add workaround for NS issue

tracked upstream in #6800, full fix/user NS compatibility not yet
available.

https://github.com/zfsonlinux/zfs/issues/6800

zfs-patches/0001-remove-DKMS-modules-and-dracut-build.patch

@@ -1,7 +1,7 @@
 From 0337ccd47d411a1db11e09dce1a6d183c2542f29 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
 Date: Mon, 6 Feb 2017 11:03:10 +0100
-Subject: [PATCH 1/2] remove DKMS, modules and dracut build
+Subject: [PATCH 1/3] remove DKMS, modules and dracut build
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

zfs-patches/0002-import-with-d-dev-disk-by-id-in-scan-service.patch

@@ -1,7 +1,7 @@
 From 72fbbc64fe6f9e527e7ebce42d8e57c1fa82dd34 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
 Date: Mon, 24 Oct 2016 13:47:06 +0200
-Subject: [PATCH 2/2] import with -d /dev/disk/by-id in scan service
+Subject: [PATCH 2/3] import with -d /dev/disk/by-id in scan service
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

zfs-patches/0003-Use-user-namespaces-for-FSETID-policy-check.patch

@@ -0,0 +1,66 @@
+From f9171eb92ffd260debce2b28111dc7018d258588 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Tue, 31 Oct 2017 09:08:42 +0100
+Subject: [PATCH 3/3] Use user namespaces for FSETID policy check.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+With this we also need to verify the group id of a file with
+the setgid flag has a valid mapping in the current
+namespace.
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ module/zfs/policy.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/module/zfs/policy.c b/module/zfs/policy.c
+index 03e8f748b..dbbcfefa3 100644
+--- a/module/zfs/policy.c
++++ b/module/zfs/policy.c
+@@ -42,19 +42,26 @@
+  * all other cases this function must fail and return the passed err.
+  */
+ static int
+-priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
++priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
++    struct user_namespace *ns)
+ {
+ 	ASSERT3S(all, ==, B_FALSE);
+ 
+ 	if (cr != CRED() && (cr != kcred))
+ 		return (err);
+ 
+-	if (!capable(capability))
++	if (!(ns ? ns_capable(ns, capability) : capable(capability)))
+ 		return (err);
+ 
+ 	return (0);
+ }
+ 
++static int
++priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
++{
++	return priv_policy_ns(cr, capability, all, err, NULL);
++}
++
+ /*
+  * Checks for operations that are either client-only or are used by
+  * both clients and servers.
+@@ -175,8 +182,11 @@ secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
+ int
+ secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
+ {
++	if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
++		return (EPERM);
+ 	if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
+-		return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
++		return (priv_policy_ns(cr, CAP_FSETID, B_FALSE, EPERM,
++		    cr->user_ns));
+ 
+ 	return (0);
+ }
+-- 
+2.14.2
+

zfs-patches/series

@@ -1,2 +1,3 @@
 0001-remove-DKMS-modules-and-dracut-build.patch
 0002-import-with-d-dev-disk-by-id-in-scan-service.patch
+0003-Use-user-namespaces-for-FSETID-policy-check.patch