On Thu, 21 Jan 2021, Christian Brauner wrote: > When executing a setuid binary the kernel will verify in bprm_fill_uid() > that the inode has a mapping in the caller's user namespace before > setting the callers uid and gid. Let bprm_fill_uid() handle idmapped > mounts. If the inode is accessed through an idmapped mount it is mapped > according to the mount's user namespace. Afterwards the checks are > identical to non-idmapped mounts. If the initial user namespace is > passed nothing changes so non-idmapped mounts will see identical > behavior as before. > > Link: https://lore.kernel.org/r/20210112220124.837960-32-christian.brauner@xxxxxxxxxx > Cc: Christoph Hellwig <hch@xxxxxx> > Cc: David Howells <dhowells@xxxxxxxxxx> > Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx> > Cc: linux-fsdevel@xxxxxxxxxxxxxxx > Reviewed-by: Christoph Hellwig <hch@xxxxxx> > Signed-off-by: Christian Brauner <christian.brauner@xxxxxxxxxx> Reviewed-by: James Morris <jamorris@xxxxxxxxxxxxxxxxxxx> -- James Morris <jmorris@xxxxxxxxx>
