APPLIED: [SRU][Xenial][PATCH 0/4] Backport namespaced fscap support to xenial
Kleber Souza
kleber.souza at canonical.com
Tue Jul 31 13:05:23 UTC 2018
On 06/22/18 23:43, Seth Forshee wrote:
> BugLink: http://bugs.launchpad.net/bugs/1778286
>
> == SRU Justification ==
>
> Impact: Support for using filesystem capabilities in unprivileged user
> namespaces was added upstream in Linux 4.14. This is a useful feature
> that allows unprivileged containers to set fscaps that are valid only in
> user namespaces where a specific kuid is mapped to root. This allows for
> e.g. support for Linux distros within lxd which make use of filesystem
> capabilities.
>
> Fix: Backport upstream commit 8db6c34f1dbc "Introduce v3 namespaced file
> capabilities" and any subsequent fixes to xenial 4.4.
>
> Test Case: Test use of fscaps within a lxd container.
>
> Regression Potential: This has been upstream since 4.14 (and thus is
> present in bionic), and the backport to xenial 4.4 was straightforward,
> so regression potential is low.
>
> Thanks,
> Seth
>
>
> Colin Ian King (1):
> commoncap: move assignment of fs_ns to avoid null pointer dereference
>
> Eric Biggers (1):
> capabilities: fix buffer overread on very short xattr
>
> Serge E. Hallyn (1):
> Introduce v3 namespaced file capabilities
>
> Tetsuo Handa (1):
> commoncap: Handle memory allocation failure.
>
> fs/xattr.c | 6 +
> include/linux/capability.h | 2 +
> include/linux/security.h | 2 +
> include/uapi/linux/capability.h | 22 ++-
> security/commoncap.c | 270 +++++++++++++++++++++++++++++---
> 5 files changed, 280 insertions(+), 22 deletions(-)
>
>
Applied to xenial/master-next branch.
Thanks,
Kleber
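The v3 format this series backports keeps the v2 permitted/inheritable sets and appends a rootid, the kuid that is root in the user namespace for which the caps are valid. The following parser for the `security.capability` xattr is an added example, not code from this patch series or from the kernel; the layout and the VFS_CAP_* constants follow the upstream uapi header, while the `parse_fscaps` function and the sample blob are constructed here. It rejects xattrs shorter than the magic word before reading anything, the case the "buffer overread on very short xattr" fix in the series addresses.

```c
#include <stdint.h>
#include <string.h>

/* security.capability on-disk layout (include/uapi/linux/capability.h) */
#define VFS_CAP_REVISION_MASK   0xFF000000U
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001U
#define VFS_CAP_REVISION_2      0x02000000U  /* 2 u32 per set: 20 bytes */
#define VFS_CAP_REVISION_3      0x03000000U  /* v2 layout + rootid: 24 bytes */

struct fscaps {
    uint32_t revision;     /* 2 or 3 */
    int effective;         /* VFS_CAP_FLAGS_EFFECTIVE set in magic_etc */
    uint64_t permitted, inheritable;
    uint32_t rootid;       /* v3 only: kuid that is root in the owning userns */
};

/* Little-endian u32 read, as the xattr is stored on disk. */
static uint32_t le32(const unsigned char *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* 0 on success; -1 on a short or wrong-sized xattr or an unknown revision. */
int parse_fscaps(const unsigned char *buf, size_t len, struct fscaps *out)
{
    if (len < 4)                 /* validate length before reading magic_etc */
        return -1;
    uint32_t magic = le32(buf);
    size_t need;
    switch (magic & VFS_CAP_REVISION_MASK) {
    case VFS_CAP_REVISION_2: need = 20; break;
    case VFS_CAP_REVISION_3: need = 24; break;
    default: return -1;
    }
    if (len != need)             /* the kernel insists on the exact size */
        return -1;
    memset(out, 0, sizeof(*out));
    out->revision  = magic >> 24;
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    for (size_t i = 0; i < 2; i++) {      /* data[0] = low 32 bits, data[1] = high */
        out->permitted   |= (uint64_t)le32(buf + 4 + 8 * i) << (32 * i);
        out->inheritable |= (uint64_t)le32(buf + 8 + 8 * i) << (32 * i);
    }
    if (out->revision == 3)
        out->rootid = le32(buf + 20);
    return 0;
}

/* Constructed sample: v3, effective, permitted = CAP_NET_BIND_SERVICE (bit 10), rootid = 100000 */
const unsigned char sample_v3_xattr[24] = {
    0x01, 0x00, 0x00, 0x03,  0x00, 0x04, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,  0xA0, 0x86, 0x01, 0x00
};
```

A userspace audit tool can feed the bytes returned by getxattr(2) for `security.capability` into `parse_fscaps` and flag files whose rootid is not 0, i.e. caps that are only honoured inside a particular user namespace.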