From e03f6d99c515ab83c3c6984cab00d6f0392e501f Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Tue, 31 Oct 2017 09:08:42 +0100
Subject: [PATCH 3/3] Use user namespaces for FSETID policy check.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With this we also need to verify the group id of a file with the setgid flag has a valid mapping in the current namespace.

Signed-off-by: Wolfgang Bumiller
Signed-off-by: Fabian Grünbichler
---
 module/zfs/policy.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/module/zfs/policy.c b/module/zfs/policy.c
index 03e8f748b..dbbcfefa3 100644
--- a/module/zfs/policy.c
+++ b/module/zfs/policy.c
@@ -42,19 +42,26 @@
 * all other cases this function must fail and return the passed err.
 */
 static int
-priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
+priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
+ struct user_namespace *ns)
 {
 ASSERT3S(all, ==, B_FALSE);

 if (cr != CRED() && (cr != kcred))
 return (err);

- if (!capable(capability))
+ if (!(ns ? ns_capable(ns, capability) : capable(capability)))
 return (err);

 return (0);
 }

+static int
+priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
+{
+ return priv_policy_ns(cr, capability, all, err, NULL);
+}
+
 /*
 * Checks for operations that are either client-only or are used by
 * both clients and servers.
@@ -175,8 +182,11 @@ secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
 int
 secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
 {
+ if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
+ return (EPERM);
 if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
- return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
+ return (priv_policy_ns(cr, CAP_FSETID, B_FALSE, EPERM,
+ cr->user_ns));
 return (0);
 }

-- 
2.14.2
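Review bot: The new `priv_policy()` wrapper ends with `return priv_policy_ns(cr, capability, all, err, NULL);`, while the other returns visible in this hunk are parenthesised; `return (priv_policy_ns(cr, capability, all, err, NULL));` would match them. The header comment, which starts above the hunk, now sits on `priv_policy_ns()` and says nothing about `ns`. A line such as `If ns is NULL the capability is checked with capable(), otherwise with ns_capable() against ns.` would record that fallback. The wrapper itself has no comment; a one-line `/* priv_policy_ns() without a user namespace */` above it would be enough.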
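Review bot: In `secpolicy_vnode_setids_setgids()` the added check covers only the group side: `kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid))` confirms the gid is mapped, but nothing in this hunk confirms the file owner's uid is mapped before `ns_capable()` on `cr->user_ns` is trusted for CAP_FSETID. The kernel's own helper for this decision, `capable_wrt_inode_uidgid()`, requires both the inode's uid and gid to be mapped in the caller's namespace. Since this function receives only `gid`, it is worth confirming that a caller checks the uid, or passing it in. The mapping test also runs before the `crgetfsgid()`/`groupmember()` test, so an unmapped gid returns EPERM even when the caller is a member of the group; if that is intended, a comment such as `/* a gid with no mapping in cr's user namespace can never keep setgid */` would make it explicit. `kgid_has_mapping()` and `cr->user_ns` are used with no compatibility guard visible in this patch, which may matter if kernels without them are still supported.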