On Thu, 21 Jan 2021, Christian Brauner wrote:

> From: Tycho Andersen <tycho@tycho.pizza>
>
> When interacting with extended attributes the vfs verifies that the
> caller is privileged over the inode with which the extended attribute is
> associated. For posix access and posix default extended attributes a uid
> or gid can be stored on-disk. Let the functions handle posix extended
> attributes on idmapped mounts. If the inode is accessed through an
> idmapped mount we need to map it according to the mount's user
> namespace. Afterwards the checks are identical to non-idmapped mounts.
> This has no effect for e.g. security xattrs since they don't store uids
> or gids and don't perform permission checks on them like posix acls do.
>
> Link: https://lore.kernel.org/r/20210112220124.837960-17-christian.brauner@xxxxxxxxxx
> Cc: Christoph Hellwig <hch@xxxxxx>
> Cc: David Howells <dhowells@xxxxxxxxxx>
> Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> Cc: linux-fsdevel@xxxxxxxxxxxxxxx
> Reviewed-by: Christoph Hellwig <hch@xxxxxx>
> Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
> Signed-off-by: Christian Brauner <christian.brauner@xxxxxxxxxx>

Reviewed-by: James Morris <jamorris@xxxxxxxxxxxxxxxxxxx>

-- 
James Morris
<jmorris@xxxxxxxxx>

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
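The mechanism the quoted commit message describes, as an added userspace model (editor's illustration, not the kernel's code and not part of this thread): a system.posix_acl_access value carries explicit uids/gids in its ACL_USER/ACL_GROUP entries, so when the inode is reached through an idmapped mount those ids, and the inode owner used for the owner check, are translated through the mount's idmapping first, and the ordinary owner check then runs unchanged. The xattr encoding (4-byte little-endian version 2 header, 8-byte {tag, perm, id} entries, the tag values) follows the kernel's uapi definitions; the extent-shaped idmapping, the function names, the omission of capability semantics beyond a single CAP_FOWNER flag, and the choice to reject unmapped ids with -EINVAL are assumptions made for the example.

```c
/* Added model of POSIX ACL xattr handling on an idmapped mount. Not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* system.posix_acl_access wire format (kernel uapi): LE32 version 2, then
 * entries of LE16 tag, LE16 perm, LE32 id. Only ACL_USER/ACL_GROUP carry an id. */
#define POSIX_ACL_XATTR_VERSION 2
#define ACL_USER_OBJ  0x01
#define ACL_USER      0x02
#define ACL_GROUP_OBJ 0x04
#define ACL_GROUP     0x08
#define ACL_MASK      0x10
#define ACL_OTHER     0x20
#define ID_INVALID    ((uint32_t)-1)
#define MAX_ENTRIES   32

struct acl_entry { uint16_t tag, perm; uint32_t id; };

/* Assumed shape of a mount idmapping: fs ids [first_fs, +count) are seen on
 * the mount as [first_mnt, +count), like a user namespace uid_map extent. */
struct extent { uint32_t first_mnt, first_fs, count; };
struct idmap { const struct extent *ext; size_t n; };

/* Translate an id across the mapping; ID_INVALID when nothing maps it. */
static uint32_t idmap_translate(const struct idmap *m, uint32_t id, bool fs_to_mnt)
{
    for (size_t i = 0; i < m->n; i++) {
        uint32_t from = fs_to_mnt ? m->ext[i].first_fs : m->ext[i].first_mnt;
        uint32_t to   = fs_to_mnt ? m->ext[i].first_mnt : m->ext[i].first_fs;
        if (id >= from && id - from < m->ext[i].count)
            return to + (id - from);
    }
    return ID_INVALID;
}

static uint32_t rd32(const uint8_t *p)
{ return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Decode a raw xattr value into entries; entry count or -EINVAL. */
static int acl_parse(const uint8_t *buf, size_t len, struct acl_entry *out)
{
    if (len < 4 || (len - 4) % 8 || rd32(buf) != POSIX_ACL_XATTR_VERSION)
        return -EINVAL;
    size_t n = (len - 4) / 8;
    if (n > MAX_ENTRIES)
        return -EINVAL;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = buf + 4 + 8 * i;
        out[i].tag = rd16(e); out[i].perm = rd16(e + 2); out[i].id = rd32(e + 4);
    }
    return (int)n;
}

/* Map the ids that live inside the ACL. USER_OBJ/GROUP_OBJ name the inode's
 * own owner/group and carry no id. An id with no mapping is refused, not squashed. */
static int acl_map_ids(struct acl_entry *e, int n, const struct idmap *m, bool fs_to_mnt)
{
    for (int i = 0; i < n; i++) {
        if (e[i].tag != ACL_USER && e[i].tag != ACL_GROUP)
            continue;
        uint32_t mapped = idmap_translate(m, e[i].id, fs_to_mnt);
        if (mapped == ID_INVALID)
            return -EINVAL;
        e[i].id = mapped;
    }
    return 0;
}

/* setxattr of the access ACL through the mount: the inode owner is mapped
 * fs->mnt and compared with the caller's fsuid (the same owner check a plain
 * mount performs); the caller's ids are in the mount's view, so they are
 * mapped mnt->fs before being stored. Returns entry count or -errno. */
static int acl_xattr_set(uint32_t caller_fsuid, bool caller_has_cap_fowner,
                         uint32_t inode_uid_fs, const struct idmap *m,
                         const uint8_t *value, size_t len, struct acl_entry *stored)
{
    uint32_t owner_mnt = idmap_translate(m, inode_uid_fs, true);
    if (!caller_has_cap_fowner && (owner_mnt == ID_INVALID || owner_mnt != caller_fsuid))
        return -EPERM;
    int n = acl_parse(value, len, stored);
    if (n < 0)
        return n;
    int rc = acl_map_ids(stored, n, m, false);
    return rc ? rc : n;
}

/* getxattr on the same mount: stored fs ids are mapped fs->mnt for the caller. */
static int acl_xattr_get(const struct acl_entry *stored, int n, const struct idmap *m,
                         struct acl_entry *out)
{
    for (int i = 0; i < n; i++)
        out[i] = stored[i];
    int rc = acl_map_ids(out, n, m, true);
    return rc ? rc : n;
}

/* Constructed mapping: fs ids 0..999 appear on the mount as 100000..100999. */
static const struct extent demo_ext[] = { { 100000, 0, 1000 } };
static const struct idmap demo_map = { demo_ext, 1 };
/* Constructed value: u::rw-, u:100005:r--, g::r--, m::rw-, o::--- in the
 * caller's (mount) view; the ACL_USER id 100005 must be stored on disk as 5. */
static const uint8_t demo_blob[] = {
    2,0,0,0,
    0x01,0x00, 0x06,0x00, 0xff,0xff,0xff,0xff,
    0x02,0x00, 0x04,0x00, 0xa5,0x86,0x01,0x00,
    0x04,0x00, 0x04,0x00, 0xff,0xff,0xff,0xff,
    0x10,0x00, 0x06,0x00, 0xff,0xff,0xff,0xff,
    0x20,0x00, 0x00,0x00, 0xff,0xff,0xff,0xff,
};

int main(void)
{
    struct acl_entry stored[MAX_ENTRIES];
    /* Inode owned by fs uid 42; caller is 100042 on the mount, i.e. the owner. */
    int n = acl_xattr_set(100042, false, 42, &demo_map, demo_blob, sizeof demo_blob, stored);
    printf("owner set: %d entries, ACL_USER stored as fs uid %u\n", n, stored[1].id);
    /* A different mount uid is refused exactly as a non-owner is on a plain mount. */
    printf("non-owner set: %d\n",
           acl_xattr_set(100043, false, 42, &demo_map, demo_blob, sizeof demo_blob, stored));
    return 0;
}
```

The two directions matter for the same reason the commit message gives: ids written by the caller are expressed in the mount's namespace and must be translated before they reach disk, while ids read back (and the owner used for the privilege check) are translated the other way before comparison; with the mapping applied at that boundary, the checks themselves need no idmapped-mount special case.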