[PULL][Xenial SRU] Mount updates for snaps in lxd containers
Seth Forshee
seth.forshee at canonical.com
Wed Oct 26 19:31:38 UTC 2016
BugLink: http://bugs.launchpad.net/bugs/1634964
In order for xenial to support snaps in lxd containers by default, fuse
mounts in user namespaces must also be enabled by default. These patches
harden the namespace mount support in xenial by updating it to match
yakkety, then they flip the fuse userns_mounts module parameter to be
enabled by default. Mostly this is done by reverting sauce patches in
xenial and replacing them with backports from yakkety or upstream.
This is quite a bit of churn; however, it brings us in line with what we
have in yakkety and closer to upstream (version 4.8 at least).
Thanks,
Seth
The following changes since commit ed40d9290a09cb0b998c300d0f52b6b408f8d490:
UBUNTU: Ubuntu-4.4.0-46.67 (2016-10-20 08:10:00 -0500)
are available in the git repository at:
git://git.launchpad.net/~sforshee/+git/ubuntu-xenial lp1634964
for you to fetch changes up to 742bfb82d4c7ed36b9e42624e1f134bb0d3884d7:
UBUNTU: SAUCE: (namespace) fuse: Allow user namespace mounts by default (2016-10-21 12:01:56 -0500)
----------------------------------------------------------------
Eric W. Biederman (8):
(namespace) mnt: Move the FS_USERNS_MOUNT check into sget_userns
(namespace) vfs: Verify acls are valid within superblock's s_user_ns.
(namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs
(namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs
(namespace) quota: Ensure qids map to the filesystem
(namespace) quota: Handle quota data stored in s_user_ns in quota_setxquota
(namespace) dquot: For now explicitly don't support filesystems outside of init_user_ns
UBUNTU: SAUCE: (namespace) fs: Allow superblock owner to change ownership of inodes
Seth Forshee (13):
(namespace) Revert "UBUNTU: SAUCE: fs: Refuse uid/gid changes which don't map into s_user_ns"
(namespace) fs: Refuse uid/gid changes which don't map into s_user_ns
(namespace) Revert "UBUNTU: SAUCE: fs: Update posix_acl support to handle user namespace mounts"
UBUNTU: SAUCE: (namespace) posix_acl: Export posix_acl_fix_xattr_userns() to modules
UBUNTU: SAUCE: (namespace) fuse: Translate ids in posix acl xattrs
(namespace) Revert "UBUNTU: SAUCE: quota: Require that qids passed to dqget() be valid and map into s_user_ns"
(namespace) Revert "UBUNTU: SAUCE: quota: Convert ids relative to s_user_ns"
(namespace) Revert "UBUNTU: SAUCE: ima/evm: Allow root in s_user_ns to set xattrs"
UBUNTU: SAUCE: (namespace) security/integrity: Harden against malformed xattrs
(namespace) Revert "UBUNTU: SAUCE: fs: Allow superblock owner to change ownership of inodes with unmappable ids"
(namespace) Revert "UBUNTU: SAUCE: fs: Don't remove suid for CAP_FSETID in s_user_ns"
UBUNTU: SAUCE: (namespace) fs: Don't remove suid for CAP_FSETID for userns root
UBUNTU: SAUCE: (namespace) fuse: Allow user namespace mounts by default
drivers/staging/lustre/lustre/mdc/mdc_request.c | 2 +-
fs/9p/acl.c | 2 +-
fs/attr.c | 51 +++++++++----------
fs/fuse/dir.c | 30 +++++++++--
fs/fuse/inode.c | 2 +-
fs/inode.c | 12 ++++-
fs/kernfs/inode.c | 2 -
fs/namei.c | 36 +++++++++++---
fs/namespace.c | 4 --
fs/ocfs2/quota_global.c | 6 +--
fs/posix_acl.c | 61 ++++++++++-------------
fs/proc/base.c | 7 ++-
fs/proc/generic.c | 6 ++-
fs/proc/proc_sysctl.c | 7 ++-
fs/quota/dquot.c | 12 +++--
fs/quota/quota.c | 10 ++--
fs/quota/quota_tree.c | 66 +++++++++----------------
fs/quota/quota_v1.c | 13 +----
fs/quota/quota_v2.c | 43 ++++++----------
fs/super.c | 4 ++
fs/xattr.c | 26 +++++-----
include/linux/dqblk_qtree.h | 4 +-
include/linux/fs.h | 5 ++
include/linux/posix_acl.h | 2 +-
include/linux/posix_acl_xattr.h | 24 ++++-----
include/linux/quota.h | 10 ++++
security/integrity/digsig.c | 2 +-
security/integrity/evm/evm_main.c | 6 ++-
security/integrity/ima/ima_appraise.c | 4 +-
zfs/module/zfs/zpl_xattr.c | 4 +-
30 files changed, 245 insertions(+), 218 deletions(-)
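Since the final patch in this series flips the fuse userns_mounts default, an administrator will want to confirm what the running kernel actually does. The following POSIX shell check is an added example, not part of this pull request or the Ubuntu kernel tree: it reads the module parameter from its standard sysfs location and reports any modprobe.d override; both functions take an optional directory argument so they can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the pull request): audit whether FUSE mounts
# inside user namespaces are permitted on the running kernel.

fuse_userns_mounts_state() {
    # $1: directory holding the fuse parameter files
    #     (default: the real sysfs location for the fuse module)
    dir="${1:-/sys/module/fuse/parameters}"
    f="$dir/userns_mounts"
    if [ ! -r "$f" ]; then
        # fuse not loaded, or this kernel does not carry the parameter
        echo "unknown"
        return 0
    fi
    # bool module parameters read back as a single Y or N
    case "$(cat "$f")" in
        Y) echo "enabled" ;;
        N) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

fuse_userns_mounts_override() {
    # $1: modprobe.d directory (default: /etc/modprobe.d)
    # Prints any "options fuse ... userns_mounts=..." line, so an admin can
    # see whether the kernel default is being overridden at module load.
    dir="${1:-/etc/modprobe.d}"
    grep -hE '^[[:space:]]*options[[:space:]]+fuse[[:space:]].*userns_mounts=' \
        "$dir"/*.conf 2>/dev/null || :
}

# Stand-alone usage: report both the effective state and any override.
echo "fuse userns_mounts: $(fuse_userns_mounts_state)"
fuse_userns_mounts_override
```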