After a long hiatus, I have re-based the SELinux namespace series on top of selinux/next based on v5.4-rc1, available from https://github.com/stephensmalley/selinux-kernel/tree/selinuxns-v5.4-rc1 and posted here. Thanks to Paul Moore, who had earlier ported the series up through v4.19-rc1.

I chose to drop the per-namespace inode and superblock security blob patches from the series for the time being. In part, this is due to the fact that the original patch for per-namespace inode security blobs requires a major rewrite to deal with the LSM stacking changes. However, even apart from this issue, those two patches had known major problems that made them unlikely in my view to survive in the final implementation. This does leave the series in an even less functional state than before.

This series also does not include James Morris' separate RFC patch for per-namespace security extended attributes on files, https://patchwork.kernel.org/patch/10067875/, which would ultimately be needed if we want to fully support per-namespace file security labels (not merely mappings of a single file label).

As before, this is unsafe, experimental code. Use at your own risk. The patches should be harmless no-ops up until the one that introduces the ability to unshare the selinux namespace, but YMMV.
James Morris (1):
  selinuxns: mark init_selinux_ns as __ro_after_init

Peter Enderborg (1):
  selinux: Annotate lockdep for services locks

Stephen Smalley (8):
  selinux: rename selinux state to ns (namespace)
  selinux: support multiple selinuxfs instances
  selinux: dynamically allocate selinux namespace
  netns,selinux: create the selinux netlink socket per network namespace
  selinux: support per-task/cred selinux namespace
  selinux: introduce cred_selinux_ns() and use it
  selinux: add a selinuxfs interface to unshare selinux namespace
  selinuxfs: restrict write operations to the same selinux namespace

 include/net/net_namespace.h            |   3 +
 security/selinux/avc.c                 |  94 +++--
 security/selinux/hooks.c               | 512 +++++++++++++----------
 security/selinux/ibpkey.c              |   2 +-
 security/selinux/include/avc.h         |  16 +-
 security/selinux/include/classmap.h    |   3 +-
 security/selinux/include/conditional.h |   6 +-
 security/selinux/include/objsec.h      |  23 --
 security/selinux/include/security.h    | 185 ++++++---
 security/selinux/netif.c               |   2 +-
 security/selinux/netlabel.c            |  12 +-
 security/selinux/netlink.c             |  31 +-
 security/selinux/netnode.c             |   4 +-
 security/selinux/netport.c             |   2 +-
 security/selinux/selinuxfs.c           | 266 ++++++++----
 security/selinux/ss/services.c         | 543 +++++++++++++------------
 security/selinux/ss/status.c           |  42 +-
 security/selinux/xfrm.c                |  18 +-
 18 files changed, 1026 insertions(+), 738 deletions(-)

-- 
2.21.0