On Sat, Dec 23, 2017 at 1:38 PM, Dongsu Park <don...@kinvolk.io> wrote: > Hi, > > On Sat, Dec 23, 2017 at 4:26 AM, Serge E. Hallyn <se...@hallyn.com> wrote: >> On Fri, Dec 22, 2017 at 03:32:28PM +0100, Dongsu Park wrote: >>> From: Seth Forshee <seth.fors...@canonical.com> >>> >>> Expand the check in should_remove_suid() to keep privileges for >> >> I realize this description came from Seth, but reading it now, >> 'Expand' seems wrong. Expanding a check brings to my mind making >> it stricter, not looser. How about 'Relax the check' ? > > Makes sense. Will do. > >>> CAP_FSETID in s_user_ns rather than init_user_ns. >>> >>> Patch v4 is available: https://patchwork.kernel.org/patch/8944621/ >>> >>> --EWB Changed from ns_capable(sb->s_user_ns, ) to capable_wrt_inode_uidgid >> >> Why exactly? >> >> This is wrong, because capable_wrt_inode_uidgid() does a check >> against current_user_ns, not the inode->i_sb->s_user_ns
I'm thoroughly confused. s_user_ns is supposed to be about the usernamespace the filesystem perceives to be in, right? How does that come into play when checking permissions to do something? Thanks, Miklos
