Let uid 0 in a child namespace whose creator owns a file, access that file. This of course means that user hallyn (if he is allowed to remount / for his userns, i.e. through capset cap_sys_admin=ep usernsremount can create files owned by root. So this is only so we can play. This code will be removed in favor of code doing "the right thing" using extended attributes. Then, when the above user creates a file, the inode->iuid will be set to 500 (hallyn), and an xattr named fs.userns=(<nsid>,0) will store the fact that in the given nsid (might be 1 for instance) uid 0 owns the file. Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx> --- lib/fsuserns.c | 9 +++++++++ 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/lib/fsuserns.c b/lib/fsuserns.c index 0a9f52d..c237d1d 100644 --- a/lib/fsuserns.c +++ b/lib/fsuserns.c @@ -185,6 +185,15 @@ int fsuserns_convert_uid_gid(struct user_namespace *ns, struct inode *inode, convert: mutex_unlock(&fsuserns_table_mutex); + /* The following is BAD CODE. IT's for testing only */ + if (current->uid == 0) { + if (inode->i_uid == ns->creator->uid) { + *retuid = 0; + *retgid = 0; + return 1; + } + } + /* * ok now we would look through the xattrs for the * inode to find a stored uid in this namespace. -- 1.5.4.3 _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
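Review bot: the early return inserted after `mutex_unlock(&fsuserns_table_mutex);` in `fsuserns_convert_uid_gid()` maps any caller with `current->uid == 0` to uid/gid 0 whenever `inode->i_uid == ns->creator->uid`, with no check that `ns` is a child namespace rather than the initial one, so, as the commit message itself concedes, a namespace creator who is allowed to remount can produce root-owned files. Suggest guarding the block behind a debug Kconfig option or `#ifdef` rather than shipping it unconditionally, and note that because it returns 1 before the xattr lookup that follows, the `fs.userns` path described in the message can never be exercised while this block is present. Minor: "IT's" in the added comment should read "It's".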