including the Linux Security Module (LSM) layer highlights. I’m including the LSM in these summaries because with the start of Linux v6.8 the LSM layer itself is taking a step forward in terms of user visibility and I want users, administrators, developers, and distros to be aware of changes that could impact their syst ..read more
Linux 6.7 Released
Paul Moore Blog
by Paul Moore
3M ago
Linux v6.7 was released on Sunday, January 7th. I already wrote up a post highlighting the SELinux and audit changes that were submitted during the merge window, however there were additional changes that went in during the release candidate process which are described below. SELinux Minor changes to the SELinux credential code as part of the larger effort to remove CONFIG_DEBUG_CREDENTIALS. This should have little to no effect on SELinux. Audit Remove a WARN_ON_ONCE() based warning in the audit exe filter code as it was causing a lot of scary looking, but harmless, warnings on the console ..read more
Linux 6.7 Merge Window
Paul Moore Blog
by Paul Moore
5M ago
Linux v6.6 was released this past Monday, with the Linux v6.7 merge window opening immediately afterwards. Below are the highlights of the SELinux and audit pull requests which Linus has merged into his tree. SELinux The CONFIG_SECURITY_SELINUX_DEBUG Kconfig option introduced in Linux v6.6 was enhanced to enable the SELinux debugging messages on the console by default. Those users who wish to have greater control over the SELinux debugging messages should enable Dynamic Debug. A number of SELinux internal hash table related improvements were made in this kernel release. The role transition ..read more
Linux 6.5 Released
Paul Moore Blog
by Paul Moore
8M ago
Linux v6.5 was released on Sunday, August 27th. I already wrote up a post highlighting the SELinux and audit changes that were submitted during the merge window, but there was one minor change worth mentioning that occurred during the release candidate process, it’s described below. SELinux A small fix to ensure that an internal data structure is properly initialized before use. Prior to this fix an error condition when loading the SELinux policy had the potential to result in a memory fault caused by walking off the end of a linked list. In addition to my highlights, LWN.net provides a nice ..read more
Linux 6.6 Merge Window
Paul Moore Blog
by Paul Moore
8M ago
Linux v6.5 was released this past Sunday, with the Linux v6.6 merge window opening immediately afterwards. Below are the highlights of the SELinux and audit pull requests which Linus merged today. SELinux A poorly documented, private SELinux kernel debug macro was promoted to a proper Kconfig configuration flag, CONFIG_SECURITY_SELINUX_DEBUG. This should help both improve the visibility of the debug flag as well as enable improved test coverage. We also moved some additional debug functions under the new CONFIG_SECURITY_SELINUX_DEBUG flag and I believe we may see more additions in the future ..read more
Linux 6.5 Merge Window
Paul Moore Blog
by Paul Moore
10M ago
Linux v6.4 was released this past Sunday, with the Linux v6.5 merge window opening immediately afterwards. Below are the highlights of the SELinux and audit pull requests which Linus merged this week. SELinux Fixed a longstanding issue with MultiPath TCP (MPTCP) where the MPTCP subflows were not labeled properly. Starting in Linux v6.5, MPTCP subflows will now be correctly labeled using the main MPTCP socket instead of the currently executing task. A special thanks to Paolo Abeni, and the other MPTCP developers, for their help on this issue. Fixed an issue where labeled NFS mounts that wer ..read more
Linux 6.4 Released
Paul Moore Blog
by Paul Moore
10M ago
Linux v6.4 was released on Sunday, June 25th; there were no changes to the audit subsystem, but the SELinux highlights are below. Beyond these highlights, LWN.net has summarized the major changes in this release made during the first and second weeks of the merge window. SELinux After several years of work by the userspace and distro folks, we are finally in a place where we feel comfortable removing the runtime disable functionality, which was initially deprecated at the start of 2020. This was done to improve the security of all the LSMs in the kernel, not just SELinux, by hardening the LSM ..read more
Linux 6.3 Released
Paul Moore Blog
by Paul Moore
1y ago
Linux v6.3 was released on Sunday, April 23rd; the SELinux and audit highlights are below. Beyond these highlights, LWN.net has summarized the major changes in this release made during the first and second weeks of the merge window. SELinux Minor changes to support the ID-mapped mounts work and some newly created virtual memory flag accessor functions. Audit The AUDIT_FANOTIFY record was updated to record the full event response. The patch’s author, Richard Guy Briggs, provides a description of the change, as well as sample record types, in the commit description: Currently the only type o ..read more