On 12/1/21 17:19, James Bottomley wrote:
On Wed, 2021-12-01 at 17:09 -0500, Stefan Berger wrote:
On 12/1/21 17:01, James Bottomley wrote:
I don't see this because my setup for everything is triggered off
the first use of the IMA namespace. You'd need to have some type
of lazy setup of the inodes as well to give unshare time to install
the uid/gidmappings.
What could trigger that? A callback while mounting - but I am not
sure where to hook into then. What is your mechanisms to trigger as
the 'first use of the IMA namespace'? What is 'use' here?
use for me is first event that gets logged in the new namespace.
However, I don't think this is a good trigger, it's just a random thing
I was playing with. Perhaps trigger on mount is a good one ... that
could be done from securityfs_ns_init_fs_context?
Yes, this here does the trick now for late init also with runc. The late
uid adjustments are gone.
static int securityfs_ns_init_fs_context(struct fs_context *fc)
{
int rc;
if (fc->user_ns->ima_ns->late_fs_init) {
rc = fc->user_ns->ima_ns->late_fs_init(fc->user_ns);
if (rc)
return rc;
}
fc->ops = &securityfs_ns_context_ops;
return 0;
}
Stefan
James