On Fri, Jan 15, 2021 at 07:43:34AM +1100, Dave Chinner wrote: > > That sounds neat. AFAICT, the VFS passes the filesystem a mount userns > > structure, which is then carried down the call stack to whatever > > functions actually care about mapping kernel [ug]ids to their ondisk > > versions? > > > > Does quota still work after this patchset is applied? There isn't any > > mention of that in the cover letter and I don't see a code patch, so > > does that mean everything just works? I'm particularly curious about > > whether there can exist processes with CAP_SYS_ADMIN and an idmapped > > mount? Syscalls like bulkstat and quotactl present file [ug]ids to > > programs, but afaict there won't be any translating going on? > > bulkstat is not allowed inside user namespaces. It's an init > namespace only thing because it provides unchecked/unbounded access > to all inodes in the filesystem, not just those contained within a > specific mount container. > > Hence I don't think bulkstat output (and other initns+root only > filesystem introspection APIs) should be subject to or concerned > about idmapping. That is what the capabilities are designed for and we already check for them.
