Re: [PATCH v6 14/17] ima: Tie opened SecurityFS files to the IMA namespace it belongs to
From: Stefan Berger <stefanb@linux.ibm.com>
Date: 2021-12-11 22:34:01
Also in:
linux-integrity, lkml
On 12/11/21 06:00, Christian Brauner wrote:
On Fri, Dec 10, 2021 at 02:47:33PM -0500, Stefan Berger wrote:
Tie IMA's files in SecurityFS to the IMA namespace they belong to so that also file descriptors that were passed or inherited to other user/IMA namespaces will always access the data of the IMA namespace they originally belonged to. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> --- security/integrity/ima/ima_fs.c | 74 ++++++++++++++++++++++++----- security/integrity/ima/ima_policy.c | 4 +- 2 files changed, 63 insertions(+), 15 deletions(-)diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 0e582ceecc7f..a136d14f29ec 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c@@ -35,6 +35,20 @@ static int __init default_canonical_fmt_setup(char *str) } __setup("ima_canonical_fmt", default_canonical_fmt_setup); +static inline struct user_namespace *ima_user_ns_from_file(struct file *filp) +{ + return filp->f_path.mnt->mnt_sb->s_user_ns; +}

I'd probably rewrite this as:

static inline struct user_namespace *ima_user_ns_from_file(const struct file *filp)
{
	return file_inode(filp)->i_sb->s_user_ns;
}

as it spares you some pointer chasing and also looks cleaner.
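Review bot: the new ima_user_ns_from_file() helper in the ima_fs.c hunk reaches the owning user namespace through filp->f_path.mnt->mnt_sb->s_user_ns, i.e. via the vfsmount, even though the superblock is already reachable from the inode; file_inode(filp)->i_sb->s_user_ns yields the same s_user_ns with less pointer chasing, and since the helper only reads through filp its parameter should be declared const struct file *. The hunk adds the helper without showing any caller, so a one-line comment stating that the securityfs superblock's s_user_ns is what ties a passed or inherited descriptor back to its original IMA namespace (the behaviour the commit message promises) would make the intent verifiable in later hunks where get_current_ns() callers are switched over.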
Ok. This patch is being absorbed by all the functions currently using get_current_ns() and should access it via the file instead.

Stefan