Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace
From: Christian Brauner <hidden>
Date: 2021-12-06 11:52:32
Also in:
linux-security-module, lkml
On Fri, Dec 03, 2021 at 07:33:39PM -0500, Stefan Berger wrote:
> On 12/3/21 14:11, Stefan Berger wrote:
> > On 12/3/21 13:50, James Bottomley wrote:
> > > > Where would the vfsmount pointer reside? For now it's in ima_namespace, but it sounds like it should be in a more centralized place? Should it also be connected to the user_namespace so we can pick it up using get_user_ns()?
> > >
> > > exactly. I think struct user_namespace should have two elements gated by a #ifdef CONFIG_SECURITYFS which are the vfsmount and the mount_count for passing into simple_pin_fs.
> >
> > Also that we can do for as long as it flies beyond the conversation here... :-) Anyone else have an opinion?
>
> I moved it now and this greatly reduced the amount of changes. The dentries are now all in the ima_namespace and it works with one API. Thanks!

Ideally you only have one entry in struct user_namespace for ima that encompasses all information needed; not multiple entries. Similar to what I did for binfmt_misc https://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux.git/commit/?h=fs.binfmt_misc&id=eb50eb90a694e05f6fd6533951a56ca3ed040761 if that works.