ACK[U/F]/cmnt: [SRU][UNSTABLE][PATCH] UBUNTU: SAUCE: shiftfs: record correct creator credentials

Kleber Souza kleber.souza at canonical.com
Thu Apr 23 13:12:01 UTC 2020 

On 10.04.20 16:55, Christian Brauner wrote:
> From: Christian Brauner <christian.brauner at ubuntu.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1872094
> 
> When shiftfs is nested we failed to be able to create any files or
> access directories because we recorded the wrong creator credentials. We
> need to record the credentials of the creator of the lowers mark mount
> of shiftfs. Otherwise we aren't privileged wrt to the shiftfs layer in
> the nesting case. This is similar to how we always record the user
> namespace of the base filesystem.
> 
> Suggested-by: Seth Forshee <seth.forshee at canonical.com>
> Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>

For Focal as well:

Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>


Should this be applied to Eoan? Eoan has shiftfs but it's not an LTS.

Thanks,
Kleber

> ---
>  fs/shiftfs.c | 17 +++++++++--------
>  1 file changed, 9 insertions(+), 8 deletions(-)
> 
> diff --git a/fs/shiftfs.c b/fs/shiftfs.c
> index 3623d02b061e..5c39529d0a17 100644
> --- a/fs/shiftfs.c
> +++ b/fs/shiftfs.c
> @@ -2020,6 +2020,7 @@ static int shiftfs_fill_super(struct super_block *sb, void *raw_data,
>  			 * parent mark mountpoint.
>  			 */
>  			sbinfo->passthrough_mark = sbinfo_mp->passthrough_mark;
> +			sbinfo->creator_cred = get_cred(sbinfo_mp->creator_cred);
>  		} else {
>  			sbinfo->mnt = mntget(path.mnt);
>  			dentry = dget(path.dentry);
> @@ -2028,16 +2029,16 @@ static int shiftfs_fill_super(struct super_block *sb, void *raw_data,
>  			 * are identical.
>  			 */
>  			sbinfo->passthrough_mark = sbinfo->passthrough;
> -		}
>  
> -		cred_tmp = prepare_creds();
> -		if (!cred_tmp) {
> -			err = -ENOMEM;
> -			goto out_put_path;
> +			cred_tmp = prepare_creds();
> +			if (!cred_tmp) {
> +				err = -ENOMEM;
> +				goto out_put_path;
> +			}
> +			/* Don't override disk quota limits or use reserved space. */
> +			cap_lower(cred_tmp->cap_effective, CAP_SYS_RESOURCE);
> +			sbinfo->creator_cred = cred_tmp;
>  		}
> -		/* Don't override disk quota limits or use reserved space. */
> -		cap_lower(cred_tmp->cap_effective, CAP_SYS_RESOURCE);
> -		sbinfo->creator_cred = cred_tmp;
>  	} else {
>  		/*
>  		 * This leg executes if we're admin capable in the namespace,
> 
> base-commit: eb813ecd261d2c4c592bd4116aaa93f33c9ec4bd
>

More information about the kernel-team mailing list