ACK / APPLIED[Unstable]: [SRU][UNSTABLE/EOAN/FOCAL][PATCH] UBUNTU: SAUCE: shiftfs: let userns root destroy subvolumes from other users

Christian Brauner christian.brauner at ubuntu.com
Tue Jun 2 11:27:11 UTC 2020


On Mon, Jun 01, 2020 at 04:20:42PM -0500, Seth Forshee wrote:
> On Wed, May 20, 2020 at 01:44:27PM +0200, Christian Brauner wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1879688
> > 
> > Stéphane reported a bug found during NorthSec that makes heavy use of
> > shiftfs. When a subvolume or snapshot is created as userns root in the
> > container and then chowned to another user a delete as the root user
> > will fail. The reason for this is that we drop all capabilities as a
> > safety measure before calling btrfs ioctls. The only workable fix I
> > could think of is to retain the CAP_DAC_OVERRIDE capability for the
> > BTRFS_IOC_SNAP_DESTROY ioctl. All other solutions would be way more
> > invasive.
> > 
> > Cc: Seth Forshee <seth.forshee at canonical.com>
> > Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
> 
> This looks safe. We're using the creator creds, which will be ns-root
> for the shiftfs s_user_ns. So the DAC override capability is only valid
> in that namespace, which must be current_user_ns at the time of the
> check, and the inode being checked must be owned by a uid/gid mapped in the
> namespace. Since it's restricted to namespace root, the additional
> capabilities are limited to uids towards which the user is already
> privileged. From what I see of how this will impact the snapshot delete
> operation, this seems fine.
> 
> It's ugly, but so is everything related to allowing these btrfs ioctls
> to be passed through shiftfs.

/me nods.

> 
> Acked-by: Seth Forshee <seth.forshee at canonical.com>
> 
> Applied to unstable/master, thanks!

Thanks!
Christian
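The mechanism in the commit message (drop every capability before forwarding a btrfs ioctl, keep only CAP_DAC_OVERRIDE for BTRFS_IOC_SNAP_DESTROY) and Seth's safety argument (the capability is held in the creator's s_user_ns, so it only counts when that is the current namespace and only towards uids/gids mapped there) can be checked against a small user-space model. The code below is an added example written for this thread; it is not shiftfs code and not the patch itself. The namespace, cred and inode structs, the uid map values and the ioctl numbers are all hypothetical stand-ins for the kernel types, and the "owner or CAP_DAC_OVERRIDE" rule is a simplified model of the inode permission check that the snapshot-destroy path runs into.

```c
/*
 * Added example: a user-space model of the credential override discussed in
 * the thread. Not shiftfs code. All types, id maps and ioctl numbers below
 * are hypothetical models, not kernel definitions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_DAC_OVERRIDE 1            /* same numeric value as the Linux capability */
#define CAP_TO_MASK(c)   (1ull << (c))

/* Model ioctl commands (hypothetical numbers, not the real _IOW encodings). */
enum model_ioctl { IOC_SUBVOL_CREATE = 14, IOC_SNAP_DESTROY = 15 };

/* A user namespace with one contiguous kuid/kgid mapping (model). */
struct user_ns {
    const char *name;
    uint32_t map_start;   /* first kuid/kgid mapped into this namespace */
    uint32_t map_count;   /* number of ids mapped */
};

struct cred {
    uint32_t fsuid;                 /* kuid used for DAC checks */
    uint64_t cap_effective;         /* bitmask of effective capabilities */
    const struct user_ns *user_ns;  /* namespace the capabilities are valid in */
};

struct inode_model { uint32_t uid, gid; };

/* Constructed sample namespaces: the host and a container mapping 100000..165535. */
const struct user_ns init_ns      = { "init",      0,      0xffffffffu };
const struct user_ns container_ns = { "container", 100000, 65536 };

bool id_mapped(const struct user_ns *ns, uint32_t kid)
{
    return kid >= ns->map_start && kid - ns->map_start < ns->map_count;
}

/* Creator creds for the ioctl path: ns-root of s_user_ns with every capability
 * cleared, then CAP_DAC_OVERRIDE raised again only for snapshot destroy. */
struct cred override_ioctl_creds(const struct user_ns *s_user_ns, enum model_ioctl cmd)
{
    struct cred c = { .fsuid = s_user_ns->map_start, .cap_effective = 0, .user_ns = s_user_ns };
    if (cmd == IOC_SNAP_DESTROY)
        c.cap_effective |= CAP_TO_MASK(CAP_DAC_OVERRIDE);
    return c;
}

/* Model of a capable_wrt_inode_uidgid()-style check: the capability counts only
 * in the caller's current namespace and only towards ids mapped into it. */
bool may_override_dac(const struct cred *c, const struct user_ns *current_ns,
                      const struct inode_model *ino)
{
    if (c->user_ns != current_ns)
        return false;
    if (!(c->cap_effective & CAP_TO_MASK(CAP_DAC_OVERRIDE)))
        return false;
    return id_mapped(c->user_ns, ino->uid) && id_mapped(c->user_ns, ino->gid);
}

/* Simplified permission rule on the subvolume root: owner, or DAC override. */
bool ioctl_dac_check_passes(const struct user_ns *s_user_ns, const struct user_ns *current_ns,
                            enum model_ioctl cmd, const struct inode_model *ino)
{
    struct cred c = override_ioctl_creds(s_user_ns, cmd);
    if (ino->uid == c.fsuid)
        return true;
    return may_override_dac(&c, current_ns, ino);
}

/* The bug from the report: subvolume chowned to container uid 1000 (kuid 101000),
 * deleted by container root. With the retained capability the check passes. */
bool scenario_chowned_subvol_destroy(void)
{
    struct inode_model ino = { 101000, 101000 };
    return ioctl_dac_check_passes(&container_ns, &container_ns, IOC_SNAP_DESTROY, &ino);
}

/* Any other ioctl keeps the fully dropped capability set: no override. */
bool scenario_chowned_subvol_other_ioctl(void)
{
    struct inode_model ino = { 101000, 101000 };
    return ioctl_dac_check_passes(&container_ns, &container_ns, IOC_SUBVOL_CREATE, &ino);
}

/* Inode owned by an id not mapped into the container (host kuid 0): no override. */
bool scenario_unmapped_owner(void)
{
    struct inode_model ino = { 0, 0 };
    return ioctl_dac_check_passes(&container_ns, &container_ns, IOC_SNAP_DESTROY, &ino);
}

/* Capability held in s_user_ns is worthless if current_user_ns differs. */
bool scenario_wrong_current_ns(void)
{
    struct inode_model ino = { 101000, 101000 };
    return ioctl_dac_check_passes(&container_ns, &init_ns, IOC_SNAP_DESTROY, &ino);
}

int main(void)
{
    printf("chowned subvol, SNAP_DESTROY: %d\n", scenario_chowned_subvol_destroy());
    printf("chowned subvol, other ioctl:  %d\n", scenario_chowned_subvol_other_ioctl());
    printf("unmapped owner:               %d\n", scenario_unmapped_owner());
    printf("wrong current namespace:      %d\n", scenario_wrong_current_ns());
    return 0;
}
```

The only scenario that changes with the fix is the first one; the other three stay denied, which is the point of Seth's review: the retained capability adds privilege only over ids the namespace root is already privileged towards.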


