Re: [PATCH 1/4] ns: add bpf hooks

Next message: Dan Carpenter: "Re: [PATCH v2] staging: rtl8723bs: replace msleep() with fsleep() in rtw_cmd.c"
Previous message: Brian Masney: "Re: [PATCH 01/13] clk: add new flag CLK_ROUNDING_FW_MANAGED"
In reply to: Christian Brauner: "Re: [PATCH 1/4] ns: add bpf hooks"
Next in thread: Christian Brauner: "Re: [PATCH 1/4] ns: add bpf hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Song Liu

Date: Fri Feb 27 2026 - 11:40:09 EST

On Fri, Feb 27, 2026 at 2:28 AM Christian Brauner <brauner@xxxxxxxxxx> wrote:
[...]
> >
> > If we change the hook as
> >
> > bpf_lsm_namespace_alloc(ns, inum);
> >
> > We can move it to the beginning of __ns_common_init().
> > This change allows blocking __ns_common_init() before
> > it makes any changes to the ns. Is this a better approach?
>
> I don't think it matters tbh. We have no control when exactly
> __ns_common_init() is called. That's up to the containing namespace. We
> can't rely on the namespace to have been correctly set up at this time.
> My main goal was to have struct ns_common to be fully initialized
> already so that direct access to it's field already makes sense.

Good point on having ns_common initialized. Besides inum, we
should also pass ns_type and ops into the hook.

OTOH, shall we have the hook before proc_alloc_inum()? With
this change, the hook can block the operation before it causes
any contention on proc_inum_ida. IOW, how about we have:

@@ -71,6 +71,10 @@ int __ns_common_init(struct ns_common *ns, u32
ns_type, const struct proc_ns_ope
ns_debug(ns, ops);
#endif

+ ret = bpf_lsm_namespace_alloc(ns, inum);
+ if (ret)
+ return ret;
+
if (inum)
ns->inum = inum;
else

With this change, ns is already initialized, except the inum.

WDYT?

Thanks,
Song

> The containing namespace my already have to rollback a bunch of stuff
> anyway.