Re: [PATCH 1/4] ns: add bpf hooks

Next message: Joel Fernandes: "[PATCH RFC v1 3/4] rcutorture: Add NOCB01 config for RCU_LAZY torture testing"
Previous message: Ackerley Tng: "Re: [RFC PATCH v1 00/10] guest_memfd: Track amount of memory allocated on inode"
In reply to: Christian Brauner: "Re: [PATCH 1/4] ns: add bpf hooks"
Next in thread: Christian Brauner: "Re: [PATCH 1/4] ns: add bpf hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Song Liu

Date: Tue Feb 24 2026 - 18:08:50 EST

On Thu, Feb 19, 2026 at 4:38 PM Christian Brauner <brauner@xxxxxxxxxx> wrote:
[...]
> @@ -1,6 +1,7 @@
> // SPDX-License-Identifier: GPL-2.0-only
> /* Copyright (c) 2025 Christian Brauner <brauner@xxxxxxxxxx> */
>
> +#include <linux/bpf_lsm.h>
> #include <linux/ns_common.h>
> #include <linux/nstree.h>
> #include <linux/proc_ns.h>
> @@ -77,6 +78,7 @@ int __ns_common_init(struct ns_common *ns, u32 ns_type, const struct proc_ns_ope
> ret = proc_alloc_inum(&ns->inum);
> if (ret)
> return ret;
> +
> /*
> * Tree ref starts at 0. It's incremented when namespace enters
> * active use (installed in nsproxy) and decremented when all
> @@ -86,11 +88,16 @@ int __ns_common_init(struct ns_common *ns, u32 ns_type, const struct proc_ns_ope
> atomic_set(&ns->__ns_ref_active, 1);
> else
> atomic_set(&ns->__ns_ref_active, 0);
> - return 0;
> +
> + ret = bpf_lsm_namespace_alloc(ns);
> + if (ret && !inum)
> + proc_free_inum(ns->inum);
> + return ret;
> }

If we change the hook as

bpf_lsm_namespace_alloc(ns, inum);

We can move it to the beginning of __ns_common_init().
This change allows blocking __ns_common_init() before
it makes any changes to the ns. Is this a better approach?

Thanks,
Song

[...]