author | Frederick Lawler <fred@cloudflare.com> | 2022-08-15 19:20:28 +0300 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2022-08-17 00:44:44 +0300 |
commit | ed5d44d42c95e8a13bb54e614d2269c8740667f9 (patch) | |
tree | 2a472ce31a076c9cfb1d12825e28fedc7fe582ca /security/selinux/include | |
parent | d5810139cca39cf2854728b465f8bada4a445302 (diff) | |
download | linux-ed5d44d42c95e8a13bb54e614d2269c8740667f9.tar.xz |
selinux: Implement userns_create hook
Unprivileged user namespace creation is an intended feature to enable
sandboxing, however this feature is often used as an initial step to
perform a privilege escalation attack.

This patch implements a new user_namespace { create } access control
permission to restrict which domains allow or deny user namespace
creation. This is necessary for system administrators to quickly protect
their systems while waiting for vulnerability patches to be applied.

This permission can be used in the following way:

    allow domA_t domA_t : user_namespace { create };

Signed-off-by: Frederick Lawler <fred@cloudflare.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/include')
-rw-r--r-- | security/selinux/include/classmap.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index ff757ae5f253..0bff55bb9cde 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -254,6 +254,8 @@ const struct security_class_mapping secclass_map[] = { { COMMON_FILE_PERMS, NULL } }, { "io_uring", { "override_creds", "sqpoll", NULL } }, + { "user_namespace", + { "create", NULL } }, { NULL } }; |
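
Review bot: the new "user_namespace" class and its "create" permission in secclass_map[] come with no statement, in the commit message or beside the entry, of what happens on a system whose loaded policy predates the class. Such a policy contains no user_namespace rules, so the outcome of the check is decided by the policy's handle_unknown setting rather than by an allow rule like the one quoted in the message; please state that in the commit message, since the stated goal is letting administrators restrict namespace creation quickly. Only classmap.h is visible in this view (the diffstat is limited to security/selinux/include), so the hook that consumes this class should be checked separately to confirm it refers to the class and permission added here.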