From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, omosnace@redhat.com,
Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [PATCH v2 00/49] SELinux namespace support
Date: Thu, 15 May 2025 09:08:58 -0400 [thread overview]
Message-ID: <20250515130947.52806-1-stephen.smalley.work@gmail.com> (raw)
This series introduces support for a SELinux namespace, i.e.
the ability to namespace the SELinux policy, AVC, and
enforcing mode. This support can be leveraged by Linux
container runtimes to establish a private SELinux namespace
for each container, enabling the container to load and
enforce its own policy while still remaining bound by the
host OS policy (if any). More information about SELinux
namespaces can be found at the following URL:
https://github.com/stephensmalley/selinuxns
Stephen Smalley (49):
selinux: restore passing of selinux_state
selinux: introduce current_selinux_state
selinux: support multiple selinuxfs instances
selinux: dynamically allocate selinux namespace
netstate,selinux: create the selinux netlink socket per network
namespace
selinux: support per-task/cred selinux namespace
selinux: introduce cred_selinux_state() and use it
selinux: add a selinuxfs interface to unshare selinux namespace
selinuxfs: restrict write operations to the same selinux namespace
selinux: introduce a global SID table
selinux: wrap security server interfaces to use the global SID table
selinux: update hook functions to use correct selinux namespace
selinux: introduce cred_task_has_perm()
selinux: introduce cred_has_extended_perms()
selinux: introduce cred_self_has_perm()
selinux: introduce cred_has_perm()
selinux: introduce cred_ssid_has_perm() and cred_other_has_perm()
selinux: introduce task_obj_perm()
selinux: fix selinux_lsm_getattr() check
selinux: update bprm hooks for selinux namespaces
selinux: add kerneldoc to new permission checking functions
selinux: convert selinux_file_send_sigiotask() to namespace-aware
helper
selinux: rename cred_has_perm*() to cred_tsid_has_perm*()
selinux: convert additional checks to cred_ssid_has_perm()
selinux: introduce selinux_state_has_perm()
selinux: annotate selinuxfs permission checks
selinux: annotate process transition permission checks
selinux: convert xfrm and netlabel permission checks
selinux: switch selinux_lsm_setattr() checks to current namespace
selinux: add limits for SELinux namespaces
selinux: fix namespace creation
selinux: limit selinux netlink notifications to init namespace
selinux: refactor selinux_state_create()
selinux: make open_perms namespace-aware
selinux: split cred_ssid_has_perm() into two cases
selinux: set initial SID context for init to "kernel" in global SID
table
selinux: disallow writes to /sys/fs/selinux/user in non-init
namespaces
selinux: convert nlmsg_sock_has_extended_perms() to namespace-aware
selinux: init inode from nearest initialized namespace
selinux: allow userspace to detect non-init SELinux namespace
selinux: exempt creation of init SELinux namespace from limits
selinux: introduce a Kconfig option for SELinux namespaces
selinux: eliminate global SID table if !CONFIG_SECURITY_SELINUX_NS
selinux: maintain a small cache in the global SID table
selinux: change /sys/fs/selinux/unshare to check current process state
selinux: acquire/release SELinux state properly in socket hooks
selinux: update cred_tsid_has_perm_noaudit() to return the combined
avd
selinux: repair security_fs_use() interface and its users
selinux: style cleanups for node_sid prototypes
include/net/net_namespace.h | 3 +
security/selinux/Kconfig | 65 +
security/selinux/Makefile | 1 +
security/selinux/avc.c | 782 ++++++++--
security/selinux/global_sidtab.c | 810 ++++++++++
security/selinux/hooks.c | 1339 +++++++++++------
security/selinux/ibpkey.c | 2 +-
security/selinux/ima.c | 37 +-
security/selinux/include/audit.h | 8 +
security/selinux/include/avc.h | 77 +-
security/selinux/include/avc_ss.h | 3 +-
security/selinux/{ss => include}/avtab.h | 0
security/selinux/include/classmap.h | 2 +-
security/selinux/include/conditional.h | 4 +-
security/selinux/{ss => include}/constraint.h | 0
security/selinux/{ss => include}/context.h | 0
security/selinux/{ss => include}/ebitmap.h | 0
security/selinux/include/global_sidtab.h | 26 +
security/selinux/{ss => include}/hashtab.h | 0
security/selinux/include/ima.h | 11 +-
security/selinux/{ss => include}/mls.h | 0
security/selinux/{ss => include}/mls_types.h | 0
security/selinux/include/netif.h | 4 +-
security/selinux/include/netlabel.h | 14 +-
security/selinux/include/netnode.h | 4 +-
security/selinux/include/objsec.h | 43 +-
security/selinux/{ss => include}/policydb.h | 0
security/selinux/include/security.h | 473 +++++-
security/selinux/include/selinux_ss.h | 119 ++
security/selinux/{ss => include}/sidtab.h | 34 +
security/selinux/{ss => include}/symtab.h | 0
security/selinux/include/xfrm.h | 8 +-
security/selinux/netif.c | 31 +-
security/selinux/netlabel.c | 32 +-
security/selinux/netlink.c | 42 +-
security/selinux/netnode.c | 26 +-
security/selinux/netport.c | 2 +-
security/selinux/selinuxfs.c | 551 ++++++-
security/selinux/ss/services.c | 453 +++---
security/selinux/ss/services.h | 1 +
security/selinux/ss/sidtab.c | 105 +-
security/selinux/status.c | 44 +-
security/selinux/xfrm.c | 47 +-
43 files changed, 4071 insertions(+), 1132 deletions(-)
create mode 100644 security/selinux/global_sidtab.c
rename security/selinux/{ss => include}/avtab.h (100%)
rename security/selinux/{ss => include}/constraint.h (100%)
rename security/selinux/{ss => include}/context.h (100%)
rename security/selinux/{ss => include}/ebitmap.h (100%)
create mode 100644 security/selinux/include/global_sidtab.h
rename security/selinux/{ss => include}/hashtab.h (100%)
rename security/selinux/{ss => include}/mls.h (100%)
rename security/selinux/{ss => include}/mls_types.h (100%)
rename security/selinux/{ss => include}/policydb.h (100%)
create mode 100644 security/selinux/include/selinux_ss.h
rename security/selinux/{ss => include}/sidtab.h (81%)
rename security/selinux/{ss => include}/symtab.h (100%)
--
2.49.0
next reply other threads:[~2025-05-15 13:10 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-15 13:08 Stephen Smalley [this message]
2025-05-15 13:08 ` [PATCH v2 01/49] selinux: restore passing of selinux_state Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 02/49] selinux: introduce current_selinux_state Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 03/49] selinux: support multiple selinuxfs instances Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 04/49] selinux: dynamically allocate selinux namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 05/49] netstate,selinux: create the selinux netlink socket per network namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 06/49] selinux: support per-task/cred selinux namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 07/49] selinux: introduce cred_selinux_state() and use it Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 08/49] selinux: add a selinuxfs interface to unshare selinux namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 09/49] selinuxfs: restrict write operations to the same " Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 10/49] selinux: introduce a global SID table Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 11/49] selinux: wrap security server interfaces to use the " Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 12/49] selinux: update hook functions to use correct selinux namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 13/49] selinux: introduce cred_task_has_perm() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 14/49] selinux: introduce cred_has_extended_perms() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 15/49] selinux: introduce cred_self_has_perm() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 16/49] selinux: introduce cred_has_perm() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 17/49] selinux: introduce cred_ssid_has_perm() and cred_other_has_perm() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 18/49] selinux: introduce task_obj_perm() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 19/49] selinux: fix selinux_lsm_getattr() check Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 20/49] selinux: update bprm hooks for selinux namespaces Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 21/49] selinux: add kerneldoc to new permission checking functions Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 22/49] selinux: convert selinux_file_send_sigiotask() to namespace-aware helper Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 23/49] selinux: rename cred_has_perm*() to cred_tsid_has_perm*() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 24/49] selinux: convert additional checks to cred_ssid_has_perm() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 25/49] selinux: introduce selinux_state_has_perm() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 26/49] selinux: annotate selinuxfs permission checks Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 27/49] selinux: annotate process transition " Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 28/49] selinux: convert xfrm and netlabel " Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 29/49] selinux: switch selinux_lsm_setattr() checks to current namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 30/49] selinux: add limits for SELinux namespaces Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 31/49] selinux: fix namespace creation Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 32/49] selinux: limit selinux netlink notifications to init namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 33/49] selinux: refactor selinux_state_create() Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 34/49] selinux: make open_perms namespace-aware Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 35/49] selinux: split cred_ssid_has_perm() into two cases Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 36/49] selinux: set initial SID context for init to "kernel" in global SID table Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 37/49] selinux: disallow writes to /sys/fs/selinux/user in non-init namespaces Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 38/49] selinux: convert nlmsg_sock_has_extended_perms() to namespace-aware Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 39/49] selinux: init inode from nearest initialized namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 40/49] selinux: allow userspace to detect non-init SELinux namespace Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 41/49] selinux: exempt creation of init SELinux namespace from limits Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 42/49] selinux: introduce a Kconfig option for SELinux namespaces Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 43/49] selinux: eliminate global SID table if !CONFIG_SECURITY_SELINUX_NS Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 44/49] selinux: maintain a small cache in the global SID table Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 45/49] selinux: change /sys/fs/selinux/unshare to check current process state Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 46/49] selinux: acquire/release SELinux state properly in socket hooks Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 47/49] selinux: update cred_tsid_has_perm_noaudit() to return the combined avd Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 48/49] selinux: repair security_fs_use() interface and its users Stephen Smalley
2025-05-15 13:09 ` [PATCH v2 49/49] selinux: style cleanups for node_sid prototypes Stephen Smalley
2025-05-15 13:35 ` [PATCH v2 00/49] SELinux namespace support Stephen Smalley
2025-05-15 13:59 ` Stephen Smalley
2025-05-20 12:06 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250515130947.52806-1-stephen.smalley.work@gmail.com \
--to=stephen.smalley.work@gmail.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).