On Thu, May 20, 2021 at 11:37:07AM +0200, Christian Brauner wrote: > On Thu, May 20, 2021 at 10:56:57AM +0200, Roberto Sassu wrote: > > This patch introduces the new template fields mntuidmap and mntgidmap, > > which include respectively the UID and GID mappings of the idmapped mount, > > if the user namespace is not the initial one. > > > > These template fields, which should be included whenever the iuid and the > > igid fields are included, allow remote verifiers to find the original UID > > and GID of the inode during signature verification. The iuid and igid > > fields include the mapped UID and GID when the inode is in an idmapped > > mount. > > > > This solution has been preferred to providing always the original UID and > > GID, regardless of whether the inode is in an idmapped mount or not, as > > the mapped UID and GID are those seen by processes and matched with the IMA > > policy. > > Hm, looking at the code this doesn't seem like a good idea to me. I > think we should avoid that and just rely on the original uid and gid. It'd be ok to include the mapped uid/gid but don't copy the mapping itself.
