Kernel audit subsystem incompatible with LSM stacking (6.18.2) #26

@Bad3r

Summary

The Linux kernel audit subsystem fails when multiple LSMs (Linux Security Modules) are stacked, preventing audit-based monitoring of USBGuard and other security events.

Environment

  • Kernel: 6.18.2
  • LSM Stack: lsm=landlock,yama,bpf,apparmor (4 LSMs active)
  • Kernel Params: audit=1 apparmor=1 audit_backlog_limit=1024
  • NixOS Channel: 26.05.20251219.7d853e5

Problem

When attempting to enable security.audit with LSM stacking active, the audit subsystem enters a panic state:

audit: error in audit_log_subj_ctx (repeated hundreds of times)
audit_panic: 321 callbacks suppressed

Impact:

  • All auditctl operations fail with status 255
  • Cannot load audit rules (audit-rules-nixos.service fails)
  • USBGuard audit monitoring unavailable
  • System security monitoring degraded

Root Cause

The kernel's security_lsmprop_to_secctx() function cannot properly convert security contexts when multiple LSMs are stacked. This is a known kernel limitation being actively addressed.

Evidence

The Linux kernel audit mailing list shows active patch development on this problem (Dec 2024 - Aug 2025):

  • Patch Series: "Audit: Add record for multiple task security contexts" (v2 through v6)
  • Author: Casey Schaufler
  • Purpose: Add multi-LSM support to audit subsystem
  • Status: Under review, not yet merged

The audit subsystem in kernel 6.18.2 predates this functionality.

What Was Tested

❌ Attempt 1: Enable audit before loading rules

systemd.services.audit-rules-nixos.serviceConfig.ExecStartPre = 
  "${pkgs.audit}/bin/auditctl -e 1";

Result: FAILED - auditctl -e 1 returned status 255

❌ Attempt 2: Enable auditd daemon

security.audit.enable = true;
security.auditd.enable = true;  # Start userspace daemon

Result: FAILED - Errors persisted even with daemon running

✅ Current Solution: Disable audit entirely

security.audit.enable = false;
security.auditd.enable = false;

Result: SUCCESS - No errors, USBGuard enforcement still works

Impact Assessment

Still Working:

  • ✅ USBGuard device enforcement
  • ✅ USB device allow/block decisions
  • ✅ USBGuard policy management
  • ✅ All other system security features

Not Available:

  • ❌ Audit logging of USBGuard policy changes
  • ❌ Audit trail for USB device events
  • ❌ System-wide audit logging
  • ❌ Security event monitoring via auditd

Error Logs

Kernel Messages

Dec 23 17:02:02 system76 kernel: audit: error in audit_log_subj_ctx
Dec 23 17:02:02 system76 kernel: audit: error in audit_log_subj_ctx
[... repeated hundreds of times ...]
Dec 23 17:02:09 system76 kernel: audit_panic: 321 callbacks suppressed
Dec 23 17:02:09 system76 kernel: audit: error in audit_log_subj_ctx

Service Failure

× audit-rules-nixos.service - Load Audit Rules
     Loaded: loaded (/etc/systemd/system/audit-rules-nixos.service; enabled)
     Active: failed (Result: exit-code)
    Process: 214467 ExecStart=/nix/store/.../auditctl -R /nix/store/.../audit.rules (code=exited, status=1/FAILURE)

Dec 23 17:02:04 system76 auditctl[214467]: No rules
Dec 23 17:02:04 system76 auditctl[214467]: There was an error in line 2 of /nix/store/.../audit.rules
Dec 23 17:02:04 system76 systemd[1]: audit-rules-nixos.service: Main process exited, code=exited, status=1/FAILURE
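The following triage script is an added example for the Problem and Error Logs sections above; it is not part of this issue or the repository. It takes kernel log text and a kernel command line (on a live system, `journalctl -k` output and `/proc/cmdline`), counts the `audit: error in ...` lines and the callbacks that `audit_panic` reports as suppressed, parses the `lsm=` and `audit=` parameters, and flags the combination this issue describes: `audit_log_subj_ctx` failing while audit is enabled and more than one LSM is active. The function names, the `AuditTriage` type and the sample log and command line are all constructed for this example, and the "suspected" verdict is a heuristic keyed on the messages quoted in the issue, not a kernel-level diagnosis.

```python
"""Triage helper for the audit/LSM-stacking symptoms quoted in this issue.

Added example (not part of the issue or the repository): it classifies kernel
log lines and the kernel command line so that "audit_log_subj_ctx is failing
under a stacked LSM configuration" can be told apart from unrelated audit noise.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input, modelled on the messages quoted in the issue.
SAMPLE_KERNEL_LOG = """\
Dec 23 17:02:02 system76 kernel: audit: error in audit_log_subj_ctx
Dec 23 17:02:02 system76 kernel: audit: error in audit_log_subj_ctx
Dec 23 17:02:03 system76 kernel: audit: error in audit_log_subj_ctx
Dec 23 17:02:09 system76 kernel: audit_panic: 321 callbacks suppressed
Dec 23 17:02:09 system76 kernel: audit: error in audit_log_subj_ctx
Dec 23 17:02:10 system76 kernel: usb 1-1: new high-speed USB device number 5 using xhci_hcd
"""

# Constructed /proc/cmdline value matching the Environment section (store paths elided).
SAMPLE_CMDLINE = (
    "BOOT_IMAGE=/nix/store/.../bzImage init=/nix/store/.../init "
    "lsm=landlock,yama,bpf,apparmor audit=1 apparmor=1 audit_backlog_limit=1024"
)

ERROR_RE = re.compile(r"kernel: audit: error in (\w+)")
SUPPRESSED_RE = re.compile(r"kernel: audit_panic: (\d+) callbacks suppressed")


@dataclass
class AuditTriage:
    errors: Counter = field(default_factory=Counter)  # failing audit function -> logged count
    suppressed: int = 0                                # callbacks audit_panic rate-limited away
    lsms: list[str] = field(default_factory=list)      # LSMs named in lsm=
    audit_enabled: bool = False                        # audit=1 on the kernel command line

    @property
    def logged_failures(self) -> int:
        return sum(self.errors.values())

    @property
    def min_total_failures(self) -> int:
        # Suppressed callbacks never produced a log line, so the true number of
        # failed audit records is at least logged lines + what the limiter dropped.
        return self.logged_failures + self.suppressed

    @property
    def lsm_stacking_suspected(self) -> bool:
        # Heuristic matching this issue's signature: audit_log_subj_ctx fails
        # while audit is enabled and more than one LSM is stacked.
        return (
            self.audit_enabled
            and len(self.lsms) > 1
            and "audit_log_subj_ctx" in self.errors
        )


def parse_cmdline(cmdline: str) -> tuple[list[str], bool]:
    """Return (LSM list from lsm=, whether audit=1) parsed from a kernel command line."""
    params: dict[str, str] = {}
    for token in cmdline.split():
        key, _, value = token.partition("=")   # bare flags get an empty value
        params[key] = value
    lsms = [name for name in params.get("lsm", "").split(",") if name]
    return lsms, params.get("audit") == "1"


def triage(kernel_log: str, cmdline: str) -> AuditTriage:
    """Classify kernel log lines plus the command line into an AuditTriage result."""
    result = AuditTriage()
    result.lsms, result.audit_enabled = parse_cmdline(cmdline)
    for line in kernel_log.splitlines():
        if m := ERROR_RE.search(line):
            result.errors[m.group(1)] += 1
        elif m := SUPPRESSED_RE.search(line):
            result.suppressed += int(m.group(1))
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_KERNEL_LOG, SAMPLE_CMDLINE)
    print(f"LSMs active: {t.lsms} (audit {'on' if t.audit_enabled else 'off'})")
    print(f"logged audit errors: {dict(t.errors)}, suppressed: {t.suppressed}")
    print(f"at least {t.min_total_failures} audit records failed")
    print("LSM stacking failure suspected:", t.lsm_stacking_suspected)
```

On a live host the same functions can be fed `journalctl -k --no-pager` output and the contents of `/proc/cmdline`; the `min_total_failures` figure is a lower bound, which is why "321 callbacks suppressed" in the issue's log means far more than the handful of visible lines.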

Technical Details

Function Call Chain

AppArmor event → audit_log_subj_ctx() → security_lsmprop_to_secctx() → FAIL

The security_lsmprop_to_secctx() function cannot handle multiple LSM contexts simultaneously in kernel 6.18.2.

Kernel Code Location

  • security/apparmor/audit.c - AppArmor audit logging
  • kernel/audit.c - Core audit subsystem
  • security/security.c - LSM interface (security_lsmprop_to_secctx)

Workaround

Current Implementation (commit 518f98406):

# modules/system76/usbguard.nix
security.audit.enable = lib.mkForce false;
security.auditd.enable = lib.mkForce false;

This disables audit logging system-wide but maintains USBGuard enforcement.

Future Resolution

Option 1: Wait for Kernel Update (Recommended)

  • Monitor Linux kernel releases for merged LSM stacking audit patches
  • Expected in kernel 6.19 or later
  • Update NixOS to use newer kernel when available

Option 2: Reduce LSM Stack (Not Recommended)

boot.kernelParams = [ 
  "lsm=apparmor"  # Only use AppArmor, disable landlock/yama/bpf
];

Trade-off: Lose security benefits of other LSMs

Option 3: Disable AppArmor (Not Recommended)

security.apparmor.enable = false;
boot.kernelParams = [ "apparmor=0" ];

Trade-off: Lose mandatory access control

References

Related Commits

  • 518f98406 - fix(usbguard): disable audit due to incomplete kernel LSM stacking support
  • eb7380af7 - enhance(mcp): add graceful failure for context7 without secret

Keywords: kernel, security, audit, apparmor, lsm, usbguard, linux security modules, lsm stacking, security_lsmprop_to_secctx, audit_log_subj_ctx
