
[RFC,42/44] selinux: exempt creation of init SELinux namespace from limits

Message ID 20250102164509.25606-43-stephen.smalley.work@gmail.com (mailing list archive)
State New
Delegated to: Paul Moore
Series SELinux namespace support

Commit Message

Stephen Smalley Jan. 2, 2025, 4:45 p.m. UTC
Exempt the creation of the init SELinux namespace from the
maxns limit. It was already exempted from the maxnsdepth
limit by virtue of only applying that check when there
is a parent namespace. Otherwise, if one were to set
CONFIG_SECURITY_SELINUX_MAXNS to 0, the creation of the
init SELinux namespace would fail.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 security/selinux/hooks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5ce0e2afd84f..8c0e44effdbc 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7635,7 +7635,7 @@  int selinux_state_create(const struct cred *cred)
 	struct selinux_state *newstate;
 	int rc;
 
-	if (atomic_read(&selinux_nsnum) >= selinux_maxns)
+	if (parent && atomic_read(&selinux_nsnum) >= selinux_maxns)
 		return -ENOSPC;
 
 	if (parent && parent->depth >= selinux_maxnsdepth)
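Review bot: after this change both limit checks in selinux_state_create() start with the same `parent &&` guard, so the init-namespace exemption is now spread across two conditions and only explained in the commit log; consider folding them into a single `if (parent) { ... }` block with a one-line comment stating that the init namespace is deliberately exempt from both selinux_maxns and selinux_maxnsdepth, so a later reader does not "fix" one check without the other. Also worth noting that the count limit is a plain `atomic_read(&selinux_nsnum) >= selinux_maxns` snapshot taken before the new state exists; if the counter is incremented only after this point, concurrent creations can each pass the test and briefly exceed selinux_maxns, which is acceptable for a soft limit but deserves a comment since the value is documented as a hard cap.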