68 lines
2.0 KiB
Diff
68 lines
2.0 KiB
Diff
From e03f6d99c515ab83c3c6984cab00d6f0392e501f Mon Sep 17 00:00:00 2001
|
|
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
|
Date: Tue, 31 Oct 2017 09:08:42 +0100
|
|
Subject: [PATCH 3/4] Use user namespaces for FSETID policy check.
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
With this we also need to verify the group id of a file with
|
|
the setgid flag has a valid mapping in the current
|
|
namespace.
|
|
|
|
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
|
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
|
---
|
|
module/zfs/policy.c | 16 +++++++++++++---
|
|
1 file changed, 13 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/module/zfs/policy.c b/module/zfs/policy.c
|
|
index 03e8f748b..dbbcfefa3 100644
|
|
--- a/module/zfs/policy.c
|
|
+++ b/module/zfs/policy.c
|
|
@@ -42,19 +42,26 @@
|
|
* all other cases this function must fail and return the passed err.
|
|
*/
|
|
static int
|
|
-priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
|
|
+priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
|
|
+ struct user_namespace *ns)
|
|
{
|
|
ASSERT3S(all, ==, B_FALSE);
|
|
|
|
if (cr != CRED() && (cr != kcred))
|
|
return (err);
|
|
|
|
- if (!capable(capability))
|
|
+ if (!(ns ? ns_capable(ns, capability) : capable(capability)))
|
|
return (err);
|
|
|
|
return (0);
|
|
}
|
|
|
|
+static int
|
|
+priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
|
|
+{
|
|
+ return priv_policy_ns(cr, capability, all, err, NULL);
|
|
+}
|
|
+
|
|
/*
|
|
* Checks for operations that are either client-only or are used by
|
|
* both clients and servers.
|
|
@@ -175,8 +182,11 @@ secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
|
|
int
|
|
secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
|
|
{
|
|
+ if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
|
|
+ return (EPERM);
|
|
if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
|
|
- return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
|
|
+ return (priv_policy_ns(cr, CAP_FSETID, B_FALSE, EPERM,
|
|
+ cr->user_ns));
|
|
|
|
return (0);
|
|
}
|
|
--
|
|
2.14.2
|
|
|