On Thu, Feb 27, 2025 at 10:22 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> On Wed, Feb 26, 2025 at 3:19 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > On Feb 24, 2025 Miklos Szeredi <mszeredi@xxxxxxxxxx> wrote:
> > >
> > > Watching mount namespaces for changes (mount, umount, move mount) was added
> > > by previous patches.
> > >
> > > This patch adds the file/watch_mountns permission that can be applied to
> > > nsfs files (/proc/$$/ns/mnt), making it possible to allow or deny watching
> > > a particular namespace for changes.
> > >
> > > Suggested-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> > > Link: https://lore.kernel.org/all/CAHC9VhTOmCjCSE2H0zwPOmpFopheexVb6jyovz92ZtpKtoVv6A@xxxxxxxxxxxxxx/
> > > Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxxxxx>
> > > ---
> > >  security/selinux/hooks.c            | 3 +++
> > >  security/selinux/include/classmap.h | 2 +-
> > >  2 files changed, 4 insertions(+), 1 deletion(-)
> >
> > Thanks Miklos, this looks good to me. VFS folks / Christian, can you
> > merge this into the associated FSNOTIFY_OBJ_TYPE_MNTNS branch you are
> > targeting for linux-next?
> >
> > Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
>
> I'm not objecting to this patch, but just for awareness, this adds the
> permission for all file-related classes, including dir(ectory), and we
> are almost out of space in the access vector at which point we'll need
> to introduce a file2 class or similar (as with process2).

Yes, I've been paying closer attention to this over the past several
years as we start to nudge the permission count limits. However, as you
mentioned, this isn't a new concern and we've successfully dealt with it
in the past.

-- 
paul-moore.com
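The headroom Stephen refers to can be checked mechanically: an SELinux access vector is a u32, so a class in classmap.h can carry at most 32 permissions, and adding one to the shared COMMON_FILE_PERMS list raises the count of every file-related class at once. The script below is an added example, not part of the thread or the kernel tree; it parses a constructed, abbreviated fragment written in the style of security/selinux/include/classmap.h (macro expansion included) and reports how many permission bits each class has left.

```python
import re

# Constructed fragment modelled on security/selinux/include/classmap.h; the real
# file has many more classes and the lists below are illustrative, not authoritative.
CLASSMAP_SAMPLE = r'''
#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
    "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append", "map"
#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
    "rename", "execute", "quotaon", "mounton", "audit_access", "open", \
    "execmod", "watch", "watch_mount", "watch_sb", "watch_with_perm", \
    "watch_reads", "watch_mountns"
struct security_class_mapping secclass_map[] = {
	{ "file", { COMMON_FILE_PERMS, "execute_no_trans", "entrypoint", NULL } },
	{ "dir", { COMMON_FILE_PERMS, "add_name", "remove_name",
	           "reparent", "search", "rmdir", NULL } },
	{ NULL }
};
'''

ACCESS_VECTOR_BITS = 32  # access vectors are u32: one bit per permission per class

def parse_classmap(text):
    """Return {class_name: [perm, ...]} with #define permission macros expanded."""
    text = text.replace("\\\n", " ")  # join backslash-continued macro lines
    macros = {m.group(1): m.group(2)
              for m in re.finditer(r'^#define\s+(\w+)\s+(.*)$', text, re.M)}

    def expand(body):
        perms = []
        # quoted literals are permission names; upper-case identifiers are macros
        for lit, macro in re.findall(r'"([^"]*)"|\b([A-Z_][A-Z0-9_]*)\b', body):
            if lit:
                perms.append(lit)
            elif macro in macros:
                perms.extend(expand(macros[macro]))
            # NULL and other unknown identifiers are not permissions; skip them
        return perms

    return {m.group(1): expand(m.group(2))
            for m in re.finditer(r'\{\s*"(\w+)"\s*,\s*\{(.*?)\}\s*\}', text, re.S)}

def headroom(classes, limit=ACCESS_VECTOR_BITS):
    """Free permission bits per class; a negative value means the class has overflowed."""
    return {name: limit - len(perms) for name, perms in classes.items()}

if __name__ == "__main__":
    for name, free in headroom(parse_classmap(CLASSMAP_SAMPLE)).items():
        print(f"{name}: {free} permission bit(s) left")
```

Running it over the real classmap.h (after stripping the surrounding C) gives the per-class count a reviewer would want before adding another permission to a shared macro.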