On 8/4/20 4:19 PM, Stephen Smalley wrote:
> Recognizing that re-basing the selinux namespace patches on top of
> these two patches might be painful, I went ahead and did so; the
> result can be found here:
> https://github.com/stephensmalley/selinux-kernel/tree/working-selinuxns-rebase
> The two patches that required manual fix-ups were the first one
> ("selinux: rename selinux state to ns (namespace)") and the third one
> ("selinux: dynamically allocate selinux namespace"). The rest re-based
> without conflicts. The resulting tree built, booted, passed the
> selinux-testsuite, and I could successfully follow the instructions to
> create a new namespace and load a policy into it. As before, the child
> namespace won't be usable if you switch it to enforcing mode since we
> haven't yet revived the per-namespace support for inode and superblock
> security blobs and it is still very unsafe to use in its current form.

Re-based again with the revised version of both patches. This required
one additional manual fix-up for "selinux: annotate lockdep for services
locks" due to conflicting with the restored load_mutex.