Re: [PATCH v6 04/40] capability: handle idmapped mounts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 21 Jan 2021, Christian Brauner wrote:

> In order to determine whether a caller holds privilege over a given
> inode the capability framework exposes the two helpers
> privileged_wrt_inode_uidgid() and capable_wrt_inode_uidgid(). The former
> verifies that the inode has a mapping in the caller's user namespace and
> the latter additionally verifies that the caller has the requested
> capability in their current user namespace.
> If the inode is accessed through an idmapped mount map it into the
> mount's user namespace. Afterwards the checks are identical to
> non-idmapped inodes. If the initial user namespace is passed all
> operations are a nop so non-idmapped mounts will not see a change in
> behavior.
> 
> Link: https://lore.kernel.org/r/20210112220124.837960-11-christian.brauner@xxxxxxxxxx
> Cc: Christoph Hellwig <hch@xxxxxx>
> Cc: David Howells <dhowells@xxxxxxxxxx>
> Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> Cc: linux-fsdevel@xxxxxxxxxxxxxxx
> Reviewed-by: Christoph Hellwig <hch@xxxxxx>
> Acked-by: Serge Hallyn <serge@xxxxxxxxxx>
> Signed-off-by: Christian Brauner <christian.brauner@xxxxxxxxxx>


Reviewed-by: James Morris <jamorris@xxxxxxxxxxxxxxxxxxx>


-- 
James Morris
<jmorris@xxxxxxxxx>




[Index of Archives]     [Reiser Filesystem Development]     [Ceph FS]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite National Park]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]     [Linux Media]

  Powered by Linux