Hello.

A few months ago we started a project dedicated to single IMA namespaces. In recent years there have been a number of patch sets about this problem, e.g. the last one was from Krzysztof Struczynski. But none of the patch sets was applied to the mainline. Also there is a document (thanks Mimi) that describes the main goal, architecture and design - “IMA Namespacing design considerations”.

As a result of investigations: Krzysztof’s patches were successfully adopted for Linux kernel v5.10.30 and tested; at least that allowed us to study the integrity and IMA source code a little bit. But that patch set does not match “...design considerations…”. Then we may take all patches as a base, use “Considerations…” as the architecture description and start to implement, but it is obvious that it does not make sense without the community (review, discussion, etc.).

In practice I suggest using the git branch next-namespacing-experimental for development purposes. Set this branch to kernel v5.10.30 (it could be different but … I used that, moreover v5.10.x is longterm). After that, I and others could start to send patches and discuss; it would be a normal development process. For example, it could finally help to decide how exactly a new IMA namespace should be spawned: by clone3() or by writing something to a sysfs file. In my opinion clone3() should be used.

This is the beginning. Without this we cannot move further. I have no intention to abandon this project. So let’s start.

Best regards,
Denis.