LSM namespacing API
Casey Schaufler
casey at schaufler-ca.com
Thu Apr 2 17:49:14 UTC 2026
On 4/2/2026 3:59 AM, Dr. Greg wrote:
> That still leaves the question of whether or not CAP_MAC_ADMIN is
> appropriate for gating the creation of a new security namespace.
That will have to be up to the individual LSMs. Not all LSMs implement
Mandatory Access Controls. It would be inappropriate for an LSM that
provides finer grain privilege than capabilities do to be gated by
CAP_MAC_ADMIN. An LSM that implements a novel access control list scheme
would fall under CAP_DAC_SOMETHING, not CAP_MAC_ADMIN. While a time-of-day
access scheme might require CAP_MAC_ADMIN, it might not. Implying that all
LSMs enforce a MAC policy is not a good idea.
More information about the Linux-security-module-archive
mailing list