LSM namespacing API
Paul Moore
paul at paul-moore.com
Tue Aug 19 18:52:41 UTC 2025
On Tue, Aug 19, 2025 at 2:51 PM Paul Moore <paul at paul-moore.com> wrote:
> On Tue, Aug 19, 2025 at 1:47 PM Stephen Smalley
> <stephen.smalley.work at gmail.com> wrote:
> >
> > I think we want to be able to unshare a specific security module
> > namespace without unsharing the others, i.e. just SELinux or just
> > AppArmor.
> > Not sure if your suggestion above supports that already but wanted to note it.
>
> The lsm_set_self_attr(2) approach allows for LSM specific unshare
> operations. Take the existing LSM_ATTR_EXEC attribute as an example,
> two LSMs have implemented support (AppArmor and SELinux), and
> userspace can independently set the attribute as desired for each LSM.
I should add, for those that didn't follow the lsm_set_self_attr(2)
development, if you want to set the same attribute on multiple LSMs,
you must make multiple calls to lsm_set_self_attr(2) (think of error
handling/conditions).
--
paul-moore.com
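As an added example, not code from the thread or from the kernel tree, the per-LSM pattern described above in C: one lsm_set_self_attr(2) call per module for LSM_ATTR_EXEC, each call checked on its own so a failure in one LSM does not hide the outcome for the others. The struct layout and the LSM_ID_*/LSM_ATTR_EXEC values follow the kernel's uapi `<linux/lsm.h>`; the struct name `lsm_ctx_buf`, the helper names and the label strings are constructed placeholders.

```c
/* Added example, not from the thread: one lsm_set_self_attr(2) call per LSM. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#define LSM_ID_SELINUX  101   /* uapi <linux/lsm.h> values, spelled out so this builds on older headers */
#define LSM_ID_APPARMOR 104
#define LSM_ATTR_EXEC   101
#ifndef SYS_lsm_set_self_attr
#define SYS_lsm_set_self_attr 460          /* syscall number since Linux 6.8 */
#endif
/* Same layout as struct lsm_ctx in <linux/lsm.h>, with a fixed-size label area. */
struct lsm_ctx_buf { uint64_t id, flags, len, ctx_len; uint8_t ctx[128]; };
/* Fill one lsm_ctx for a single LSM. Returns the byte count to pass as the
 * syscall's size argument (8-byte aligned), or 0 if the label does not fit. */
size_t build_lsm_ctx(struct lsm_ctx_buf *b, uint64_t lsm_id, const char *label)
{
    size_t n = strlen(label) + 1;            /* include the terminating NUL */
    if (n > sizeof(b->ctx)) return 0;
    memset(b, 0, sizeof(*b));
    b->id = lsm_id;
    b->ctx_len = n;
    b->len = (offsetof(struct lsm_ctx_buf, ctx) + n + 7) & ~(size_t)7;
    memcpy(b->ctx, label, n);
    return (size_t)b->len;
}
/* One call per LSM; a failure for one module is reported and the loop continues,
 * so the caller learns exactly which LSMs accepted the new exec label. */
int set_exec_labels(const uint64_t *ids, const char **labels, size_t count)
{
    int failed = 0;
    for (size_t i = 0; i < count; i++) {
        struct lsm_ctx_buf b;
        size_t len = build_lsm_ctx(&b, ids[i], labels[i]);
        if (len == 0 || syscall(SYS_lsm_set_self_attr, LSM_ATTR_EXEC, &b, (uint32_t)len, 0) < 0) {
            fprintf(stderr, "lsm %llu: %s\n", (unsigned long long)ids[i], len ? strerror(errno) : "label too long");
            failed++;
        }
    }
    return failed;
}
int main(void) { /* constructed placeholder labels, not real policy */
    const uint64_t ids[] = { LSM_ID_SELINUX, LSM_ID_APPARMOR };
    const char *labels[] = { "placeholder_selinux_exec_t", "placeholder_apparmor_profile" };
    return set_exec_labels(ids, labels, 2) ? 1 : 0;
}
```

On a kernel without the syscall, or with a policy that rejects the placeholder labels, each LSM's failure is printed separately and the exit status reflects that at least one call failed.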