Re: [PATCH 1/4] ns: add bpf hooks
From: Christian Brauner
Date: Fri Feb 27 2026 - 05:29:28 EST
On Tue, Feb 24, 2026 at 03:04:43PM -0800, Song Liu wrote:
> On Thu, Feb 19, 2026 at 4:38 PM Christian Brauner <brauner@xxxxxxxxxx> wrote:
> [...]
> > @@ -1,6 +1,7 @@
> > // SPDX-License-Identifier: GPL-2.0-only
> > /* Copyright (c) 2025 Christian Brauner <brauner@xxxxxxxxxx> */
> >
> > +#include <linux/bpf_lsm.h>
> > #include <linux/ns_common.h>
> > #include <linux/nstree.h>
> > #include <linux/proc_ns.h>
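Review bot: the new `#include <linux/bpf_lsm.h>` is unconditional, so that header has to provide a no-op `bpf_lsm_namespace_alloc()` for builds without the BPF LSM, otherwise `__ns_common_init()` will not compile there; worth confirming, since the call site in the later hunk carries no `#ifdef` guard.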
> > @@ -77,6 +78,7 @@ int __ns_common_init(struct ns_common *ns, u32 ns_type, const struct proc_ns_ope
> > ret = proc_alloc_inum(&ns->inum);
> > if (ret)
> > return ret;
> > +
> > /*
> > * Tree ref starts at 0. It's incremented when namespace enters
> > * active use (installed in nsproxy) and decremented when all
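Review bot: this hunk only inserts a blank line between `return ret;` and the comment block that follows; a whitespace-only change is better kept out of a patch that adds a hook, or at least mentioned in the commit message, so the functional change stays easy to review.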
> > @@ -86,11 +88,16 @@ int __ns_common_init(struct ns_common *ns, u32 ns_type, const struct proc_ns_ope
> > atomic_set(&ns->__ns_ref_active, 1);
> > else
> > atomic_set(&ns->__ns_ref_active, 0);
> > - return 0;
> > +
> > + ret = bpf_lsm_namespace_alloc(ns);
> > + if (ret && !inum)
> > + proc_free_inum(ns->inum);
> > + return ret;
> > }
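Review bot: the error path after `bpf_lsm_namespace_alloc(ns)` frees the inode number but leaves `ns->inum` holding the freed value, so a caller that rolls back on the non-zero return and also reaches `proc_free_inum()` would free it twice; clear it after the free (`ns->inum = 0;`) or otherwise make the rollback symmetric with the allocation. The `!inum` guard presumably mirrors the condition under which `proc_alloc_inum(&ns->inum)` was called earlier in the function (not visible in this hunk) and deserves a one-line comment, as does the fact that the hook can now veto namespace creation where the function previously returned 0 unconditionally at this point.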
>
> If we change the hook as
>
> bpf_lsm_namespace_alloc(ns, inum);
>
> We can move it to the beginning of __ns_common_init().
> This change allows blocking __ns_common_init() before
> it makes any changes to the ns. Is this a better approach?
I don't think it matters tbh. We have no control over when exactly
__ns_common_init() is called. That's up to the containing namespace. We
can't rely on the namespace to have been correctly set up at this time.
My main goal was to have struct ns_common be fully initialized
already so that direct access to its fields already makes sense.
The containing namespace may already have to roll back a bunch of stuff
anyway.