[PATCH 07/34] capability: handle idmapped mounts
Christian Brauner
christian.brauner at ubuntu.com
Mon Nov 2 13:23:38 UTC 2020
On Sun, Nov 01, 2020 at 02:48:09PM +0000, Christoph Hellwig wrote:
> > /**
> > * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped
> > * @inode: The inode in question
> > @@ -501,9 +513,7 @@ bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *
> > */
> > bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
> > {
> > + return capable_wrt_mapped_inode_uidgid(&init_user_ns, inode, cap);
> > }
> > EXPORT_SYMBOL(capable_wrt_inode_uidgid);
>
> Please avoid these silly wrappers and just switch all callers to pass
> the namespaces instead of creating boilerplate code. Same for the other
> functions where you do this even even worse the method calls.
Christoph,
Thanks for the review!
Ok, so I'll switch:
- all helpers to take an additional argument
(capable_wrt_inode_uidgid()/inode_permission()/vfs_*() etc.)
- all inode method calls to take an additional argument (I assume that's
what you're referring to: ->create()/->mknod()/->mkdir() etc.)
I've always assumed that this is what we'd be doing in the end anyway
(I've mentioned it in the commit message for the inode_operations
method's. This will be a bit of work but we can get that done!)
More information about the Linux-security-module-archive
mailing list