> From: Christian Brauner [mailto:christian.brauner@xxxxxxxxxx]
> Sent: Thursday, May 20, 2021 11:41 AM
> On Thu, May 20, 2021 at 11:37:07AM +0200, Christian Brauner wrote:
> > On Thu, May 20, 2021 at 10:56:57AM +0200, Roberto Sassu wrote:
> > > This patch introduces the new template fields mntuidmap and mntgidmap,
> > > which include respectively the UID and GID mappings of the idmapped mount,
> > > if the user namespace is not the initial one.
> > >
> > > These template fields, which should be included whenever the iuid and the
> > > igid fields are included, allow remote verifiers to find the original UID
> > > and GID of the inode during signature verification. The iuid and igid
> > > fields include the mapped UID and GID when the inode is in an idmapped
> > > mount.
> > >
> > > This solution has been preferred to providing always the original UID and
> > > GID, regardless of whether the inode is in an idmapped mount or not, as
> > > the mapped UID and GID are those seen by processes and matched with the IMA
> > > policy.
> >
> > Hm, looking at the code this doesn't seem like a good idea to me. I
> > think we should avoid that and just rely on the original uid and gid.
>
> It'd be ok to include the mapped uid/gid but don't copy the mapping
> itself.

Uhm, we would need a way to obtain the original UID and GID
to verify the portable signature.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli