ACK: [PATCH][SRU][DISCO][EOAN] UBUNTU: SAUCE: shiftfs: drop CAP_SYS_RESOURCE from effective capabilities

Stefan Bader stefan.bader at canonical.com
Thu Nov 7 16:28:26 UTC 2019 

On 23.10.19 14:23, Christian Brauner wrote:
> BugLink: https://bugs.launchpad.net/bugs/1849483
> 
> Currently shiftfs allows to exceed project quota and reserved space on
> e.g. ext2. See [1] and especially [2] for a bug report. This is very
> much not what we want. Quotas and reserverd space settings set on the
> host need to respected. The cause for this issue is overriding the
> credentials with the superblock creator's credentials whenever we
> perform operations such as fallocate() or writes while retaining
> CAP_SYS_RESOURCE.
> 
> The fix is to drop CAP_SYS_RESOURCE from the effective capability set
> after we have made a copy of the superblock creator's credential at
> superblock creation time. This very likely gives us more security than
> we had before and the regression potential seems limited. I would like
> to try this apporach first before coming up with something potentially
> more sophisticated. I don't see why CAP_SYS_RESOURCE should become a
> limiting factor in most use-cases.
> 
> [1]: https://github.com/lxc/lxd/issues/6333
> [2]: https://github.com/lxc/lxd/issues/6333#issuecomment-545154838
> Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
>  fs/shiftfs.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/shiftfs.c b/fs/shiftfs.c
> index ac22a5bf5b1f..890c01c7af25 100644
> --- a/fs/shiftfs.c
> +++ b/fs/shiftfs.c
> @@ -1951,6 +1951,7 @@ static int shiftfs_fill_super(struct super_block *sb, void *raw_data,
>  	sb->s_flags |= SB_POSIXACL;
>  
>  	if (sbinfo->mark) {
> +		struct cred *cred_tmp;
>  		struct super_block *lower_sb = path.mnt->mnt_sb;
>  
>  		/* to mark a mount point, must root wrt lower s_user_ns */
> @@ -2005,11 +2006,14 @@ static int shiftfs_fill_super(struct super_block *sb, void *raw_data,
>  			sbinfo->passthrough_mark = sbinfo->passthrough;
>  		}
>  
> -		sbinfo->creator_cred = prepare_creds();
> -		if (!sbinfo->creator_cred) {
> +		cred_tmp = prepare_creds();
> +		if (!cred_tmp) {
>  			err = -ENOMEM;
>  			goto out_put_path;
>  		}
> +		/* Don't override disk quota limits or use reserved space. */
> +		cap_lower(cred_tmp->cap_effective, CAP_SYS_RESOURCE);
> +		sbinfo->creator_cred = cred_tmp;
>  	} else {
>  		/*
>  		 * This leg executes if we're admin capable in the namespace,
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20191107/3712480c/attachment.sig>

More information about the kernel-team mailing list