[RFC PATCH 32/44] selinux: limit selinux netlink notifications to init namespace

To prevent modifying the enforcing status or resetting the AVC
in the userspace policy enforcers, do not deliver SELinux netlink
notifications to the init network namespace unless they were
generated by the init SELinux namespace. If you want to receive
SELinux netlink notifications in a non-init SELinux namespace,
then unshare your network namespace too. Otherwise, just map
the SELinux status page (/sys/fs/selinux/status) to check the
enforcing status and to detect policy reloads, which is now the
default behavior in libselinux on any kernels that support it.

Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
---
 security/selinux/netlink.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/security/selinux/netlink.c b/security/selinux/netlink.c
index 03678a76f4bb..fb55d3ba25f5 100644
--- a/security/selinux/netlink.c
+++ b/security/selinux/netlink.c
@@ -70,6 +70,17 @@ static void selnl_notify(int msgtype, void *data)
 	struct sk_buff *skb;
 	struct nlmsghdr *nlh;
 
+	/*
+	 * Do not deliver SELinux netlink notifications to the
+	 * init network namespace if they were not generated
+	 * by the init selinux namespace. Unshare network
+	 * namespace if you want to receive them; otherwise,
+	 * just get updates via the SELinux status page.
+	 */
+	if (current_selinux_state != init_selinux_state &&
+	    net_eq(current->nsproxy->net_ns, &init_net))
+		return;
+
 	len = selnl_msglen(msgtype);
 
 	skb = nlmsg_new(len, GFP_USER);
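Review bot: the gate at the top of selnl_notify() suppresses the notification only when the caller is in a non-init SELinux namespace and its task is in &init_net, but nothing in this hunk shows that the broadcast socket used further down is itself per-network-namespace. If selnl is still created only for &init_net, a non-init SELinux namespace that has unshared its network namespace (the case the comment tells users to rely on) would pass this check and still broadcast to init_net listeners, which is exactly what the commit message says must not happen; please confirm that an earlier patch in the series makes the socket per-net, and say so in the commit message. A minor point: the check dereferences current->nsproxy unconditionally, so it is worth stating (in the comment or the commit message) that every caller of selnl_notify() runs in the context of a user task that triggered the selinuxfs write, since nsproxy can be NULL for a task that is exiting or for a kernel thread.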
-- 
2.47.1
