1. namespace securityfs
This patch is thematically standalone and should move to the
beginning of the series.
I would strongly recommend to fold patch 9 and 10 into a single patch
and add a lengthy explanation. You should be able to recycle a lot of
stuff I wrote in earlier reviews.
2. Introduce struct ima_namespace and pass it through to all callers:
- introduce struct ima_namespace
- move all the relevant things into this structure (this also avoids
the "avoid_zero_size" hack).
- define, setup, and expose init_ima_ns
- introduce get_current_ns() and always have it return &init_ima_ns for now
- replace all accesses to global variables to go through &init_ima_ns
- add new infrastructure you'll need later on
Bonus is that you can extend all the functions that later need access
to a specific ima namespace to take a struct ima_namespace * argument
and pass down &init_ima_ns down (retrieved via get_current_ns()). This
will make the actual namespace patch very easy to follow.
3. namespace ima
- add a new entry for struct ima_namespace to struct user_namespace
- add creation helpers, kmem cache etc.
- create files in securityfs per ns
This way at all points in the series we have clearly defined semantics
where ima namespacing is either fully working or fully not working and
the switch is atomic in the patch(es) part of 3.

Atomic over multiple patches? So introducing CONFIG_IMA_NS that doesn't do anything for several patches is still considered 'atomic' then?
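The refactoring plan in items 2 and 3 above, as an added userspace sketch in C. This is not code from the patch series or from the kernel: struct ima_namespace's fields (policy_flag, measurement_count, securityfs_dir), the IMA_POLICY_* bits and the ima_ns_* helpers are assumed for the illustration, and malloc stands in for a kmem cache. What it shows is the shape the series ends up in: former globals live in init_ima_ns, every caller takes a struct ima_namespace * obtained from get_current_ns(), and the later namespacing patch only has to change what get_current_ns() returns.

```c
/* Userspace sketch of the refactoring plan: globals move into
 * struct ima_namespace, a static init_ima_ns replaces them, callers
 * obtain the namespace via get_current_ns() and pass it down.
 * Field names, flag bits and helpers are assumed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IMA_POLICY_MEASURE  0x1
#define IMA_POLICY_APPRAISE 0x2

struct ima_namespace {
	unsigned long policy_flag;       /* formerly a global flag word */
	unsigned long measurement_count; /* formerly a global counter */
	char securityfs_dir[32];         /* per-ns securityfs directory name */
};

/* The single statically initialized instance that replaces the globals. */
static struct ima_namespace init_ima_ns = {
	.policy_flag = IMA_POLICY_MEASURE,
	.measurement_count = 0,
	.securityfs_dir = "ima",
};

/* Item 2 of the plan: always the init namespace for now. The real
 * namespacing patch later changes only this function's body. */
static struct ima_namespace *get_current_ns(void)
{
	return &init_ima_ns;
}

/* Former global accessors become namespace-aware. */
static int ima_ns_policy_allows(struct ima_namespace *ns, unsigned long action)
{
	return (ns->policy_flag & action) != 0;
}

static unsigned long ima_ns_add_measurement(struct ima_namespace *ns)
{
	return ++ns->measurement_count;
}

/* Item 3 of the plan: a creation helper for a child namespace. In the
 * kernel this would come from a kmem cache and hang off
 * struct user_namespace; here plain calloc stands in. */
static struct ima_namespace *ima_ns_create(const char *dirname,
					   unsigned long policy_flag)
{
	struct ima_namespace *ns = calloc(1, sizeof(*ns));

	if (!ns)
		return NULL;
	ns->policy_flag = policy_flag;
	snprintf(ns->securityfs_dir, sizeof(ns->securityfs_dir), "%s", dirname);
	return ns;
}

static void ima_ns_free(struct ima_namespace *ns)
{
	if (ns != &init_ima_ns)
		free(ns);
}

/* A call site rewritten for the plan: it fetches the current namespace
 * once and passes it down, so nothing below it reads a global. Returns
 * the new measurement count, or 0 if the policy does not ask to measure. */
static unsigned long ima_measure_file(const char *path)
{
	struct ima_namespace *ns = get_current_ns();

	if (!ima_ns_policy_allows(ns, IMA_POLICY_MEASURE))
		return 0;
	printf("measured %s in ns dir %s\n", path, ns->securityfs_dir);
	return ima_ns_add_measurement(ns);
}

int main(void)
{
	struct ima_namespace *child;

	ima_measure_file("/bin/true");
	ima_measure_file("/bin/false");
	printf("init_ima_ns count: %lu\n", init_ima_ns.measurement_count);

	child = ima_ns_create("ima-child", IMA_POLICY_APPRAISE);
	if (!child)
		return 1;
	printf("child allows measure: %d\n",
	       ima_ns_policy_allows(child, IMA_POLICY_MEASURE));
	ima_ns_free(child);
	return 0;
}
```

The point of the layout is that ima_measure_file() and everything under it never touch a global, so once get_current_ns() resolves a namespace from the task's user namespace instead of returning &init_ima_ns, the rest of the code is already correct.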