[PATCH RFC] security: add LSM blob and hooks for namespaces
Christian Brauner
brauner at kernel.org
Tue Feb 17 09:38:33 UTC 2026
On Mon, Feb 16, 2026 at 09:34:57AM -0800, Casey Schaufler wrote:
> On 2/16/2026 5:52 AM, Christian Brauner wrote:
> > All namespace types now share the same ns_common infrastructure. Extend
> > this to include a security blob so LSMs can start managing namespaces
> > uniformly without having to add one-off hooks or security fields to
> > every individual namespace type.
>
> The implementation appears sound.
>
> I have to question whether having LSM controls on namespaces is reasonable.
This is already in active use today but only in a very limited capacity.
This generalizes it.
> I suppose that you could have a system where (for example) SELinux runs
> in permissive mode except within a specific user namespace, where it would
> enforce policy. Do you have a use case in mind?
We will use it in systemd services and containers to monitor and
supervise namespaces.
More information about the Linux-security-module-archive mailing list