libselinux: add selinux_unshare() and is_selinux_unshared() #498
Provide a selinux_unshare() wrapper for lsm_set_self_attr(LSM_ATTR_UNSHARE, ...) and other required processing when unsharing the SELinux namespace, and an is_selinux_unshared() wrapper for lsm_get_self_attr(LSM_ATTR_UNSHARE, ...) for detecting whether one is in an unshared SELinux namespace that has not yet been fully initialized.
Add a selinux_unshare() interface to unshare the SELinux namespace, and an unshareselinux utility to run a shell or command in its own SELinux and mount namespaces. The selinux_unshare() interface expects the caller to have already unshared its mount namespace and created a MS_REC|MS_PRIVATE mount of / prior to invoking it so that it can freely modify the selinuxfs mount as needed by the unshare operation. The unshareselinux utility demonstrates how to do this prior to calling selinux_unshare(). Upon a successful return from selinux_unshare(), the SELinux namespace will be unshared and there will be no selinuxfs mount on /sys/fs/selinux. The caller can then proceed to mount a new selinuxfs filesystem private to the new namespace, load a policy, set enforcing mode, etc., as is commonly handled by init/systemd during boot.
Add an is_selinux_unshared() interface to detect whether one is in an unshared SELinux namespace that has not yet been fully initialized (i.e. no policy loaded yet), and a selinuxunshared utility to use it from a shell or script. The is_selinux_unshared() interface returns 1 iff the SELinux namespace has been unshared and has not yet been fully initialized. It returns 0 if SELinux namespaces are not supported or the namespace has not been unshared or the namespace has been fully initialized. If lsm_get_self_attr(2) returns -1 with an errno other than ENOSYS (not implemented) or EOPNOTSUPP (not supported by any active LSM), then is_selinux_unshared() will return -1 with the same errno.
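The caller-side sequence the description above requires (unshare the mount namespace, make / recursively private, call selinux_unshare(), then mount a fresh selinuxfs before loading policy), together with the return contract it gives for is_selinux_unshared(), as an added example in C. This is not the PR's own code nor the unshareselinux utility. It assumes the two new interfaces take no arguments and return an int (the description does not show their prototypes); they are declared as weak symbols so the program links against a libselinux that predates this PR, in which case it reports that and exits. The CLONE_NEWNS fallback value is the kernel's, supplied only in case the headers hide it. Running the mount-namespace steps requires CAP_SYS_ADMIN; the classify_unshare_query() helper is pure and runs anywhere.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000   /* unshare(2) flag: new mount namespace (kernel value) */
#endif

/* Assumed prototypes for the two interfaces this PR adds; their exact
 * signatures are not given in the description. Declared weak so the example
 * links even when the installed libselinux does not provide them. */
extern int selinux_unshare(void) __attribute__((weak));
extern int is_selinux_unshared(void) __attribute__((weak));

/* Preconditions the description states for selinux_unshare(): a private mount
 * namespace plus a recursive MS_PRIVATE mount of /, so the selinuxfs mount can
 * be changed without propagating into the parent namespace.
 * Returns 0, or -1 with errno set (EPERM without CAP_SYS_ADMIN). */
int prepare_private_mount_ns(void)
{
    if (syscall(SYS_unshare, CLONE_NEWNS) < 0)
        return -1;
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
        return -1;
    return 0;
}

/* The is_selinux_unshared() return contract from the description, applied to
 * a raw lsm_get_self_attr(2) outcome: a failure with ENOSYS (no syscall) or
 * EOPNOTSUPP (no active LSM serves the attribute) is "not unshared" (0);
 * any other failure is passed through as -1 with the same errno; on success
 * the answer is whatever the LSM_ATTR_UNSHARE attribute reported. */
int classify_unshare_query(long ret, int err, int attr_reports_unshared)
{
    if (ret < 0) {
        if (err == ENOSYS || err == EOPNOTSUPP)
            return 0;
        errno = err;
        return -1;
    }
    return attr_reports_unshared ? 1 : 0;
}

int main(void)
{
    if (!selinux_unshare || !is_selinux_unshared) {
        fprintf(stderr, "installed libselinux lacks selinux_unshare()/is_selinux_unshared()\n");
        return 1;
    }
    if (prepare_private_mount_ns() < 0) {
        perror("prepare_private_mount_ns");
        return 1;
    }
    if (selinux_unshare() < 0) {
        perror("selinux_unshare");
        return 1;
    }
    /* After a successful return there is no selinuxfs on /sys/fs/selinux;
     * the new namespace mounts its own before any policy can be loaded. */
    if (mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", 0, NULL) < 0) {
        perror("mount selinuxfs");
        return 1;
    }
    int rc = is_selinux_unshared();
    if (rc < 0) {
        perror("is_selinux_unshared");
        return 1;
    }
    printf("unshared namespace awaiting policy load: %s\n", rc == 1 ? "yes" : "no");
    /* Policy load and enforcing-mode setup (what init/systemd does at boot)
     * would follow here. */
    return 0;
}
```

The errno pass-through in classify_unshare_query() matters for scripts built on selinuxunshared: an unexpected error (for example a permission failure) must stay distinguishable from "namespaces unsupported", which the contract folds into 0.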
Please read CONTRIBUTING.md

Contributing Code

Post the patch for the review to the SELinux mailing list at [email protected].

When preparing patches, please follow these guidelines:

- code meets the Developer's certificate of origin, see below.