]>
Commit | Line | Data |
---|---|---|
b9d59150 | 1 | From e03f6d99c515ab83c3c6984cab00d6f0392e501f Mon Sep 17 00:00:00 2001 |
f07031b9 FG |
2 | From: Wolfgang Bumiller <w.bumiller@proxmox.com> |
3 | Date: Tue, 31 Oct 2017 09:08:42 +0100 | |
4 | Subject: [PATCH 3/3] Use user namespaces for FSETID policy check. | |
5 | MIME-Version: 1.0 | |
6 | Content-Type: text/plain; charset=UTF-8 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ||
9 | With this we also need to verify the group id of a file with | |
10 | the setgid flag has a valid mapping in the current | |
11 | namespace. | |
12 | ||
13 | Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> | |
b9d59150 | 14 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> |
f07031b9 FG |
15 | --- |
16 | module/zfs/policy.c | 16 +++++++++++++--- | |
17 | 1 file changed, 13 insertions(+), 3 deletions(-) | |
18 | ||
19 | diff --git a/module/zfs/policy.c b/module/zfs/policy.c | |
20 | index 03e8f748b..dbbcfefa3 100644 | |
21 | --- a/module/zfs/policy.c | |
22 | +++ b/module/zfs/policy.c | |
23 | @@ -42,19 +42,26 @@ | |
24 | * all other cases this function must fail and return the passed err. | |
25 | */ | |
26 | static int | |
27 | -priv_policy(const cred_t *cr, int capability, boolean_t all, int err) | |
28 | +priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err, | |
29 | + struct user_namespace *ns) | |
30 | { | |
31 | ASSERT3S(all, ==, B_FALSE); | |
32 | ||
33 | if (cr != CRED() && (cr != kcred)) | |
34 | return (err); | |
35 | ||
36 | - if (!capable(capability)) | |
37 | + if (!(ns ? ns_capable(ns, capability) : capable(capability))) | |
38 | return (err); | |
39 | ||
40 | return (0); | |
41 | } | |
42 | ||
43 | +static int | |
44 | +priv_policy(const cred_t *cr, int capability, boolean_t all, int err) | |
45 | +{ | |
46 | + return priv_policy_ns(cr, capability, all, err, NULL); | |
47 | +} | |
48 | + | |
49 | /* | |
50 | * Checks for operations that are either client-only or are used by | |
51 | * both clients and servers. | |
52 | @@ -175,8 +182,11 @@ secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot) | |
53 | int | |
54 | secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid) | |
55 | { | |
56 | + if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid))) | |
57 | + return (EPERM); | |
58 | if (crgetfsgid(cr) != gid && !groupmember(gid, cr)) | |
59 | - return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM)); | |
60 | + return (priv_policy_ns(cr, CAP_FSETID, B_FALSE, EPERM, | |
61 | + cr->user_ns)); | |
62 | ||
63 | return (0); | |
64 | } | |
65 | -- | |
66 | 2.14.2 | |
67 |