From: Alexander Kozhevnikov <alexander.kozhevnikov@huawei.com>
To: <paul@paul-moore.com>
Cc: <alexander.kozhevnikov@huawei.com>, <artem.kuzin@huawei.com>,
	<hw.likun@huawei.com>, <igor.baranov@huawei.com>,
	<jamorris@linux.microsoft.com>,
	<linux-security-module@vger.kernel.org>,
	<selinux@vger.kernel.org>, <stephen.smalley.work@gmail.com>,
	<xiujianfeng@huawei.com>, <yusongping@huawei.com>,
	<anton.sirazetdinov@huawei.com>
Subject: [RFC PATCH 0/7] SELinux-namespace
Date: Mon, 18 Apr 2022 17:45:45 +0800	[thread overview]
Message-ID: <20220418094552.128898-1-alexander.kozhevnikov@huawei.com> (raw)
In-Reply-To: <CAHC9VhTDu1GDxJwFg5gAMWhuMKUWEU5eXuTr_6eG=tGwiGsMTw@mail.gmail.com>

From: Igor Baranov <igor.baranov@huawei.com>

Continuing the previous discussion, we decided to do the following: publish all of our patches.
The aim of this patch series is to extend the functionality and
stability of SELinux namespaces based on the existing work for a basic
PoC.

To try our patches you need to:
* Checkout https://github.com/stephensmalley/selinux-kernel/commit/3a3b3ad9bd266f0199a2db6c0aa15c343c2307f1
* Apply our patches.
* Compile the kernel and boot into it.
* Next, we recommend creating a privileged Docker container with an SELinux-based distribution (we used CentOS 7), mapping /sys/fs/selinux:/sys/fs/selinux.
* Then log into the container and do the following:

# create new namespace with name "ns", unshare previous one
echo "ns" > /sys/fs/selinux/unshare; unshare --fork -m
# remount selinuxfs, load policy
umount /sys/fs/selinux; mount -t selinuxfs none /sys/fs/selinux/; load_policy
# relabel everything
restorecon / -Rv
# check xattr's
ls -Z
# now enter enforcing mode
setenforce 1
# check enforce
getenforce

First of all, there is a need to build a solid code base for a
workable PoC on the latest working-selinux branch, hence the related
commits picked from the sources comprise the first two patches.
The remaining five patches are the major work; a detailed description
can be found in each commit message:

  (1) Infrastructure management of the superblock
  (2) support per-namespace superblock security structures
  (3) Fix initilization of the superblock security under spinlock
  (4) Namespacing for xattrs
  (5) Migrate all open files and all vma to new namespace
  (6) Fixing superblock security structure memory leakage
  (7) Fixing concurrency issues

Hope the initial efforts in this direction could re-initiate the discussion.
Thanks.

 README.SELINUX-NAMESPACES           |  22 +
 include/linux/lsm_hooks.h           |   1 +
 security/security.c                 |  46 +-
 security/selinux/hooks.c            | 682 +++++++++++++++++++++-------
 security/selinux/include/objsec.h   |  41 +-
 security/selinux/include/security.h |  23 +-
 security/selinux/selinuxfs.c        | 368 +++++++++++----
 security/selinux/ss/services.c      |  32 +-
 security/smack/smack.h              |   6 +
 security/smack/smack_lsm.c          |  35 +-
 10 files changed, 950 insertions(+), 306 deletions(-)
 create mode 100644 README.SELINUX-NAMESPACES

-- 
2.34.1

Alexander Kozhevnikov,
Igor Baranov,

Advanced Software Technology Lab

Huawei
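The sequence from the cover letter above, as an added example that is not part of the posted series: a POSIX sh wrapper that runs the steps inside one mount namespace and refuses to run setenforce 1 if any intermediate check fails (selinuxfs not actually remounted, unlabeled entries left after restorecon, getenforce not reporting Enforcing). It assumes the patched kernel's /sys/fs/selinux/unshare interface shown in the message and the usual unshare(1), findmnt(8), load_policy(8), restorecon(8), getenforce and setenforce tools; the rule that the namespace name must be a single plain token is an assumption, since the message only shows "ns". The unlabeled-file check relies on coreutils ls -Z printing "?" in the context column for files without a security context.

```shell
#!/bin/sh
# Added example, not part of the posted patch series. Runs the cover letter's
# steps inside one mount namespace with checks between them. Assumes the
# /sys/fs/selinux/unshare interface from the patched kernel and the util-linux
# unshare(1) and findmnt(8) plus the SELinux userspace tools.

SELINUXFS=/sys/fs/selinux

# Namespace name as written to $SELINUXFS/unshare. Assumption: a single plain
# token (not empty, no slashes, no whitespace); the message only shows "ns".
valid_ns_name() {
    case "$1" in
        ""|*/*|*[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Interpret a filesystem type as reported by: findmnt -rno FSTYPE "$SELINUXFS"
is_selinuxfs() {
    [ "$1" = "selinuxfs" ]
}

# Interpret getenforce output.
is_enforcing() {
    [ "$1" = "Enforcing" ]
}

# Count entries of an "ls -Z" listing (context, then name) that have no
# security context; coreutils prints "?" in the context column for those.
count_unlabeled() {
    printf '%s\n' "$1" | awk '$1 == "?" { n++ } END { print n + 0 }'
}

# Step 1: create the SELinux namespace, then re-exec this script inside a
# private mount namespace so the remaining steps run in the right place.
enter_ns() {
    ns="$1"
    valid_ns_name "$ns" || { echo "bad namespace name: '$ns'" >&2; return 1; }
    echo "$ns" > "$SELINUXFS/unshare" || return 1
    unshare --fork -m "$0" --inside
}

# Steps 2-4, executed inside the new mount namespace.
inside_ns() {
    # 2. remount selinuxfs so this namespace sees its own instance, load policy
    umount "$SELINUXFS" || return 1
    mount -t selinuxfs none "$SELINUXFS" || return 1
    is_selinuxfs "$(findmnt -rno FSTYPE "$SELINUXFS")" \
        || { echo "no selinuxfs mounted at $SELINUXFS" >&2; return 1; }
    load_policy || return 1
    # 3. relabel everything; do not enforce while anything in / is unlabeled
    restorecon -R / || return 1
    unlabeled=$(count_unlabeled "$(ls -Z /)")
    [ "$unlabeled" -eq 0 ] \
        || { echo "$unlabeled unlabeled entries under /" >&2; return 1; }
    # 4. enter enforcing mode and confirm it took effect
    setenforce 1 || return 1
    is_enforcing "$(getenforce)" \
        || { echo "namespace is still not enforcing" >&2; return 1; }
    echo "SELinux namespace ready: $(getenforce)"
}

# Usage: ./selinux-ns.sh --run [name]   (the --inside form is internal)
case "${1:-}" in
    --run)    enter_ns "${2:-ns}" ;;
    --inside) inside_ns ;;
esac
```

The re-exec through unshare is what makes the checks meaningful: in the interactive version the unshare --fork -m call opens a new shell and the later commands are typed by hand, so a typo or a failed remount silently leaves the caller in the parent namespace while setenforce 1 still runs.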
