[PATCH v2 1/9] security: add LSM blob and hooks for namespaces
Christian Brauner
brauner at kernel.org
Fri Jul 10 06:55:21 UTC 2026
On 2026-07-09 17:58 +0200, Mickaël Salaün wrote:
> On Thu, Jul 09, 2026 at 09:03:58AM -0400, Paul Moore wrote:
> > On Thu, Jul 9, 2026 at 5:12 AM Mickaël Salaün <mic at digikod.net> wrote:
> > > On Wed, Jul 08, 2026 at 11:22:17PM -0400, Paul Moore wrote:
> > > > On May 27, 2026 =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic at digikod.net> wrote:
> > > > >
> > > > > All namespace types now share the same ns_common infrastructure. Extend
> > > > > this to include a security blob so LSMs can start managing namespaces
> > > > > uniformly without having to add one-off hooks or security fields to
> > > > > every individual namespace type.
> >
> > ...
> >
> > > > > @@ -91,7 +103,10 @@ int __ns_common_init(struct ns_common *ns, u32 ns_type, const struct proc_ns_ope
> > > > >
> > > > > void __ns_common_free(struct ns_common *ns)
> > > > > {
> > > > > - proc_free_inum(ns->inum);
> > > > > + security_namespace_free(ns);
> > > > > +
> > > > > + if (ns->inum > MNT_NS_INO_SPECIAL_MAX)
> > > > > + proc_free_inum(ns->inum);
> > > >
> > > > The ns->inum check in the if-conditional above isn't quite the same as
> > > > the is_anon_ns() check it replaces in free_mnt_ns(). You touch on this
> > > > a bit in the changelog, but that really should be explained in the
> > > > commit description.
> > > >
> > > > ... or honestly, should that change be a separate patch?
> > >
> > > I think it's fine, but it's Christian's patch, so I'll let him answer
> > > and propose a new commit description.
> >
> > I don't have a strong opinion on either approach, either a separate
> > patch or doc update, but one of the two needs to happen.
>
> Noted, I'll follow on this with Christian.
I think we should add this as a separate patch.
More information about the Linux-security-module-archive
mailing list