On Thu, 21 Jan 2021, Christian Brauner wrote: > The may_follow_link(), may_linkat(), may_lookup(), may_open(), > may_o_create(), may_create_in_sticky(), may_delete(), and may_create() > helpers determine whether the caller is privileged enough to perform the > associated operations. Let them handle idmapped mounts by mapping the > inode or fsids according to the mount's user namespace. Afterwards the > checks are identical to non-idmapped inodes. The patch takes care to > retrieve the mount's user namespace right before performing permission > checks and passing it down into the fileystem so the user namespace > can't change in between by someone idmapping a mount that is currently > not idmapped. If the initial user namespace is passed nothing changes so > non-idmapped mounts will see identical behavior as before. > > Link: https://lore.kernel.org/r/20210112220124.837960-20-christian.brauner@xxxxxxxxxx > Cc: Christoph Hellwig <hch@xxxxxx> > Cc: David Howells <dhowells@xxxxxxxxxx> > Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx> > Cc: linux-fsdevel@xxxxxxxxxxxxxxx > Reviewed-by: Christoph Hellwig <hch@xxxxxx> > Signed-off-by: Christian Brauner <christian.brauner@xxxxxxxxxx> Reviewed-by: James Morris <jamorris@xxxxxxxxxxxxxxxxxxx> -- James Morris <jmorris@xxxxxxxxx>
