[PATCH v2 1/9] security: add LSM blob and hooks for namespaces
Mickaël Salaün
mic at digikod.net
Thu Jul 9 15:58:44 UTC 2026
On Thu, Jul 09, 2026 at 09:03:58AM -0400, Paul Moore wrote:
> On Thu, Jul 9, 2026 at 5:12 AM Mickaël Salaün <mic at digikod.net> wrote:
> > On Wed, Jul 08, 2026 at 11:22:17PM -0400, Paul Moore wrote:
> > > On May 27, 2026 =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic at digikod.net> wrote:
> > > >
> > > > All namespace types now share the same ns_common infrastructure. Extend
> > > > this to include a security blob so LSMs can start managing namespaces
> > > > uniformly without having to add one-off hooks or security fields to
> > > > every individual namespace type.
>
> ...
>
> > > > @@ -91,7 +103,10 @@ int __ns_common_init(struct ns_common *ns, u32 ns_type, const struct proc_ns_ope
> > > >
> > > > void __ns_common_free(struct ns_common *ns)
> > > > {
> > > > - proc_free_inum(ns->inum);
> > > > + security_namespace_free(ns);
> > > > +
> > > > + if (ns->inum > MNT_NS_INO_SPECIAL_MAX)
> > > > + proc_free_inum(ns->inum);
> > >
> > > The ns->inum check in the if-conditional above isn't quite the same as
> > > the is_anon_ns() check it replaces in free_mnt_ns(). You touch on this
> > > a bit in the changelog, but that really should be explained in the
> > > commit description.
> > >
> > > ... or honestly, should that change be a separate patch?
> >
> > I think it's fine, but it's Christian's patch, so I'll let him answer
> > and propose a new commit description.
>
> I don't have a strong opinion on either approach, either a separate
> patch or doc update, but one of the two needs to happen.
Noted, I'll follow on this with Christian.
>
> > > > diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
> > > > index d9d3d5973bf5..0f1b208d8eef 100644
> > > > --- a/kernel/nsproxy.c
> > > > +++ b/kernel/nsproxy.c
> > > > @@ -385,6 +385,12 @@ static int prepare_nsset(unsigned flags, struct nsset *nsset)
> > > >
> > > > static inline int validate_ns(struct nsset *nsset, struct ns_common *ns)
> > > > {
> > > > + int ret;
> > > > +
> > > > + ret = security_namespace_install(nsset, ns);
> > > > + if (ret)
> > > > + return ret;
> > > > +
> > > > return ns->ops->install(nsset, ns);
> > > > }
> > >
> > > In the previous revision to the patchset I asked about a
> > > security_namespace_switch() hook as we don't know if a namespace is
> > > actually attached to a process until we get to switch_task_namespaces().
> > > Perhaps that was answered, but I don't recall reading any mail about that
> > > and I'm not able to uncover any responses on lore.
> >
> > From the cover letter:
> >
> > no security_namespace_switch() post-hook is
> > added in this series: such a hook would only serve LSMs that maintain
> > per-task state derived from the active namespace set (SELinux-style
> > state tracking), and no current LSM (including this series) needs that.
> > Landlock enforces at namespace_install() and namespace_init(), before
> > the task-to-nsproxy switch. The hook is left for a separate LSM
> > infrastructure proposal once a concrete user emerges.
> >
> > This follows the guidance of adding new hooks: there must be at least
> > one user.
>
> I'm aware of the new hook guidance, I was the one who documented it :)
I know. I guess that means you're ok with that?
>
> In the future, it's both helpful and polite to reply to the email
> asking the question with your response. Adding it to the cover letter
> is fine, but to be perfectly honest, once we get past v1 of a
> patchset, I don't often read the cover letter very closely unless
> there is a significant change. However, I do look back at the
> previous posting to ensure all the feedback from everyone has been
> either answered or incorporated into the current revision.
I forgot to reply to your email, I didn't mean to be impolite, sorry for
the inconvenience. It's useful to know that the cover letter is not
always part of your review process.
More information about the Linux-security-module-archive
mailing list