Are there any relevant LSM hooks in the Linux kernel, not proposed patches, that can be used to secure the use of the `setns` system call? If there aren't, then what can be used to restrict the namespaces that a process can switch into?
Asked by Melab
- [The man page](https://man7.org/linux/man-pages/man2/setns.2.html) explains in detail exactly what restrictions there are on joining each type of namespace. What specific type of namespace do you want to restrict, and why are the already-available options not suitable? – Joseph Sible-Reinstate Monica Apr 17 '21 at 01:31
- @JosephSibleReinstateMonica Something granular and configurable, a little like the way most LSM policies work. The purpose is to prevent processes originating in one mount namespace from switching into any ancestor, sibling, or cousin mount namespace. – Melab Apr 17 '21 at 16:37
- Do you want to restrict processes that are running as root? If so, why, and can you elaborate more on your threat model? If not, doesn't the requirement to have `CAP_SYS_ADMIN` in both its user namespace and the new mount namespace's user namespace already prevent that? – Joseph Sible-Reinstate Monica Apr 17 '21 at 16:39
- @JosephSibleReinstateMonica That is part of it. `CAP_SYS_ADMIN` is not granular and grants the ability to switch between all namespaces. The solution must be able to restrict particular processes from switching to particular namespaces. – Melab Apr 18 '21 at 21:45
- Which of these describes your situation? 1. You have a process that does have `CAP_SYS_ADMIN` and so can currently switch to any namespace, but you want to restrict it so it can switch to some but not others. 2. You have a process that doesn't have `CAP_SYS_ADMIN` and so can't currently switch namespaces at all, but you want to allow it to switch to certain ones. – Joseph Sible-Reinstate Monica Apr 18 '21 at 21:47
- @JosephSibleReinstateMonica Number 1. – Melab Apr 19 '21 at 00:52
- @JosephSibleReinstateMonica I have answered your question. – Melab Apr 21 '21 at 05:23
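The comments above contrast the coarse `CAP_SYS_ADMIN` gate with the per-namespace policy the asker wants. One mechanism that does exist in released kernels and sits in between is seccomp-bpf: a filter can inspect the arguments of `setns(fd, nstype)` and restrict which namespace *types* a process, even one holding `CAP_SYS_ADMIN`, may join. The program below is an added example, not code from the question, the comments, or any project; the policy it enforces (only `CLONE_NEWNET` may be joined) and the function names `install_setns_filter` and `probe_setns` are assumptions chosen for illustration. It needs a Linux kernel with seccomp filter support and runs unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* A seccomp filter must pin the syscall ABI it was written for, otherwise a
 * compat-mode caller could reach a different syscall under the same number. */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Assumed policy for this example: the only namespace type this process may
 * join via setns(2) is a network namespace.  Every other nstype, including 0
 * ("whatever type the fd refers to"), is refused with EPERM. */
#define ALLOWED_NSTYPE CLONE_NEWNET

static struct sock_filter setns_filter[] = {
    /* 0-2: kill the process if the syscall ABI is not the one compiled for. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-4: every syscall other than setns(2) is allowed (jump to index 8). */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setns, 0, 3),
    /* 5-7: setns(fd, nstype): compare the low 32 bits of arg1 (little-endian
     * targets) with the single permitted type; anything else gets EPERM. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ALLOWED_NSTYPE, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    /* 8: allow. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Installs the filter for the calling thread (inherited by children).
 * NO_NEW_PRIVS is required to load a filter without CAP_SYS_ADMIN; it also
 * stops setuid binaries from escaping the policy.  Returns 0 or -1/errno. */
int install_setns_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(setns_filter) / sizeof(setns_filter[0])),
        .filter = setns_filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Calls setns(fd, nstype) and returns 0 on success or the errno it failed with.
 * With fd == -1 the kernel answers EBADF, so a result of EBADF proves the call
 * got past the filter, while EPERM proves the filter refused it. */
int probe_setns(int fd, int nstype)
{
    if (setns(fd, nstype) == 0)
        return 0;
    return errno;
}

int main(void)
{
    if (install_setns_filter() != 0) {
        perror("seccomp filter");
        return 1;
    }
    int e;
    e = probe_setns(-1, CLONE_NEWNS);
    printf("setns(-1, CLONE_NEWNS)  -> %s\n", strerror(e)); /* filtered: EPERM */
    e = probe_setns(-1, 0);
    printf("setns(-1, 0)            -> %s\n", strerror(e)); /* filtered: EPERM */
    e = probe_setns(-1, CLONE_NEWNET);
    printf("setns(-1, CLONE_NEWNET) -> %s\n", strerror(e)); /* reached kernel: EBADF */
    return 0;
}
```

The caveat that matters for the asker's requirement: seccomp only sees the raw arguments, an fd number and `nstype`, not which mount namespace the fd refers to, so it can express "this process may never join a mount namespace" but not "this process may join its own descendants and no ancestor, sibling or cousin". Distinguishing namespace instances has to happen where the kernel resolves the fd to a namespace, which is exactly the hook point the question is asking about.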