diff options
| author | Miklos Szeredi <mszeredi@redhat.com> | 2025-02-24 16:48:36 +0100 |
|---|---|---|
| committer | Christian Brauner <brauner@kernel.org> | 2025-02-27 09:16:04 +0100 |
| commit | 7d90fb525319d9761a8560bbf8287bcc9789bfec (patch) | |
| tree | f9436e169772d8b07138ddd036eff6bd26ccc7f8 /security/selinux/hooks.c | |
| parent | 33cec19dc022369e02f860150e5dfe32708016dc (diff) | |
| download | linux-7d90fb525319d9761a8560bbf8287bcc9789bfec.tar.gz linux-7d90fb525319d9761a8560bbf8287bcc9789bfec.tar.bz2 linux-7d90fb525319d9761a8560bbf8287bcc9789bfec.zip | |
selinux: add FILE__WATCH_MOUNTNS
Watching mount namespaces for changes (mount, umount, move mount) was added
by previous patches.
This patch adds the file/watch_mountns permission that can be applied to
nsfs files (/proc/$$/ns/mnt), making it possible to allow or deny watching
a particular namespace for changes.
Suggested-by: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/all/CAHC9VhTOmCjCSE2H0zwPOmpFopheexVb6jyovz92ZtpKtoVv6A@mail.gmail.com/
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Link: https://lore.kernel.org/r/20250224154836.958915-1-mszeredi@redhat.com
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7b867dfec88b..212cdead2b52 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3395,6 +3395,9 @@ static int selinux_path_notify(const struct path *path, u64 mask, case FSNOTIFY_OBJ_TYPE_INODE: perm = FILE__WATCH; break; + case FSNOTIFY_OBJ_TYPE_MNTNS: + perm = FILE__WATCH_MOUNTNS; + break; default: return -EINVAL; } |