diff --git a/gradm.l b/gradm.l index 324c992..ce0c3c6 100644 --- a/gradm.l +++ b/gradm.l @@ -122,7 +122,7 @@ IP [0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3} gradmerror("invalid pathname error"); return SUBJ_NAME; } -[TKCAOtolhpkvdbriasx]+ { +[TKCAONtolhpkvdbriasx]+ { gradmlval.num = proc_subject_mode_conv(yytext); return SUBJ_MODE; } diff --git a/gradm_defs.h b/gradm_defs.h index ddd9c2b..1b5d19f 100644 --- a/gradm_defs.h +++ b/gradm_defs.h @@ -227,7 +227,8 @@ enum { GR_KERNELAUTH = 0x00020000, GR_ATSECURE = 0x00040000, GR_SHMEXEC = 0x00080000, - GR_GLOBANCHOR = 0x00100000 + GR_CREATEMNTNS = 0x00100000, + GR_GLOBANCHOR = 0x00200000 }; enum { diff --git a/gradm_human.c b/gradm_human.c index 39d843d..49b70b3 100644 --- a/gradm_human.c +++ b/gradm_human.c @@ -70,7 +70,8 @@ static struct subj_mode_name_table { GR_POVERRIDE, 't'}, { GR_KERNELAUTH, 'a'}, { GR_ATSECURE, 's'}, { - GR_SHMEXEC, 'x'} + GR_SHMEXEC, 'x'}, { + GR_CREATEMNTNS, 'N'} }; void diff --git a/gradm_parse.c b/gradm_parse.c index aa8a053..5a11164 100644 --- a/gradm_parse.c +++ b/gradm_parse.c @@ -875,6 +875,9 @@ proc_subject_mode_conv(const char *mode) case 'O': retmode |= GR_IGNORE; break; + case 'N': + retmode |= GR_CREATEMNTNS; + break; case 'o': retmode |= GR_OVERRIDE; break; diff --git a/policy b/policy index 8651f64..97ff36e 100644 --- a/policy +++ b/policy @@ -105,6 +105,13 @@ # (enables the same environment sanitization that occurs in glibc # upon execution of a suid binary) # x -> allows executable anonymous shared memory for this subject +# N -> allows this process to create mount namespaces (like LXC) +# processes within the mnt namespace will keep this subject, but will +# have full access over their mnt namespace. Since the subject is +# kept, capability/resource/socket policies will apply to any processes +# started via this subject +# This is a stop-gap measure in lieu of "proper" support for mnt namespaces +# (whatever that may be) # # user/group transitions: # You may now specify what users and groups a given subject can