[RFC v0.1][PATCH] selinuxns: extend namespace support to security.selinux xattrs

Stephen Smalley sds at tycho.nsa.gov
Wed Nov 1 15:22:05 UTC 2017


On Wed, 2017-11-01 at 17:40 +1100, James Morris wrote:
> On Tue, 31 Oct 2017, Stephen Smalley wrote:
> 
> > This btw would be a bit cleaner if we dropped the .ns. portion of the
> > name, such that we would have:
> > security.selinux # xattr name in the init namespace
> > security.selinux.vmN # xattr name in the vmN namespace
> > security.selinux.vmN.vmM # xattr name in the vmN.vmM namespace
> 
> I used 'ns' to differentiate against other potential extensions of the
> xattr name.  If that's not a concern, then yes it will be cleaner.
> 
> Do we limit the number of nestings?

Not in the current code, but I think we will need to do so. That's
mentioned in the list of known issues in the next-to-last commit:

    * There is no way currently to restrict or bound nesting of
    namespaces; if you allow it to a domain in the init namespace,
    then that domain can in turn unshare to arbitrary depths and can
    grant the same to any domain in its own policy.  Related to this
    is the fact that there is no way to control resource usage due to
    selinux namespaces and they can be substantial (per-namespace
    policydb, sidtab, AVC, etc).
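As an added illustration (not code from the selinuxns patch set or from either poster), the following Python sketch models the flattened naming scheme proposed above, with the `.ns.` portion dropped, together with the nesting bound the reply says will be needed. The helper names, the label syntax, and the `MAX_NESTING` value are assumptions made here for the example; the kernel patch does not define any of them.

```python
import re

# Base xattr name used by the init namespace (from the thread).
XATTR_BASE = "security.selinux"

# Assumed bound on namespace nesting depth. The thread states that the
# current code has no such bound; this value is an example choice only.
MAX_NESTING = 2

# Assumed syntax for one namespace label: no dots, since '.' separates
# the per-namespace components of the xattr name.
_LABEL = re.compile(r"^[A-Za-z0-9_]+$")


def xattr_name(lineage):
    """Build the xattr name for a namespace given its lineage, outermost first.

    []             -> security.selinux          (init namespace)
    ["vmN"]        -> security.selinux.vmN      (vmN namespace)
    ["vmN", "vmM"] -> security.selinux.vmN.vmM  (vmN.vmM namespace)
    """
    for label in lineage:
        if not _LABEL.match(label):
            raise ValueError(f"invalid namespace label: {label!r}")
    if len(lineage) > MAX_NESTING:
        raise ValueError(f"nesting depth {len(lineage)} exceeds bound {MAX_NESTING}")
    return ".".join([XATTR_BASE, *lineage])


def parse_xattr_name(name):
    """Inverse of xattr_name: return the lineage list, or None if the name is
    not a security.selinux xattr (or a malformed one, e.g. an empty component)."""
    if name == XATTR_BASE:
        return []
    prefix = XATTR_BASE + "."
    if not name.startswith(prefix):
        return None
    lineage = name[len(prefix):].split(".")
    if any(not _LABEL.match(label) for label in lineage):
        return None
    return lineage


def nesting_allowed(parent_name, max_depth=MAX_NESTING):
    """Would a child namespace under the namespace owning parent_name stay
    within the depth bound?  This is the check the thread says is missing:
    without it, a domain granted unshare can nest to arbitrary depth."""
    lineage = parse_xattr_name(parent_name)
    if lineage is None:
        raise ValueError(f"not a selinux namespace xattr: {parent_name!r}")
    return len(lineage) + 1 <= max_depth


def child_xattr_name(parent_name, label, max_depth=MAX_NESTING):
    """Derive the xattr name a newly unshared child namespace would use,
    refusing to go deeper than max_depth."""
    if not nesting_allowed(parent_name, max_depth):
        raise ValueError(f"nesting beyond depth {max_depth} refused under {parent_name!r}")
    return xattr_name([*parse_xattr_name(parent_name), label])


if __name__ == "__main__":
    # Constructed walk through the scheme: init -> vmN -> vmN.vmM -> refused.
    init = xattr_name([])
    vmn = child_xattr_name(init, "vmN")
    vmm = child_xattr_name(vmn, "vmM")
    print(init, vmn, vmm, nesting_allowed(vmm))
```

The point of `nesting_allowed` is that the bound is computed from the xattr name itself: because each nesting level appends one dotted component, the depth of any namespace is recoverable from the name, so an unshare can be refused without tracking extra per-namespace state.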