[SRU][Xenial][PATCH 0/4] Backport namespaced fscap support to xenial

Seth Forshee seth.forshee at canonical.com
Fri Jun 22 21:43:55 UTC 2018


BugLink: http://bugs.launchpad.net/bugs/1778286

== SRU Justification ==

Impact: Support for using filesystem capabilities in unprivileged user
namespaces was added upstream in Linux 4.14. This is a useful feature
that allows unprivileged containers to set fscaps that are valid only in
user namespaces where a specific kuid is mapped to root. This allows, e.g.,
support for Linux distros within lxd that make use of filesystem
capabilities.

Fix: Backport upstream commit 8db6c34f1dbc "Introduce v3 namespaced file
capabilities" and any subsequent fixes to xenial 4.4.

Test Case: Test use of fscaps within a lxd container.

Regression Potential: This has been upstream since 4.14 (and thus is
present in bionic), and the backport to xenial 4.4 was straightforward,
so regression potential is low.

Thanks,
Seth


Colin Ian King (1):
  commoncap: move assignment of fs_ns to avoid null pointer dereference

Eric Biggers (1):
  capabilities: fix buffer overread on very short xattr

Serge E. Hallyn (1):
  Introduce v3 namespaced file capabilities

Tetsuo Handa (1):
  commoncap: Handle memory allocation failure.

 fs/xattr.c                      |   6 +
 include/linux/capability.h      |   2 +
 include/linux/security.h        |   2 +
 include/uapi/linux/capability.h |  22 ++-
 security/commoncap.c            | 270 +++++++++++++++++++++++++++++---
 5 files changed, 280 insertions(+), 22 deletions(-)
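As an added illustration of the v3 xattr format described in the Impact paragraph, and of the length check that the "buffer overread on very short xattr" fix concerns, here is a userspace decoder for a `security.capability` value (example code, not part of this patch series or of the kernel). Constants and layout follow include/uapi/linux/capability.h; the sample bytes and the kuid 100000 are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Constants as defined in include/uapi/linux/capability.h */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_REVISION_3      0x03000000u
#define XATTR_CAPS_SZ_2 20  /* magic_etc + 2 x (permitted, inheritable) */
#define XATTR_CAPS_SZ_3 24  /* same as v2 plus a trailing rootid */

struct fscap {
    uint64_t permitted, inheritable;
    int effective, has_rootid;
    uint32_t rootid;  /* v3 only: kuid in the initial ns that must map to root */
};

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a security.capability value. Returns 0 on success, -1 if malformed. */
int decode_fscap_xattr(const unsigned char *buf, size_t len, struct fscap *out) {
    /* Check the size before reading magic_etc: a too-short xattr must be rejected, not overread. */
    if (len < 4) return -1;
    uint32_t magic = le32(buf), rev = magic & VFS_CAP_REVISION_MASK;
    size_t want = rev == VFS_CAP_REVISION_2 ? XATTR_CAPS_SZ_2 : rev == VFS_CAP_REVISION_3 ? XATTR_CAPS_SZ_3 : 0;
    if (want == 0 || len != want) return -1;  /* unknown revision or wrong size for it */
    memset(out, 0, sizeof *out);
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    /* data[0] carries the low 32 bits of each set, data[1] the high 32 bits */
    out->permitted   = le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
    out->inheritable = le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
    if (rev == VFS_CAP_REVISION_3) {
        out->has_rootid = 1;
        out->rootid = le32(buf + 20);
    }
    return 0;
}

/* Constructed sample: v3 xattr with CAP_NET_BIND_SERVICE (bit 10) permitted+effective,
   valid only in user namespaces where kuid 100000 is mapped to root. */
const unsigned char sample_v3[XATTR_CAPS_SZ_3] = {
    0x01, 0x00, 0x00, 0x03,  0x00, 0x04, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, /* magic_etc, data[0] */
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,  0xa0, 0x86, 0x01, 0x00, /* data[1], rootid=100000 */
};
```

Inside a user namespace the kernel presents such an xattr as a v2 value only when the stored rootid maps to that namespace's root, which is what makes the capability effective for the container and inert on the host.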
