Re: [PATCH RFC] security: add LSM blob and hooks for namespaces

Next message: Peter Rosin: "Re: [PATCH v6 2/5] i2c: mux: add support for per channel bus frequency"
Previous message: Alice Ryhl: "Re: [PATCH v2] rust: page: add byte-wise atomic memory copy methods"
In reply to: Casey Schaufler: "Re: [PATCH RFC] security: add LSM blob and hooks for namespaces"
Next in thread: Casey Schaufler: "Re: [PATCH RFC] security: add LSM blob and hooks for namespaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Christian Brauner

Date: Tue Feb 17 2026 - 04:39:37 EST

On Mon, Feb 16, 2026 at 09:34:57AM -0800, Casey Schaufler wrote:
> On 2/16/2026 5:52 AM, Christian Brauner wrote:
> > All namespace types now share the same ns_common infrastructure. Extend
> > this to include a security blob so LSMs can start managing namespaces
> > uniformly without having to add one-off hooks or security fields to
> > every individual namespace type.
>
> The implementation appears sound.
>
> I have to question whether having LSM controls on namespaces is reasonable.

This is already in active use today but only in a very limited capacity.
This generalizes it.

> I suppose that you could have a system where (for example) SELinux runs
> in permissive mode except within a specific user namespace, where it would
> enforce policy. Do you have a use case in mind?

We will use it in systemd services and containers to monitor and
supervise namespaces.