[PATCH v6 12/42] selinux: exempt creation of init SELinux namespace from limits

[PATCH v6 00/42] SELinux namespace support · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 01/42] selinux: restore passing of selinux_state · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 03/42] selinux: support multiple selinuxfs instances · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 02/42] selinux: introduce current_selinux_state · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 04/42] selinux: dynamically allocate selinux namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 05/42] netstate,selinux: create the selinux netlink socket per network namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 06/42] selinux: limit selinux netlink notifications to init namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 07/42] selinux: support per-task/cred selinux namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 08/42] selinux: introduce cred_selinux_state() and use it · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 09/42] selinux: init inode from nearest initialized namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 10/42] selinux: add a selinuxfs interface to unshare selinux namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 11/42] selinux: add limits for SELinux namespaces · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 12/42] selinux: exempt creation of init SELinux namespace from limits · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 13/42] selinux: refactor selinux_state_create() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 14/42] selinux: allow userspace to detect non-init SELinux namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 15/42] selinuxfs: restrict write operations to the same selinux namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 16/42] selinux: introduce a global SID table · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 17/42] selinux: wrap security server interfaces to use the global SID table · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 18/42] selinux: introduce a Kconfig option for SELinux namespaces · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 19/42] selinux: eliminate global SID table if !CONFIG_SECURITY_SELINUX_NS · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 20/42] selinux: maintain a small cache in the global SID table · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 22/42] selinux: introduce cred_task_has_perm() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 21/42] selinux: update hook functions to use correct selinux namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 23/42] selinux: introduce cred_has_extended_perms() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 24/42] selinux: introduce cred_self_has_perm() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 25/42] selinux: introduce cred_has_perm() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 26/42] selinux: introduce cred_ssid_has_perm() and cred_other_has_perm() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 27/42] selinux: introduce task_obj_has_perm() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 28/42] selinux: update bprm hooks for selinux namespaces · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 29/42] selinux: add kerneldoc to new permission checking functions · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 30/42] selinux: convert selinux_file_send_sigiotask() to namespace-aware helper · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 32/42] selinux: update cred_tsid_has_perm_noaudit() to return the combined avd · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 31/42] selinux: rename cred_has_perm*() to cred_tsid_has_perm*() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 33/42] selinux: convert additional checks to cred_ssid_has_perm() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 34/42] selinux: introduce selinux_state_has_perm() · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 35/42] selinux: annotate selinuxfs permission checks · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 36/42] selinux: annotate process transition permission checks · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 37/42] selinux: convert xfrm and netlabel permission checks · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 38/42] selinux: switch selinux_lsm_setattr() checks to current namespace · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 39/42] selinux: make open_perms namespace-aware · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 40/42] selinux: split cred_ssid_has_perm() into two cases · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 41/42] selinux: convert nlmsg_sock_has_extended_perms() to namespace-aware · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20
[PATCH v6 42/42] selinux: disallow writes to /sys/fs/selinux/user in non-init namespaces · Stephen Smalley <stephen.smalley.work@gmail.com> · 2025-06-20

STALE367d

Revisions (7)

2025-01-02 rfc [diff vs current]
2025-05-15 v2 [diff vs current]
2025-05-20 v3 [diff vs current]
2025-06-10 v4 [diff vs current]
2025-06-17 v5 [diff vs current]
2025-06-20 v6 current
2025-08-14 v7 [diff vs current]

From: Stephen Smalley <stephen.smalley.work@gmail.com>
Date: 2025-06-20 17:45:30
Also in: selinux
Subsystem: selinux security module, the rest · Maintainers: Paul Moore, Stephen Smalley, Linus Torvalds

Exempt the creation of the init SELinux namespace from the
maxns limit. It was already exempted from the maxnsdepth
limit by virtue of only applying that check when there
is a parent namespace. Otherwise, if one were to set
CONFIG_SECURITY_SELINUX_MAXNS to 0, the creation of the
init SELinux namespace would fail.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 security/selinux/hooks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index bf75cabdc86f..2d08c0bd4eba 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c

@@ -7799,7 +7799,7 @@ int selinux_state_create(struct selinux_state *parent,
 	struct selinux_state *newstate;
 	int rc;
 
-	if (atomic_read(&selinux_nsnum) >= selinux_maxns)
+	if (parent && atomic_read(&selinux_nsnum) >= selinux_maxns)
 		return -ENOSPC;
 
 	if (parent && parent->depth >= selinux_maxnsdepth)

-- 
2.49.0

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help