On Wed, 2017-11-01 at 17:40 +1100, James Morris wrote:
> On Tue, 31 Oct 2017, Stephen Smalley wrote:
>
> > This btw would be a bit cleaner if we dropped the .ns. portion of the
> > name, such that we would have:
> > security.selinux # xattr name in the init namespace
> > security.selinux.vmN # xattr name in the vmN namespace
> > security.selinux.vmN.vmM # xattr name in the vmN.vmM namespace
>
> I used 'ns' to differentiate against other potential extensions of the
> xattr name. If that's not a concern, then yes it will be cleaner.
>
> Do we limit the number of nestings?

Not in the current code, but I think we will need to do so. That's
mentioned in the list of known issues in the next-to-last commit:

* There is no way currently to restrict or bound nesting of
namespaces; if you allow it to a domain in the init namespace,
then that domain can in turn unshare to arbitrary depths and can
grant the same to any domain in its own policy. Related to this
is the fact that there is no way to control resource usage due to
selinux namespaces and they can be substantial (per-namespace
policydb, sidtab, AVC, etc).