selinux: add FILE__WATCH_MOUNTNS
authorMiklos Szeredi <mszeredi@redhat.com>
Mon, 24 Feb 2025 15:48:36 +0000 (16:48 +0100)
committerChristian Brauner <brauner@kernel.org>
Thu, 27 Feb 2025 08:16:04 +0000 (09:16 +0100)
Watching mount namespaces for changes (mount, umount, move mount) was added
by previous patches.

This patch adds the file/watch_mountns permission that can be applied to
nsfs files (/proc/$$/ns/mnt), making it possible to allow or deny watching
a particular namespace for changes.

Suggested-by: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/all/CAHC9VhTOmCjCSE2H0zwPOmpFopheexVb6jyovz92ZtpKtoVv6A@mail.gmail.com/
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Link: https://lore.kernel.org/r/20250224154836.958915-1-mszeredi@redhat.com
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
security/selinux/hooks.c
security/selinux/include/classmap.h

index 7b867dfec88baaf90dd10a1b9f6c4ce0058ad97c..212cdead2b526717ff632ec2982ecd7888085fa5 100644 (file)
@@ -3395,6 +3395,9 @@ static int selinux_path_notify(const struct path *path, u64 mask,
        case FSNOTIFY_OBJ_TYPE_INODE:
                perm = FILE__WATCH;
                break;
+       case FSNOTIFY_OBJ_TYPE_MNTNS:
+               perm = FILE__WATCH_MOUNTNS;
+               break;
        default:
                return -EINVAL;
        }
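Review bot: The new `FSNOTIFY_OBJ_TYPE_MNTNS` case carries no comment saying what object the permission is enforced against, and unlike the superblock case it adds no secondary check: the `perm` chosen here is presumably evaluated after the switch against the label of the `path` passed in, which for a mount-namespace mark is the nsfs file (`/proc/$$/ns/mnt` per the description), not any mount or superblock inside that namespace. That scoping is a real policy-design consequence (access to the nsfs inode is the only gate), so make it explicit with `/* mount-ns marks are checked against the nsfs inode, not the mounts within it */` above `perm = FILE__WATCH_MOUNTNS;`. If the remainder of the function ORs in watch_with_perm/watch_reads based on the event mask, it is worth confirming those bits are meaningful for mount-namespace notifications or documenting that they are not expected here. selinux_path_notify begins before this hunk and continues after it.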
index 03e82477dce97faa42bff3369dc838f6796d5491..f9b5ca92a825802d55d50127e305577eb57a0686 100644 (file)
@@ -8,7 +8,7 @@
        COMMON_FILE_SOCK_PERMS, "unlink", "link", "rename", "execute",   \
                "quotaon", "mounton", "audit_access", "open", "execmod", \
                "watch", "watch_mount", "watch_sb", "watch_with_perm",   \
-               "watch_reads"
+               "watch_reads", "watch_mountns"
 
 #define COMMON_SOCK_PERMS                                              \
        COMMON_FILE_SOCK_PERMS, "bind", "connect", "listen", "accept", \
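Review bot: `COMMON_FILE_PERMS` is expanded into every file-like class, and an SELinux access vector is a u32, so each class that includes it must stay at or below 32 permissions after `"watch_mountns"` is appended; the per-class totals (e.g. dir, which adds its own entries, and `COMMON_FILE_SOCK_PERMS` above this hunk) are not visible here, so confirm the widest class still fits and that any compile-time bound on permission count covers it. Appending at the end rather than inserting mid-list keeps the positions of existing entries, which is the right choice. A short comment above the macro, e.g. `/* shared by file, dir, lnk_file, ...; a class may hold at most 32 permissions */`, would help the next person adding a permission.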