On Tue, Jan 25, 2022 at 05:46:33PM -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb@xxxxxxxxxxxxx>
>
> Move the ima_lsm_policy_notifier into the ima_namespace. Each IMA
> namespace can now register its own LSM policy change notifier callback.
> The policy change notifier for the init_ima_ns still remains in init_ima()
> and therefore handle the registration of the callback for all other
> namespaces in init_ima_namespace().
>
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> ---

I'd double-check that this cannot be used to cause RCU stalls when a lot of IMA namespaces with a lot of rules are used, leading to a DoS situation during an LSM policy update. The good thing at least is that an LSM policy update can only be triggered for SELinux for the whole system.