Unverified Commit 7d90fb52 authored Feb 24, 2025 by Miklos Szeredi Committed by Christian Brauner Feb 27, 2025

selinux: add FILE__WATCH_MOUNTNS



Watching mount namespaces for changes (mount, umount, move mount) was added
by previous patches.

This patch adds the file/watch_mountns permission that can be applied to
nsfs files (/proc/$$/ns/mnt), making it possible to allow or deny watching
a particular namespace for changes.

Suggested-by: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/all/CAHC9VhTOmCjCSE2H0zwPOmpFopheexVb6jyovz92ZtpKtoVv6A@mail.gmail.com/


Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Link: https://lore.kernel.org/r/20250224154836.958915-1-mszeredi@redhat.com


Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>

parent 33cec19d

security/selinux/hooks.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -3395,6 +3395,9 @@ static int selinux_path_notify(const struct path *path, u64 mask,
		case FSNOTIFY_OBJ_TYPE_INODE:
		perm = FILE__WATCH;
		break;
		case FSNOTIFY_OBJ_TYPE_MNTNS:
		perm = FILE__WATCH_MOUNTNS;
		break;
		default:
		return -EINVAL;
		}

security/selinux/include/classmap.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -8,7 +8,7 @@
		COMMON_FILE_SOCK_PERMS, "unlink", "link", "rename", "execute", \
		"quotaon", "mounton", "audit_access", "open", "execmod", \
		"watch", "watch_mount", "watch_sb", "watch_with_perm", \
		"watch_reads"
		"watch_reads", "watch_mountns"

		#define COMMON_SOCK_PERMS \
		COMMON_FILE_SOCK_PERMS, "bind", "connect", "listen", "accept", \