This is an RFC-only for the SELinux namespace support, just to
encourage early review and identification of any show-stoppers
with respect to the design and implementation to date.
Patches 0001 through 0009 are just re-based versions of the original
SELinux namespace series that predated COVID. The remaining patches
are all new relative to mid-2024 when work on the namespace
support restarted.
If you actually want to try running it, I'd recommend instead using
my branch which has an additional cherry-picked fix from upstream
needed to avoid crashing the kernel. This can be cloned via
git clone -b working-selinuxns \
https://github.com/stephensmalley/selinux-kernel
Configure the kernel as usual but add CONFIG_SECURITY_SELINUX_NS=y
to enable the support. More detailed instructions on building, booting,
and testing the SELinux namespace support available upon request. I
have been running the SELinux testsuite and booting Fedora,
Rocky 9, and Rocky 8 containers with SELinux enforcing within
the container on a Fedora SELinux-enforcing host OS, a Fedora
SELinux-disabled (no policy) host, and an Ubuntu SELinux-disabled
(no policy) host.
Known remaining issues include:
- Per-namespace checking of all relevant policy capabilities (currently
done for the open_perms capability),
- Proper handling of peer/packet labels when they cross SELinux namespaces,
- Optimizing the implementation for the single SELinux namespace case,
- Review, and if desired, change the kernel interface for unsharing the
SELinux namespace (currently via /sys/fs/selinux/unshare with a
libselinux wrapper),
- Namespace-aware context mount options for sVirt-like setups,
- Namespace support for certain residual networking hooks that lack it
- Anything else noted in the patches themselves.
It is an open question as to whether some or all of the changes could
be merged before all of the above issues are resolved, given that
the support is only exposed to userspace if CONFIG_SECURITY_SELINUX_NS=y
and even then only to privileged userspace. I think at a minimum we
would likely need to optimize the implementation for the single SELinux
namespace case so that it does not introduce any significant overhead
prior to merging, or extend CONFIG_SECURITY_SELINUX_NS to actually
compile away the extra storage and runtime overheads introduced by
the infrastructure. Open to suggestions.
Stephen Smalley (44):
selinux: restore passing of selinux_state
selinux: introduce current_selinux_state
selinux: support multiple selinuxfs instances
selinux: dynamically allocate selinux namespace
netstate,selinux: create the selinux netlink socket per network
namespace
selinux: support per-task/cred selinux namespace
selinux: introduce cred_selinux_state() and use it
selinux: add a selinuxfs interface to unshare selinux namespace
selinuxfs: restrict write operations to the same selinux namespace
selinux: introduce a global SID table
selinux: wrap security server interfaces to use the global SID table
selinux: update hook functions to use correct selinux namespace
selinux: introduce cred_task_has_perm()
selinux: introduce cred_has_extended_perms()
selinux: introduce cred_self_has_perm()
selinux: introduce cred_has_perm()
selinux: introduce cred_ssid_has_perm() and cred_other_has_perm()
selinux: introduce task_obj_perm()
selinux: fix selinux_lsm_getattr() check
selinux: update bprm hooks for selinux namespaces
selinux: add kerneldoc to new permission checking functions
selinux: convert selinux_file_send_sigiotask() to namespace-aware
helper
selinux: rename cred_has_perm*() to cred_tsid_has_perm*()
selinux: convert additional checks to cred_ssid_has_perm()
selinux: introduce selinux_state_has_perm()
selinux: annotate selinuxfs permission checks
selinux: annotate process transition permission checks
selinux: convert xfrm and netlabel permission checks
selinux: switch selinux_lsm_setattr() checks to current namespace
selinux: add limits for SELinux namespaces
selinux: fix namespace creation
selinux: limit selinux netlink notifications to init namespace
selinux: refactor selinux_state_create()
selinux: make open_perms namespace-aware
selinux: split cred_ssid_has_perm() into two cases
selinux: set initial SID context for init to "kernel" in global SID
table
selinux: disallow writes to /sys/fs/selinux/user in non-init
namespaces
selinux: convert nlmsg_sock_has_extended_perms() to namespace-aware
selinux: defer inode init on current selinux state
selinux: init inode from nearest initialized namespace
selinux: allow userspace to detect non-init SELinux namespace
selinux: exempt creation of init SELinux namespace from limits
selinux: introduce a Kconfig option for SELinux namespaces
selinux: fix inode initialization when no namespace is initialized
include/net/net_namespace.h | 3 +
security/selinux/Kconfig | 54 +
security/selinux/Makefile | 2 +-
security/selinux/avc.c | 743 ++++++++--
security/selinux/global_sidtab.c | 758 ++++++++++
security/selinux/hooks.c | 1309 ++++++++++-------
security/selinux/ibpkey.c | 2 +-
security/selinux/ima.c | 37 +-
security/selinux/include/avc.h | 78 +-
security/selinux/include/avc_ss.h | 3 +-
security/selinux/{ss => include}/avtab.h | 0
security/selinux/include/classmap.h | 2 +-
security/selinux/include/conditional.h | 4 +-
security/selinux/{ss => include}/constraint.h | 0
security/selinux/{ss => include}/context.h | 0
security/selinux/{ss => include}/ebitmap.h | 0
security/selinux/include/global_sidtab.h | 22 +
security/selinux/{ss => include}/hashtab.h | 0
security/selinux/include/ima.h | 11 +-
security/selinux/{ss => include}/mls.h | 0
security/selinux/{ss => include}/mls_types.h | 0
security/selinux/include/netif.h | 4 +-
security/selinux/include/netlabel.h | 14 +-
security/selinux/include/netnode.h | 4 +-
security/selinux/include/objsec.h | 29 +-
security/selinux/{ss => include}/policydb.h | 0
security/selinux/include/security.h | 249 ++--
security/selinux/include/selinux_ss.h | 115 ++
security/selinux/{ss => include}/sidtab.h | 5 +
security/selinux/{ss => include}/symtab.h | 0
security/selinux/include/xfrm.h | 4 +-
security/selinux/netif.c | 31 +-
security/selinux/netlabel.c | 32 +-
security/selinux/netlink.c | 42 +-
security/selinux/netnode.c | 25 +-
security/selinux/netport.c | 2 +-
security/selinux/selinuxfs.c | 548 +++++--
security/selinux/ss/services.c | 421 +++---
security/selinux/ss/services.h | 1 +
security/selinux/ss/sidtab.c | 14 +-
security/selinux/status.c | 44 +-
security/selinux/xfrm.c | 47 +-
42 files changed, 3570 insertions(+), 1089 deletions(-)
create mode 100644 security/selinux/global_sidtab.c
rename security/selinux/{ss => include}/avtab.h (100%)
rename security/selinux/{ss => include}/constraint.h (100%)
rename security/selinux/{ss => include}/context.h (100%)
rename security/selinux/{ss => include}/ebitmap.h (100%)
create mode 100644 security/selinux/include/global_sidtab.h
rename security/selinux/{ss => include}/hashtab.h (100%)
rename security/selinux/{ss => include}/mls.h (100%)
rename security/selinux/{ss => include}/mls_types.h (100%)
rename security/selinux/{ss => include}/policydb.h (100%)
create mode 100644 security/selinux/include/selinux_ss.h
rename security/selinux/{ss => include}/sidtab.h (95%)
rename security/selinux/{ss => include}/symtab.h (100%)
--
2.47.1
