zfsonlinux/zfs-patches/0003-Use-user-namespaces-for-FSETID-policy-check.patch
2017-12-19 12:52:00 +01:00

68 lines
2.0 KiB
Diff

From e03f6d99c515ab83c3c6984cab00d6f0392e501f Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 31 Oct 2017 09:08:42 +0100
Subject: [PATCH 3/4] Use user namespaces for FSETID policy check.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With this we also need to verify the group id of a file with
the setgid flag has a valid mapping in the current
namespace.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
module/zfs/policy.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/module/zfs/policy.c b/module/zfs/policy.c
index 03e8f748b..dbbcfefa3 100644
--- a/module/zfs/policy.c
+++ b/module/zfs/policy.c
@@ -42,19 +42,26 @@
* all other cases this function must fail and return the passed err.
*/
static int
-priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
+priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
+ struct user_namespace *ns)
{
ASSERT3S(all, ==, B_FALSE);
if (cr != CRED() && (cr != kcred))
return (err);
- if (!capable(capability))
+ if (!(ns ? ns_capable(ns, capability) : capable(capability)))
return (err);
return (0);
}
+static int
+priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
+{
+ return priv_policy_ns(cr, capability, all, err, NULL);
+}
+
/*
* Checks for operations that are either client-only or are used by
* both clients and servers.
@@ -175,8 +182,11 @@ secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
int
secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
{
+ if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
+ return (EPERM);
if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
- return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
+ return (priv_policy_ns(cr, CAP_FSETID, B_FALSE, EPERM,
+ cr->user_ns));
return (0);
}
--
2.14.2