git.baikalelectronics.ru Git - kernel.git/commit

author	Frederick Lawler <fred@cloudflare.com>
	Mon, 15 Aug 2022 16:20:28 +0000 (11:20 -0500)
committer	Paul Moore <paul@paul-moore.com>
	Tue, 16 Aug 2022 21:44:44 +0000 (17:44 -0400)
commit	5da10bbdda7a913a4b6cab3b581029ec739c41d2
tree	2a472ce31a076c9cfb1d12825e28fedc7fe582ca	tree \| snapshot
parent	3388e6f8fa6ac0c25cedc5c18b27926185414fab	commit \| diff

selinux: Implement userns_create hook

Unprivileged user namespace creation is an intended feature to enable
sandboxing, however this feature is often used to as an initial step to
perform a privilege escalation attack.

This patch implements a new user_namespace { create } access control
permission to restrict which domains allow or deny user namespace
creation. This is necessary for system administrators to quickly protect
their systems while waiting for vulnerability patches to be applied.

This permission can be used in the following way:

allow domA_t domA_t : user_namespace { create };

Signed-off-by: Frederick Lawler <fred@cloudflare.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

security/selinux/hooks.c		diff \| blob \| history
security/selinux/include/classmap.h		diff \| blob \| history