When determining whether or not to create a coredump the vfs will verify that the caller is privileged over the inode. Make the would_dump() helper handle idmapped mounts by passing down the mount's user namespace of the exec file. Signed-off-by: Christian Brauner <christian.brauner@xxxxxxxxxx> --- fs/exec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index 8e75d7a33514..76de175eeba8 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1391,14 +1391,15 @@ EXPORT_SYMBOL(begin_new_exec); void would_dump(struct linux_binprm *bprm, struct file *file) { struct inode *inode = file_inode(file); - if (inode_permission(inode, MAY_READ) < 0) { + struct user_namespace *ns = mnt_user_ns(file->f_path.mnt); + if (mapped_inode_permission(ns, inode, MAY_READ) < 0) { struct user_namespace *old, *user_ns; bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP; /* Ensure mm->user_ns contains the executable */ user_ns = old = bprm->mm->user_ns; while ((user_ns != &init_user_ns) && - !privileged_wrt_inode_uidgid(user_ns, &init_user_ns, inode)) + !privileged_wrt_inode_uidgid(user_ns, ns, inode)) user_ns = user_ns->parent; if (old != user_ns) { -- 2.29.0 _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers