Message-ID: <20250617140531.2036-13-stephen.smalley.work@gmail.com>
Date: Tue, 17 Jun 2025 10:04:59 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: selinux@...r.kernel.org
Cc: paul@...l-moore.com,
omosnace@...hat.com,
netdev@...r.kernel.org,
horms@...nel.org,
Stephen Smalley <stephen.smalley.work@...il.com>
Subject: [PATCH v5 12/42] selinux: exempt creation of init SELinux namespace from limits
Exempt the creation of the init SELinux namespace from the
maxns limit. It was already exempted from the maxnsdepth
limit by virtue of only applying that check when there
is a parent namespace. Otherwise, if one were to set
CONFIG_SECURITY_SELINUX_MAXNS to 0, the creation of the
init SELinux namespace would fail.
Signed-off-by: Stephen Smalley <stephen.smalley.work@...il.com>
---
security/selinux/hooks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d65107cc5cb2..746ef41b959c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7787,7 +7787,7 @@ int selinux_state_create(struct selinux_state *parent,
struct selinux_state *newstate;
int rc;
- if (atomic_read(&selinux_nsnum) >= selinux_maxns)
+ if (parent && atomic_read(&selinux_nsnum) >= selinux_maxns)
return -ENOSPC;
if (parent && parent->depth >= selinux_maxnsdepth)
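Review bot: The added `parent &&` guard changes what selinux_maxns means: it is now a cap on non-init namespaces only, since the `parent == NULL` (init) case skips the count check entirely. That semantic shift is not reflected anywhere a user would read it; consider updating the help text for CONFIG_SECURITY_SELINUX_MAXNS (named in the commit message) to say the init namespace is not counted against the limit, so that a value of 0 is understood as "no child namespaces". As a minor style point, the two consecutive `parent && ...` conditions could be folded into a single `if (parent) { ... }` block so the exemption is expressed once rather than duplicated across the maxns and maxnsdepth checks.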
--
2.49.0