[PATCH 04/10] user namespaces: enforce usernamespaces for file permission

Eric W. Biederman ebiederm at xmission.com
Fri Aug 22 18:56:38 PDT 2008


"Serge E. Hallyn" <serue at us.ibm.com> writes:
>
> By itself that is not sufficient.  We need to support two inodes on the
> same fs where both have i_uid=500 on the host fs, while in user
> namespace X one is owned by uid 0, and another by uid 1000.
>
> So we need to be able to pass the filesystem an inode and a user
> namespace, and ask for the owning uid and gids.
>
> Or am I (I likely am) misunderstanding?

There are two questions.
Does this filesystem provide mappings to user namespace X?
What is the mapping from this filesystem to user namespace X?

I think we may be able to separate those two questions.

The important idea is that we don't need to implement filesystem changes
in the first pass.  Just have the permission check fail unconditionally
if we are not in the init_user_ns.

Eric


More information about the Containers mailing list