From: Igor Baranov <igor.baranov@xxxxxxxxxx>

Continuing the previous discussion, we decided to do the following: publish all of our patches.

The aim of this patch series is to extend the functionality and stability of SELinux namespaces, based on the existing work for a basic PoC.

To try our patches you need to:

* Check out https://github.com/stephensmalley/selinux-kernel/commit/3a3b3ad9bd266f0199a2db6c0aa15c343c2307f1
* Apply our patches.
* Compile the kernel and boot into it.
* Next, we recommend creating a privileged Docker container with a SELinux-based distribution (we used CentOS 7) with the mapping /sys/fs/selinux:/sys/fs/selinux
* Then log into the container and do the following:

# create new namespace with name "ns", unshare previous one
echo "ns" > /sys/fs/selinux/unshare; unshare --fork -m

# remount selinuxfs, load policy
umount /sys/fs/selinux; mount -t selinuxfs none /sys/fs/selinux/; load_policy

# relabel everything
restorecon / -Rv

# check xattrs
ls -Z

# now enter enforcing mode
setenforce 1

# check enforce
getenforce

First of all, there is a need to build a solid code base for the workable PoC on the latest working-selinux branch, hence the related commits picked from the sources comprise the first two patches. The remaining five patches are the major work; a detailed description can be checked in each commit message:

(1) Infrastructure management of the superblock
(2) Support per-namespace superblock security structures
(3) Fix initialization of the superblock security under spinlock
(4) Namespacing for xattrs
(5) Migrate all open files and all VMAs to the new namespace
(6) Fix superblock security structure memory leakage
(7) Fix concurrency issues

Hope the initial efforts in this direction could re-initiate the discussion.

Thanks.

 README.SELINUX-NAMESPACES           |  22 +
 include/linux/lsm_hooks.h           |   1 +
 security/security.c                 |  46 +-
 security/selinux/hooks.c            | 682 +++++++++++++++++++++-------
 security/selinux/include/objsec.h   |  41 +-
 security/selinux/include/security.h |  23 +-
 security/selinux/selinuxfs.c        | 368 +++++++++++----
 security/selinux/ss/services.c      |  32 +-
 security/smack/smack.h              |   6 +
 security/smack/smack_lsm.c          |  35 +-
 10 files changed, 950 insertions(+), 306 deletions(-)
 create mode 100644 README.SELINUX-NAMESPACES

--
2.34.1

Alexander Kozhevnikov, Igor Baranov, Advanced Software Technology Lab Huawei
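The container procedure above, wrapped as a script (an added example, not part of the patch series or the authors' instructions): it checks that the running kernel actually exposes the /sys/fs/selinux/unshare node before touching anything, validates the namespace name, runs the remaining steps inside the new mount namespace so the selinuxfs remount cannot leak into the parent, and fails if getenforce does not report Enforcing at the end. It assumes the patched kernel from this series and a privileged container with /sys/fs/selinux bind-mounted; SELINUXFS, validate_ns_name, kernel_supports_selinux_ns, inside_ns_script and selinux_ns_enter are names chosen here.

```shell
#!/bin/sh
# Added example: scripted form of the manual steps from the mail.
# Assumes the patched kernel (adds /sys/fs/selinux/unshare) and a
# privileged container with /sys/fs/selinux mapped in.

SELINUXFS=${SELINUXFS:-/sys/fs/selinux}

# The name is written verbatim into the unshare node; only allow a plain token.
validate_ns_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Without the patched kernel the unshare node does not exist; stop early.
kernel_supports_selinux_ns() {
    [ -w "$SELINUXFS/unshare" ]
}

# Commands run by the child shell that unshare spawns in the new mount namespace.
inside_ns_script() {
    cat <<EOF
set -e
umount $SELINUXFS
mount -t selinuxfs none $SELINUXFS/
load_policy
restorecon -Rv /
setenforce 1
[ "\$(getenforce)" = "Enforcing" ] || { echo "namespace not enforcing" >&2; exit 1; }
EOF
}

# Create the SELinux namespace and finish the setup inside a fresh mount namespace.
selinux_ns_enter() {
    ns=$1
    validate_ns_name "$ns" || { echo "bad namespace name: '$ns'" >&2; return 2; }
    kernel_supports_selinux_ns || { echo "kernel lacks $SELINUXFS/unshare" >&2; return 3; }
    echo "$ns" > "$SELINUXFS/unshare" || return 4
    # -m: private mount namespace, so remounting selinuxfs leaves the parent untouched
    unshare --fork -m /bin/sh -c "$(inside_ns_script)"
}

# usage: ./selinux-ns-enter.sh ns
if [ "$#" -gt 0 ]; then
    selinux_ns_enter "$1"
fi
```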