From: Christian Brauner <brauner@kernel.org>
To: Song Liu <song@kernel.org>
Cc: Alexei Starovoitov <ast@kernel.org>,
	 Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	 Martin KaFai Lau <martin.lau@linux.dev>,
	Tejun Heo <tj@kernel.org>, KP Singh <kpsingh@kernel.org>,
	 bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
	cgroups@vger.kernel.org,
	 Lennart Poettering <lennart@poettering.net>
Subject: Re: [PATCH 1/4] ns: add bpf hooks
Date: Fri, 27 Feb 2026 11:28:44 +0100
Message-ID: <20260227-nullnummer-eisdiele-08db4c8fe99e@brauner>
In-Reply-To: <CAPhsuW63sEvK50ELaxo4LxjCS-2RdfxDzuMYhW59PDUHfF0-iQ@mail.gmail.com>

On Tue, Feb 24, 2026 at 03:04:43PM -0800, Song Liu wrote:
> On Thu, Feb 19, 2026 at 4:38 PM Christian Brauner <brauner@kernel.org> wrote:
> [...]
> > @@ -1,6 +1,7 @@
> >  // SPDX-License-Identifier: GPL-2.0-only
> >  /* Copyright (c) 2025 Christian Brauner <brauner@kernel.org> */
> >
> > +#include <linux/bpf_lsm.h>
> >  #include <linux/ns_common.h>
> >  #include <linux/nstree.h>
> >  #include <linux/proc_ns.h>
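Review bot: the new `#include <linux/bpf_lsm.h>` makes core namespace code depend on the BPF LSM header unconditionally, and the `bpf_lsm_namespace_alloc()` call added to __ns_common_init() further down is not wrapped in any ifdef; confirm that header provides a static inline stub returning 0 for that function when CONFIG_BPF_LSM is disabled, otherwise the call will fail to link in non-LSM builds.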
> > @@ -77,6 +78,7 @@ int __ns_common_init(struct ns_common *ns, u32 ns_type, const struct proc_ns_ope
> >                 ret = proc_alloc_inum(&ns->inum);
> >         if (ret)
> >                 return ret;
> > +
> >         /*
> >          * Tree ref starts at 0. It's incremented when namespace enters
> >          * active use (installed in nsproxy) and decremented when all
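Review bot: this hunk is a whitespace-only change (a blank line inserted after the `if (ret) return ret;` error return) with no functional content; fold it into the hunk that adds the hook call or drop it to keep the diff minimal.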
> > @@ -86,11 +88,16 @@ int __ns_common_init(struct ns_common *ns, u32 ns_type, const struct proc_ns_ope
> >                 atomic_set(&ns->__ns_ref_active, 1);
> >         else
> >                 atomic_set(&ns->__ns_ref_active, 0);
> > -       return 0;
> > +
> > +       ret = bpf_lsm_namespace_alloc(ns);
> > +       if (ret && !inum)
> > +               proc_free_inum(ns->inum);
> > +       return ret;
> >  }
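Review bot: the error path after `ret = bpf_lsm_namespace_alloc(ns);` only undoes the inode number (`if (ret && !inum) proc_free_inum(ns->inum);`), yet by this point `__ns_ref_active` has already been set to 1 or 0 and everything else __ns_common_init() initialised before the hook is left in place, so a namespace rejected by the hook is handed back to the caller partially initialised. Either state in a comment that callers must treat any non-zero return as "ns not initialised" and roll back on their side, or clear the fields this function set before returning `ret`. Placing the hook last does mean a BPF program observes a fully initialised `struct ns_common`, which is the trade-off against hooking at the top of the function discussed in this thread.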
> 
> If we change the hook to
> 
>    bpf_lsm_namespace_alloc(ns, inum);
> 
> we can move it to the beginning of __ns_common_init().
> This change allows blocking __ns_common_init() before
> it makes any changes to the ns. Is this a better approach?

I don't think it matters tbh. We have no control over when exactly
__ns_common_init() is called. That's up to the containing namespace. We
can't rely on the namespace having been correctly set up at this time.
My main goal was to have struct ns_common fully initialized
already so that direct access to its fields already makes sense.

The containing namespace may already have to roll back a bunch of stuff
anyway.
