From f07031b9ab45669b9c1e05b9bab5d2d1691db52b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Mon, 6 Nov 2017 09:04:37 +0100 Subject: [PATCH] add workaround for NS issue tracked upstream in #6800, full fix/user NS compatibility not yet available. https://github.com/zfsonlinux/zfs/issues/6800 --- ...remove-DKMS-modules-and-dracut-build.patch | 2 +- ...ith-d-dev-disk-by-id-in-scan-service.patch | 2 +- ...r-namespaces-for-FSETID-policy-check.patch | 66 +++++++++++++++++++ zfs-patches/series | 1 + 4 files changed, 69 insertions(+), 2 deletions(-) create mode 100644 zfs-patches/0003-Use-user-namespaces-for-FSETID-policy-check.patch
diff --git a/zfs-patches/0001-remove-DKMS-modules-and-dracut-build.patch b/zfs-patches/0001-remove-DKMS-modules-and-dracut-build.patch
index 09d6f86..6d538c6 100644
--- a/zfs-patches/0001-remove-DKMS-modules-and-dracut-build.patch
+++ b/zfs-patches/0001-remove-DKMS-modules-and-dracut-build.patch
@@ -1,7 +1,7 @@
 From 0337ccd47d411a1db11e09dce1a6d183c2542f29 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?=
 Date: Mon, 6 Feb 2017 11:03:10 +0100
-Subject: [PATCH 1/2] remove DKMS, modules and dracut build
+Subject: [PATCH 1/3] remove DKMS, modules and dracut build
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
diff --git a/zfs-patches/0002-import-with-d-dev-disk-by-id-in-scan-service.patch b/zfs-patches/0002-import-with-d-dev-disk-by-id-in-scan-service.patch
index 93b33d8..c3fcfec 100644
--- a/zfs-patches/0002-import-with-d-dev-disk-by-id-in-scan-service.patch
+++ b/zfs-patches/0002-import-with-d-dev-disk-by-id-in-scan-service.patch
@@ -1,7 +1,7 @@
 From 72fbbc64fe6f9e527e7ebce42d8e57c1fa82dd34 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?=
 Date: Mon, 24 Oct 2016 13:47:06 +0200
-Subject: [PATCH 2/2] import with -d /dev/disk/by-id in scan service
+Subject: [PATCH 2/3] import with -d /dev/disk/by-id in scan service
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
diff --git a/zfs-patches/0003-Use-user-namespaces-for-FSETID-policy-check.patch b/zfs-patches/0003-Use-user-namespaces-for-FSETID-policy-check.patch
new file mode 100644
index 0000000..8ab627d
--- /dev/null
+++ b/zfs-patches/0003-Use-user-namespaces-for-FSETID-policy-check.patch
@@ -0,0 +1,66 @@
+From f9171eb92ffd260debce2b28111dc7018d258588 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller
+Date: Tue, 31 Oct 2017 09:08:42 +0100
+Subject: [PATCH 3/3] Use user namespaces for FSETID policy check.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+With this we also need to verify the group id of a file with
+the setgid flag has a valid mapping in the current
+namespace.
+
+Signed-off-by: Wolfgang Bumiller
+---
+ module/zfs/policy.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/module/zfs/policy.c b/module/zfs/policy.c
+index 03e8f748b..dbbcfefa3 100644
+--- a/module/zfs/policy.c
++++ b/module/zfs/policy.c
+@@ -42,19 +42,26 @@
+ * all other cases this function must fail and return the passed err.
+ */
+ static int
+-priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
++priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
++ struct user_namespace *ns)
+ {
+ ASSERT3S(all, ==, B_FALSE);
+
+ if (cr != CRED() && (cr != kcred))
+ return (err);
+
+- if (!capable(capability))
++ if (!(ns ? ns_capable(ns, capability) : capable(capability)))
+ return (err);
+
+ return (0);
+ }
+
++static int
++priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
++{
++ return priv_policy_ns(cr, capability, all, err, NULL);
++}
++
+ /*
+ * Checks for operations that are either client-only or are used by
+ * both clients and servers.
+@@ -175,8 +182,11 @@ secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
+ int
+ secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
+ {
++ if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
++ return (EPERM);
+ if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
+- return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
++ return (priv_policy_ns(cr, CAP_FSETID, B_FALSE, EPERM,
++ cr->user_ns));
+
+ return (0);
+ }
+--
+2.14.2
+
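Review bot: In `secpolicy_vnode_setids_setgids` the namespaced `CAP_FSETID` check is gated only on `kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid))`, so the file's owner uid is never tested against the caller's namespace, whereas the kernel's own `capable_wrt_inode_uidgid()` requires both ids to be mapped before it honours a namespace-local capability. The function receives only `gid`, so whether its callers already guarantee a mapped owner cannot be confirmed from this hunk and should be checked. At minimum I would add above the new check `/* CAP_FSETID from cr->user_ns is only honoured for a gid mapped there; the owner uid is NOT checked here */`. `kgid_has_mapping()` and `ns_capable()` are also used without any kernel-version or `CONFIG_USER_NS` guard, which is presumably fine for the one kernel this package targets but deserves a comment. The new `priv_policy` wrapper writes `return priv_policy_ns(...)` without the parentheses that every other `return` in the hunk uses.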
diff --git a/zfs-patches/series b/zfs-patches/series
index 16efc00..edbef43 100644
--- a/zfs-patches/series
+++ b/zfs-patches/series
@@ -1,2 +1,3 @@
 0001-remove-DKMS-modules-and-dracut-build.patch
 0002-import-with-d-dev-disk-by-id-in-scan-service.patch
+0003-Use-user-namespaces-for-FSETID-policy-check.patch