Re: [PATCH] selinux: distinguish non-init user namespace capability checks

On 4/26/2016 4:06 PM, Stephen Smalley wrote:
> On 04/26/2016 03:51 PM, Paul Moore wrote:
>> On Friday, April 08, 2016 01:52:00 PM Stephen Smalley wrote:
>>> Distinguish capability checks against a target associated
>>> with the init user namespace versus capability checks against
>>> a target associated with a non-init user namespace by defining
>>> and using separate security classes for the latter.
>>>
>>> This is needed to support e.g. Chrome usage of user namespaces
>>> for the Chrome sandbox without needing to allow Chrome to also
>>> exercise capabilities on targets in the init user namespace.
>>>
>>> Suggested-by: Dan Walsh <dwalsh@xxxxxxxxxx>
>>> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
>>> ---
>>>  security/selinux/hooks.c            | 14 +++++++-------
>>>  security/selinux/include/classmap.h | 28 ++++++++++++++++++----------
>>>  2 files changed, 25 insertions(+), 17 deletions(-)
>>
>> Applied, thanks.
> 
> I pushed the test for these new checks to a branch of selinux-testsuite
> (#userns) because the test can't be used without a corresponding update
> to policy to define the new classes, so I will wait to merge to master
> until rawhide gets the new class definitions.  Also, I'll need to make
> the test code conditional on kernel version so that it won't fail on
> kernels that predate the support.  Will this change be in 4.7?

I've pushed the class definitions for refpolicy.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
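As an added illustration of what the new classes change on the policy side (example policy written for this note, not taken from this thread, the kernel patch, or refpolicy): with the patch, a capability check whose target is a non-init user namespace is reported under the classes cap_userns and cap2_userns (the names the merged kernel defines in classmap.h; they are not shown in this message), so a sandbox domain can be granted those without any capability rights against targets in the init user namespace. The domain chrome_sandbox_t and the exact permission set are assumptions for illustration.

```sepolicy
# Added example, not from this thread, the kernel patch, or refpolicy.
# chrome_sandbox_t and the permission set below are assumed names for
# illustration; the rules require a base policy that declares the
# cap_userns / cap2_userns classes (see the refpolicy push above).

# Before the patch: setting up the sandbox's user namespace (unshare,
# uid/gid mapping, chroot, mounts) needs these capabilities, and the
# only class that existed also grants them against targets in the
# init user namespace.
allow chrome_sandbox_t self:capability { setuid setgid sys_admin sys_chroot };

# With the patch: the same permissions, but consulted only when the
# target is a non-init user namespace. Nothing here allows the domain
# to exercise a capability against init_user_ns.
allow chrome_sandbox_t self:cap_userns { setuid setgid sys_admin sys_chroot };

# capability2 permissions are split the same way into cap2_userns;
# a domain that needs none of them simply gets no rule.

# Optional build-time check that the old, broader grant does not creep
# back in: the policy compile fails if any rule contradicts this.
neverallow chrome_sandbox_t self:capability { sys_admin sys_chroot };
```

On a kernel that predates this patch every capability check still lands in the capability class, so the cap_userns rule alone produces a denial there; that is the same kernel-version dependency the selinux-testsuite change mentioned above has to handle. The patch shipped in Linux 4.7 (a fact not stated on this page).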
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx