[PATCH v6 16/40] open: handle idmapped mounts

James Morris jmorris at namei.org
Fri Jan 22 04:14:30 UTC 2021

On Thu, 21 Jan 2021, Christian Brauner wrote:

> For core file operations such as changing directories or chrooting,
> determining file access, changing mode or ownership the vfs will verify
> that the caller is privileged over the inode. Extend the various helpers
> to handle idmapped mounts. If the inode is accessed through an idmapped
> mount map it into the mount's user namespace. Afterwards the permissions
> checks are identical to non-idmapped mounts. When changing file
> ownership we need to map the uid and gid from the mount's user
> namespace. If the initial user namespace is passed nothing changes so
> non-idmapped mounts will see identical behavior as before.
> Link: https://lore.kernel.org/r/20210112220124.837960-24-christian.brauner@ubuntu.com
> Cc: Christoph Hellwig <hch at lst.de>
> Cc: David Howells <dhowells at redhat.com>
> Cc: Al Viro <viro at zeniv.linux.org.uk>
> Cc: linux-fsdevel at vger.kernel.org
> Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>

Reviewed-by: James Morris <jamorris at linux.microsoft.com>

James Morris
<jmorris at namei.org>

More information about the Linux-security-module-archive mailing list