[PATCH review 0/11] General unprivileged mount support
Jan Kara
jack at suse.cz
Mon Jul 4 08:52:20 UTC 2016
On Sat 02-07-16 12:18:08, Eric W. Biederman wrote:
>
> As well as in these patches the code is also available from:
> git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-testing
>
> It has been a long time in coming but recently in the userns tree the
> superblock has been expanded with a s_user_ns field indicating the user
> namespace that owns a superblock.
>
> The s_user_ns owner of a superblock has three implications.
> - Only kuids and kgids that map into s_user_ns are allowed to be sent to a
> filesystem from the vfs.
> - If the uid or gid on the filesystem does not map into s_user_ns i_uid
> is set to INVALID_UID and i_gid is set to INVALID_GID.
> - The scope of permission checks can be changed from global to a
> capabilitiy check in s_user_ns.
OK, to check that I understand it right:
So the uids and gids that are stored on disk are still expected to be in
the initial id namespace, aren't they?
Honza
--
Jan Kara <jack at suse.com>
SUSE Labs, CR
More information about the Containers
mailing list