On Wed, Jan 26, 2022 at 03:43:26PM +0100, Christian Brauner wrote: > On Tue, Jan 25, 2022 at 05:46:44PM -0500, Stefan Berger wrote: > > From: Stefan Berger <stefanb@xxxxxxxxxxxxx> > > > > Show the uid and gid values relative to the user namespace that is > > currently active. The effect of this changes is that when one displays > > the policy from the user namespace that originally set the policy, > > the same uid and gid values are shown in the policy as those that were > > used when the policy was set. > > "Make sure that the uid and gid values associated with the relevant > ima policy are resolved in the user namespace of the opener of the > policy file." > > is more correct. Also note, that by virtue of enforcing that securityfs > files can only ever be opened if the opener's userns is the same or an > ancestor of the userns the securityfs instance is mounted in we are > guaranteed that the uid and gid can be resolved. That's another way of > saying technically *_munged() isn't necessary but it is more correct > since we're crossing the user-kernel boundary. > > > > > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx> > > > > --- Acked-by: Christian Brauner <brauner@xxxxxxxxxx>
