Given the recent discussion of the SELinux namespaces patches, I re-based the working-selinuxns branch of my selinux-kernel fork on top of the dev branch. This required first reverting commit e67b79850fcc ("selinux: stop passing selinux_state pointers and their offspring") which I had created at Linus' request some time ago to avoid the extraneous overhead associated with passing those pointers when there could only be one selinux_state structure. Due to the number of changes, both substantive and coding style related, since the last re-base in 2020, there were numerous conflicts that required manual resolution. I also checked the coding style of each patch with Paul's scripts and fixed any issues introduced by the patches along the way.

The rebase can be found at:
https://github.com/stephensmalley/selinux-kernel/tree/working-selinuxns

It boots, passes the selinux-testsuite (including the NFS tests), and passes the following trivial exercising of the unshare mechanism:

$ sudo bash
# echo 1 > /sys/fs/selinux/unshare
# unshare -m -n
# umount /sys/fs/selinux
# mount -t selinuxfs none /sys/fs/selinux
# id
uid=0(root) gid=0(root) groups=0(root) context=kernel
# getenforce
Permissive
# load_policy
# id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:kernel_t:s0

All the same caveats apply - this is still not safe to use and has many unresolved issues as noted in the patch descriptions.