[SRU][Xenial][PATCH 0/4] Backport namespaced fscap support to xenial
Seth Forshee
seth.forshee at canonical.com
Fri Jun 22 21:43:55 UTC 2018
BugLink: http://bugs.launchpad.net/bugs/1778286
== SRU Justification ==
Impact: Support for using filesystem capabilities in unprivileged user
namespaces was added upstream in Linux 4.14. This is a useful feature
that allows unprivileged containers to set fscaps that are valid only in
user namespaces where a specific kuid is mapped to root. This allows for
e.g. support for Linux distros within lxd which make use of filesystem
capabilities.
Fix: Backport upstream commit 8db6c34f1dbc "Introduce v3 namespaced file
capabilities" and any subsequent fixes to xenial 4.4.
Test Case: Test use of fscaps within a lxd container.
Regression Potential: This has been upstream since 4.14 (and thus is
present in bionic), and the backport to xenial 4.4 was straightforward,
so regression potential is low.
Thanks,
Seth
Colin Ian King (1):
commoncap: move assignment of fs_ns to avoid null pointer dereference
Eric Biggers (1):
capabilities: fix buffer overread on very short xattr
Serge E. Hallyn (1):
Introduce v3 namespaced file capabilities
Tetsuo Handa (1):
commoncap: Handle memory allocation failure.
fs/xattr.c | 6 +
include/linux/capability.h | 2 +
include/linux/security.h | 2 +
include/uapi/linux/capability.h | 22 ++-
security/commoncap.c | 270 +++++++++++++++++++++++++++++---
5 files changed, 280 insertions(+), 22 deletions(-)
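As an added illustration of the v3 on-disk format this series backports (example code, not part of the series), the C parser below tells a v2 security.capability xattr from a namespaced v3 one, which appends the rootid, and refuses a buffer too short to hold the revision word; the sample xattr bytes and the rootid value 100000 are constructed.

```c
#include <stdint.h>
#include <stddef.h>
/* Names and layout follow include/uapi/linux/capability.h as of Linux 4.14. */
#define VFS_CAP_REVISION_MASK   0xFF000000U
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001U
#define VFS_CAP_REVISION_2      0x02000000U
#define VFS_CAP_REVISION_3      0x03000000U
#define VFS_CAP_U32             2
#define XATTR_CAPS_SZ_2         20  /* magic_etc + VFS_CAP_U32 x (permitted, inheritable) */
#define XATTR_CAPS_SZ_3         24  /* the v2 layout followed by a 32-bit rootid */
struct parsed_caps {
    uint32_t revision;             /* 2 or 3 */
    int effective;                 /* VFS_CAP_FLAGS_EFFECTIVE set in magic_etc */
    uint64_t permitted, inheritable;
    uint32_t rootid;               /* kuid the caps are bound to; 0 for v2 (init ns root) */
};
static uint32_t le32(const unsigned char *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Returns 0 on success, -1 for a short buffer or unknown revision. Checking the
 * size before reading magic_etc is the "very short xattr" overread the series fixes. */
int parse_caps_xattr(const unsigned char *buf, size_t size, struct parsed_caps *out)
{
    if (size < sizeof(uint32_t))
        return -1;
    uint32_t magic = le32(buf), rev = magic & VFS_CAP_REVISION_MASK;
    if (rev == VFS_CAP_REVISION_2 && size == XATTR_CAPS_SZ_2)
        out->rootid = 0;                            /* v2: root of the initial user ns */
    else if (rev == VFS_CAP_REVISION_3 && size == XATTR_CAPS_SZ_3)
        out->rootid = le32(buf + XATTR_CAPS_SZ_2);  /* v3: kuid stored after the v2 data */
    else
        return -1;
    out->revision = rev >> 24;
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    out->permitted = out->inheritable = 0;
    for (int i = 0; i < VFS_CAP_U32; i++) {
        out->permitted   |= (uint64_t)le32(buf + 4 + 8 * i) << (32 * i);
        out->inheritable |= (uint64_t)le32(buf + 8 + 8 * i) << (32 * i);
    }
    return 0;
}

/* Constructed sample (not from the page): v3 + effective, permitted = bit 10
 * (CAP_NET_BIND_SERVICE), inheritable = 0, rootid = 100000 (assumed container root kuid). */
const unsigned char sample_v3_xattr[XATTR_CAPS_SZ_3] = {
    0x01, 0x00, 0x00, 0x03,  0x00, 0x04, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,  0xA0, 0x86, 0x01, 0x00,
};
struct parsed_caps g_sample;
int parse_sample(void) { return parse_caps_xattr(sample_v3_xattr, XATTR_CAPS_SZ_3, &g_sample); }
```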