Re: [PATCH 1/4] ns: add bpf hooks

From: Song Liu

Date: Tue Mar 03 2026 - 11:50:17 EST


On Mon, Mar 2, 2026 at 1:46 AM Christian Brauner <brauner@xxxxxxxxxx> wrote:
>
> On Fri, Feb 27, 2026 at 08:38:48AM -0800, Song Liu wrote:
> > On Fri, Feb 27, 2026 at 2:28 AM Christian Brauner <brauner@xxxxxxxxxx> wrote:
> > [...]
> > > >
> > > > If we change the hook as
> > > >
> > > > bpf_lsm_namespace_alloc(ns, inum);
> > > >
> > > > We can move it to the beginning of __ns_common_init().
> > > > This change allows blocking __ns_common_init() before
> > > > it makes any changes to the ns. Is this a better approach?
> > >
> > > I don't think it matters tbh. We have no control when exactly
> > > __ns_common_init() is called. That's up to the containing namespace. We
> > > can't rely on the namespace to have been correctly set up at this time.
> > > My main goal was to have struct ns_common be fully initialized
> > > already so that direct access to its fields already makes sense.
> >
> > Good point on having ns_common initialized. Besides inum, we
> > should also pass ns_type and ops into the hook.
>
> But why? The struct ns_common is already fully initialized when it is
> passed to bpf_lsm_namespace_alloc() including ops, inum, ns_type etc.

I meant if we pull bpf_lsm_namespace_alloc() to the beginning of
__ns_common_init(), we need ns_type etc. because ns_common
is not fully initialized. IOW, I agree with your earlier comment.

> >
> > OTOH, shall we have the hook before proc_alloc_inum()? With
> > this change, the hook can block the operation before it causes
> > any contention on proc_inum_ida. IOW, how about we have:
>
> I think that contention is meaningless and I'd rather have struct
> ns_common fully set up so that all fields can be accessed.

If contention is not a concern, which I believe you know better
than I do, I think this patch works fine. So

Acked-by: Song Liu <song@xxxxxxxxxx>

Thanks,
Song