From: Christian Brauner <brauner@kernel.org>
To: Song Liu <song@kernel.org>
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Tejun Heo <tj@kernel.org>, KP Singh <kpsingh@kernel.org>,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
cgroups@vger.kernel.org,
Lennart Poettering <lennart@poettering.net>
Subject: Re: [PATCH 1/4] ns: add bpf hooks
Date: Fri, 27 Feb 2026 11:28:44 +0100 [thread overview]
Message-ID: <20260227-nullnummer-eisdiele-08db4c8fe99e@brauner> (raw)
In-Reply-To: <CAPhsuW63sEvK50ELaxo4LxjCS-2RdfxDzuMYhW59PDUHfF0-iQ@mail.gmail.com>
On Tue, Feb 24, 2026 at 03:04:43PM -0800, Song Liu wrote:
> On Thu, Feb 19, 2026 at 4:38 PM Christian Brauner <brauner@kernel.org> wrote:
> [...]
> > @@ -1,6 +1,7 @@
> > // SPDX-License-Identifier: GPL-2.0-only
> > /* Copyright (c) 2025 Christian Brauner <brauner@kernel.org> */
> >
> > +#include <linux/bpf_lsm.h>
> > #include <linux/ns_common.h>
> > #include <linux/nstree.h>
> > #include <linux/proc_ns.h>
> > @@ -77,6 +78,7 @@ int __ns_common_init(struct ns_common *ns, u32 ns_type, const struct proc_ns_ope
> > ret = proc_alloc_inum(&ns->inum);
> > if (ret)
> > return ret;
> > +
> > /*
> > * Tree ref starts at 0. It's incremented when namespace enters
> > * active use (installed in nsproxy) and decremented when all
> > @@ -86,11 +88,16 @@ int __ns_common_init(struct ns_common *ns, u32 ns_type, const struct proc_ns_ope
> > atomic_set(&ns->__ns_ref_active, 1);
> > else
> > atomic_set(&ns->__ns_ref_active, 0);
> > - return 0;
> > +
> > + ret = bpf_lsm_namespace_alloc(ns);
> > + if (ret && !inum)
> > + proc_free_inum(ns->inum);
> > + return ret;
> > }
>
> If we change the hook as
>
> bpf_lsm_namespace_alloc(ns, inum);
>
> We can move it to the beginning of __ns_common_init().
> This change allows blocking __ns_common_init() before
> it makes any changes to the ns. Is this a better approach?
I don't think it matters tbh. We have no control when exactly
__ns_common_init() is called. That's up to the containing namespace. We
can't rely on the namespace to have been correctly set up at this time.
My main goal was to have struct ns_common to be fully initialized
already so that direct access to it's field already makes sense.
The containing namespace my already have to rollback a bunch of stuff
anyway.
next prev parent reply other threads:[~2026-02-27 10:28 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-20 0:38 [PATCH 0/4] bpf: add a few hooks for sandboxing Christian Brauner
2026-02-20 0:38 ` [PATCH 1/4] ns: add bpf hooks Christian Brauner
2026-02-23 10:36 ` Matt Bobrowski
2026-02-23 11:12 ` Christian Brauner
2026-02-24 0:15 ` Matt Bobrowski
2026-02-23 12:44 ` Djalal Harouni
2026-02-27 11:04 ` Christian Brauner
2026-02-24 1:16 ` Matt Bobrowski
2026-02-27 10:33 ` Christian Brauner
2026-03-24 5:10 ` Matt Bobrowski
2026-02-24 13:35 ` Matt Bobrowski
2026-02-27 14:33 ` Christian Brauner
2026-03-24 5:27 ` Matt Bobrowski
2026-02-24 23:04 ` Song Liu
2026-02-27 10:28 ` Christian Brauner [this message]
2026-02-27 16:38 ` Song Liu
2026-03-02 9:46 ` Christian Brauner
2026-03-03 16:44 ` Song Liu
2026-02-20 0:38 ` [PATCH 2/4] cgroup: add bpf hook for attach Christian Brauner
2026-02-20 15:16 ` Tejun Heo
2026-02-21 17:57 ` Christian Brauner
2026-02-23 15:47 ` Michal Koutný
2026-02-27 13:44 ` Christian Brauner
2026-03-09 16:45 ` Michal Koutný
2026-02-20 0:38 ` [PATCH 3/4] selftests/bpf: add ns hook selftest Christian Brauner
2026-03-05 17:36 ` Alan Maguire
2026-02-20 0:38 ` [PATCH 4/4] selftests/bpf: add cgroup attach selftests Christian Brauner
2026-03-05 17:43 ` Alan Maguire
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260227-nullnummer-eisdiele-08db4c8fe99e@brauner \
--to=brauner@kernel.org \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=cgroups@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kpsingh@kernel.org \
--cc=lennart@poettering.net \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=song@kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.