diff options
| author |   Frederick Lawler <fred@cloudflare.com> | 2022-08-15 11:20:28 -0500 |
|---|---|---|
| committer |   Paul Moore <paul@paul-moore.com> | 2022-08-16 17:44:44 -0400 |
| commit | ed5d44d42c95e8a13bb54e614d2269c8740667f9 (patch) | |
| tree | 2a472ce31a076c9cfb1d12825e28fedc7fe582ca /security/selinux/include | |
| parent | selftests/bpf: Add tests verifying bpf lsm userns_create hook (diff) | |
| download | linux-dev-ed5d44d42c95e8a13bb54e614d2269c8740667f9.tar.xz linux-dev-ed5d44d42c95e8a13bb54e614d2269c8740667f9.zip | |
selinux: Implement userns_create hook
Unprivileged user namespace creation is an intended feature to enable
sandboxing, however this feature is often used to as an initial step to
perform a privilege escalation attack.
This patch implements a new user_namespace { create } access control
permission to restrict which domains allow or deny user namespace
creation. This is necessary for system administrators to quickly protect
their systems while waiting for vulnerability patches to be applied.
This permission can be used in the following way:
allow domA_t domA_t : user_namespace { create };
Signed-off-by: Frederick Lawler <fred@cloudflare.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/include')
| -rw-r--r-- | security/selinux/include/classmap.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index ff757ae5f253..0bff55bb9cde 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -254,6 +254,8 @@ const struct security_class_mapping secclass_map[] = { { COMMON_FILE_PERMS, NULL } }, { "io_uring", { "override_creds", "sqpoll", NULL } }, + { "user_namespace", + { "create", NULL } }, { NULL } }; |