On Fri, Dec 03, 2021 at 07:33:39PM -0500, Stefan Berger wrote:
>
> On 12/3/21 14:11, Stefan Berger wrote:
> >
> > On 12/3/21 13:50, James Bottomley wrote:
> > >
> > > >
> > > > Where would the vfsmount pointer reside? For now it's in
> > > > ima_namespace, but it sounds like it should be in a more centralized
> > > > place? Should it also be connected to the user_namespace so we can
> > > > pick it up using get_user_ns()?
> > > exactly. I think struct user_namespace should have two elements gated
> > > by a #ifdef CONFIG_SECURITYFS which are the vfsmount and the
> > > mount_count for passing into simple_pin_fs.
> >
> > Also that we can do for as long as it flies beyond the conversation
> > here... :-) Anyone else have an opinion?
>
> I moved it now and this greatly reduced the amount of changes. The dentries
> are now all in the ima_namespace and it works with one API.

Thanks!

Ideally you only have one entry in struct user_namespace for ima that
encompasses all information needed; not multiple entries. Similar to what I
did for binfmt_misc
https://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux.git/commit/?h=fs.binfmt_misc&id=eb50eb90a694e05f6fd6533951a56ca3ed040761
if that works.
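The thread above is about where the per-namespace securityfs vfsmount and its pin count should live, and about keeping them as one aggregated entry rather than two loose fields. The following is an added user-space model, not code from the thread or from the kernel: it imitates the pin/release pattern of the kernel's simple_pin_fs() and simple_release_fs() (mount on the first pin, bump a count on later pins, unmount when the last pin is released) with the mount pointer and count grouped into a single struct. The names mock_user_ns, securityfs_pin, pin_securityfs and release_securityfs are hypothetical, and the mount itself is a constructed stand-in; the real kernel helpers return errno-style codes and take a struct file_system_type.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the kernel's struct vfsmount (constructed for this model). */
struct mock_vfsmount {
    const char *fs_name;
};

/* One aggregated entry, the shape the thread suggests for
 * struct user_namespace: the pinned mount and its pin count travel
 * together instead of as two separate fields. Hypothetical name. */
struct securityfs_pin {
    struct mock_vfsmount *mnt;   /* NULL while nothing is mounted */
    int mount_count;             /* number of outstanding pins */
};

/* Stand-in for the owning user namespace. In the kernel this member
 * would sit behind #ifdef CONFIG_SECURITYFS. */
struct mock_user_ns {
    struct securityfs_pin securityfs;
};

/* Mock of the mount step: allocates a vfsmount record for fs_name. */
static struct mock_vfsmount *mock_kern_mount(const char *fs_name)
{
    struct mock_vfsmount *m = malloc(sizeof(*m));
    if (!m)
        return NULL;
    m->fs_name = fs_name;
    return m;
}

/* Mirrors simple_pin_fs(): mount on the first pin, otherwise only
 * increment the count. Returns 0 on success, -1 if the mount failed. */
int pin_securityfs(struct securityfs_pin *p)
{
    if (p->mount_count == 0) {
        p->mnt = mock_kern_mount("securityfs");
        if (!p->mnt)
            return -1;
    }
    p->mount_count++;
    return 0;
}

/* Mirrors simple_release_fs(): drop one pin and unmount when the last
 * pin goes away. An unbalanced release is ignored rather than underflowing. */
void release_securityfs(struct securityfs_pin *p)
{
    if (p->mount_count == 0)
        return;
    if (--p->mount_count == 0) {
        free(p->mnt);
        p->mnt = NULL;
    }
}

/* Two consumers (think: two dentry creators in the same namespace) pin the
 * same entry, then release in turn. Returns 0 when every intermediate state
 * is as expected, otherwise the number of the first failed step. */
int demo_pin_cycle(void)
{
    struct mock_user_ns ns;
    memset(&ns, 0, sizeof(ns));

    if (pin_securityfs(&ns.securityfs) != 0 || ns.securityfs.mount_count != 1)
        return 1;                              /* first pin mounts */
    struct mock_vfsmount *first = ns.securityfs.mnt;
    if (pin_securityfs(&ns.securityfs) != 0 || ns.securityfs.mount_count != 2)
        return 2;                              /* second pin only counts */
    if (ns.securityfs.mnt != first)
        return 3;                              /* same mount is reused */
    release_securityfs(&ns.securityfs);
    if (ns.securityfs.mount_count != 1 || ns.securityfs.mnt == NULL)
        return 4;                              /* still mounted with one pin */
    release_securityfs(&ns.securityfs);
    if (ns.securityfs.mount_count != 0 || ns.securityfs.mnt != NULL)
        return 5;                              /* last release unmounts */
    release_securityfs(&ns.securityfs);
    if (ns.securityfs.mount_count != 0)
        return 6;                              /* extra release is harmless */
    return 0;
}

int main(void)
{
    printf("pin cycle result: %d\n", demo_pin_cycle());
    return 0;
}
```

The point of grouping the pointer and the count in one struct is that a single reference (here ns.securityfs) is all that callers need to hand to the pin and release helpers, which is what makes "one entry, one API" possible.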