The Linux Kernel Mailing List
 help / color / mirror / Atom feed
From: "Mickaël Salaün" <mic@digikod.net>
To: Paul Moore <paul@paul-moore.com>
Cc: "Christian Brauner" <brauner@kernel.org>,
	"Günther Noack" <gnoack@google.com>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	"Daniel Durning" <danieldurning.work@gmail.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Justin Suess" <utilityemal77@gmail.com>,
	"Lennart Poettering" <lennart@poettering.net>,
	"Mikhail Ivanov" <ivanov.mikhail1@huawei-partners.com>,
	"Nicolas Bouchinet" <nicolas.bouchinet@oss.cyber.gouv.fr>,
	"Shervin Oloumi" <enlightened@google.com>,
	"Tingmao Wang" <m@maowtm.org>,
	kernel-team@cloudflare.com, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH v2 1/9] security: add LSM blob and hooks for namespaces
Date: Thu, 9 Jul 2026 17:58:44 +0200	[thread overview]
Message-ID: <20260709.paitheut7Ief@digikod.net> (raw)
In-Reply-To: <CAHC9VhSVQ0MLwU=C90FmohAThwaQj-mfB7L03fvkB5A0-J2jCg@mail.gmail.com>

On Thu, Jul 09, 2026 at 09:03:58AM -0400, Paul Moore wrote:
> On Thu, Jul 9, 2026 at 5:12 AM Mickaël Salaün <mic@digikod.net> wrote:
> > On Wed, Jul 08, 2026 at 11:22:17PM -0400, Paul Moore wrote:
> > > On May 27, 2026 =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net> wrote:
> > > >
> > > > All namespace types now share the same ns_common infrastructure. Extend
> > > > this to include a security blob so LSMs can start managing namespaces
> > > > uniformly without having to add one-off hooks or security fields to
> > > > every individual namespace type.
> 
> ...
> 
> > > > @@ -91,7 +103,10 @@ int __ns_common_init(struct ns_common *ns, u32 ns_type, const struct proc_ns_ope
> > > >
> > > >  void __ns_common_free(struct ns_common *ns)
> > > >  {
> > > > -   proc_free_inum(ns->inum);
> > > > +   security_namespace_free(ns);
> > > > +
> > > > +   if (ns->inum > MNT_NS_INO_SPECIAL_MAX)
> > > > +           proc_free_inum(ns->inum);
> > >
> > > The ns->inum check in the if-conditional above isn't quite the same as
> > > the is_anon_ns() check it replaces in free_mnt_ns().  You touch on this
> > > a bit in the changelog, but that really should be explained in the
> > > commit description.
> > >
> > > ... or honestly, should that change be a separate patch?
> >
> > I think it's fine, but it's Christian's patch, so I'll let him answer
> > and propose a new commit description.
> 
> I don't have a strong opinion on either approach, either a separate
> patch or doc update, but one of the two needs to happen.

Noted, I'll follow on this with Christian.

> 
> > > > diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
> > > > index d9d3d5973bf5..0f1b208d8eef 100644
> > > > --- a/kernel/nsproxy.c
> > > > +++ b/kernel/nsproxy.c
> > > > @@ -385,6 +385,12 @@ static int prepare_nsset(unsigned flags, struct nsset *nsset)
> > > >
> > > >  static inline int validate_ns(struct nsset *nsset, struct ns_common *ns)
> > > >  {
> > > > +   int ret;
> > > > +
> > > > +   ret = security_namespace_install(nsset, ns);
> > > > +   if (ret)
> > > > +           return ret;
> > > > +
> > > >     return ns->ops->install(nsset, ns);
> > > >  }
> > >
> > > In the previous revision to the patchset I asked about a
> > > security_namespace_switch() hook as we don't know if a namespace is
> > > actually attached to a process until we get to switch_task_namespaces().
> > > Perhaps that was answered, but I don't recall reading any mail about that
> > > and I'm not able to uncover any responses on lore.
> >
> > From the cover letter:
> >
> >   no security_namespace_switch() post-hook is
> >   added in this series: such a hook would only serve LSMs that maintain
> >   per-task state derived from the active namespace set (SELinux-style
> >   state tracking), and no current LSM (including this series) needs that.
> >   Landlock enforces at namespace_install() and namespace_init(), before
> >   the task-to-nsproxy switch.  The hook is left for a separate LSM
> >   infrastructure proposal once a concrete user emerges.
> >
> > This follows the guidance of adding new hooks: there must be at least
> > one user.
> 
> I'm aware of the new hook guidance, I was the one who documented it :)

I know.  I guess that means you're ok with that?

> 
> In the future, it's both helpful and polite to reply to the email
> asking the question with your response.  Adding it to the cover letter
> is fine, but to be perfectly honest, once we get past v1 of a
> patchset, I don't often read the cover letter very closely unless
> there is a significant change.  However, I do look back at the
> previous posting to ensure all the feedback from everyone has been
> either answered or incorporated into the current revision.

I forgot to reply to your email, I didn't mean to be impolite, sorry for
the inconvenience.  It's useful to know that the cover letter is not
always part of your review process.

  reply	other threads:[~2026-07-09 16:05 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-27 18:11 [PATCH v2 0/9] Landlock: Namespace and capability control Mickaël Salaün
2026-05-27 18:11 ` [PATCH v2 1/9] security: add LSM blob and hooks for namespaces Mickaël Salaün
2026-06-05 15:06   ` Mickaël Salaün
2026-06-05 18:08     ` Paul Moore
2026-07-09  3:22   ` Paul Moore
2026-07-09  9:12     ` Mickaël Salaün
2026-07-09 13:03       ` Paul Moore
2026-07-09 15:58         ` Mickaël Salaün [this message]
2026-07-10  6:55           ` Christian Brauner
2026-07-10 20:42           ` Paul Moore
2026-05-27 18:11 ` [PATCH v2 2/9] security: Add LSM_AUDIT_DATA_NS for namespace audit records Mickaël Salaün
2026-05-27 18:11 ` [PATCH v2 3/9] landlock: Wrap per-layer access masks in struct layer_config Mickaël Salaün
2026-05-27 18:11 ` [PATCH v2 4/9] landlock: Enforce namespace use restrictions Mickaël Salaün
2026-05-27 18:11 ` [PATCH v2 5/9] landlock: Enforce capability restrictions Mickaël Salaün
2026-05-27 18:11 ` [PATCH v2 6/9] selftests/landlock: Add namespace restriction tests Mickaël Salaün
2026-05-27 18:11 ` [PATCH v2 7/9] selftests/landlock: Add capability " Mickaël Salaün
2026-05-27 18:11 ` [PATCH v2 8/9] samples/landlock: Add capability and namespace restriction support Mickaël Salaün
2026-05-27 18:11 ` [PATCH v2 9/9] landlock: Add documentation for capability and namespace restrictions Mickaël Salaün
2026-06-01  9:37   ` Günther Noack

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260709.paitheut7Ief@digikod.net \
    --to=mic@digikod.net \
    --cc=brauner@kernel.org \
    --cc=corbet@lwn.net \
    --cc=danieldurning.work@gmail.com \
    --cc=enlightened@google.com \
    --cc=gnoack@google.com \
    --cc=ivanov.mikhail1@huawei-partners.com \
    --cc=kernel-team@cloudflare.com \
    --cc=lennart@poettering.net \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=m@maowtm.org \
    --cc=nicolas.bouchinet@oss.cyber.gouv.fr \
    --cc=paul@paul-moore.com \
    --cc=serge@hallyn.com \
    --cc=utilityemal77@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox