[PATCH 3.8 076/116] xfs: ioctl check for capabilities in the current user namespace

Dave Chinner david at fromorbit.com
Tue Jul 22 23:12:57 UTC 2014


On Tue, Jul 22, 2014 at 03:21:27PM -0700, Kamal Mostafa wrote:
> 3.8.13.27 -stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Dwight Engen <dwight.engen at oracle.com>
> 
> commit fd5e2aa8653665ae1cc60f7aca1069abdbcad3f6 upstream.
> 
> Use inode_capable() to check if SUID|SGID bits should be cleared to match
> similar check in inode_change_ok().
> 
> The check for CAP_LINUX_IMMUTABLE was not modified since all other file
> systems also check against init_user_ns rather than current_user_ns.
> 
> Only allow changing of projid from init_user_ns.
> 
> Reviewed-by: Dave Chinner <dchinner at redhat.com>
> Reviewed-by: Gao feng <gaofeng at cn.fujitsu.com>
> Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
> Signed-off-by: Ben Myers <bpm at sgi.com>
> [ kamal: 3.8-stable prereq for
>   23adbe1 fs,userns: Change inode_capable to capable_wrt_inode_uidgid ]
> Signed-off-by: Kamal Mostafa <kamal at canonical.com>
> ---
>  fs/xfs/xfs_ioctl.c  | 11 +++++++++--
>  kernel/capability.c |  1 +
>  2 files changed, 10 insertions(+), 2 deletions(-)
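
Review bot: the diffstat lists one added line in kernel/capability.c, but the commit message describes only the fs/xfs/xfs_ioctl.c permission checks and never says what that line is. The message should state what is added to kernel/capability.c and why the XFS change depends on it, so that a stable reviewer can tell whether the target tree meets the same prerequisite.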

Why are you backporting this to 3.8? Namespace support didn't come
along until much later, so grabbing one patch out of the middle of a
patch series to allow userns support in XFS is likely to cause
problems because there's no supporting code in XFS for it.

Please don't randomly cherry pick userns support patches that change
permission checks back into kernels that don't have userns support.

Cheers,

Dave.
-- 
Dave Chinner
david at fromorbit.com



