selinux: add FILE__WATCH_MOUNTNS

Watching mount namespaces for changes (mount, umount, move mount) was added by previous patches. This patch adds the file/watch_mountns permission that can be applied to nsfs files (/proc/$$/ns/mnt), making it possible to allow or deny watching a particular namespace for changes. Suggested-by: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/all/CAHC9VhTOmCjCSE2H0zwPOmpFopheexVb6jyovz92ZtpKtoVv6A@mail.gmail.com/ Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Link: https://lore.kernel.org/r/20250224154836.958915-1-mszeredi@redhat.com Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Christian Brauner <brauner@kernel.org>
author: Miklos Szeredi <mszeredi@redhat.com> 2025-02-24 16:48:36 +0100
committer: Christian Brauner <brauner@kernel.org> 2025-02-27 09:16:04 +0100
commit: 7d90fb525319d9761a8560bbf8287bcc9789bfec (patch)
tree: f9436e169772d8b07138ddd036eff6bd26ccc7f8 /security/selinux/include
parent: 33cec19dc022369e02f860150e5dfe32708016dc (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 03e82477dce9..f9b5ca92a825 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -8,7 +8,7 @@
 	COMMON_FILE_SOCK_PERMS, "unlink", "link", "rename", "execute",   \
 		"quotaon", "mounton", "audit_access", "open", "execmod", \
 		"watch", "watch_mount", "watch_sb", "watch_with_perm",   \
-		"watch_reads"
+		"watch_reads", "watch_mountns"
 
 #define COMMON_SOCK_PERMS                                              \
 	COMMON_FILE_SOCK_PERMS, "bind", "connect", "listen", "accept", \
author	Miklos Szeredi <mszeredi@redhat.com>	2025-02-24 16:48:36 +0100
committer	Christian Brauner <brauner@kernel.org>	2025-02-27 09:16:04 +0100
commit	7d90fb525319d9761a8560bbf8287bcc9789bfec (patch)
tree	f9436e169772d8b07138ddd036eff6bd26ccc7f8 /security/selinux/include
parent	33cec19dc022369e02f860150e5dfe32708016dc (diff)