[zfsonlinux.git] / zfs-patches / 0003-Use-user-namespaces-for-FSETID-policy-check.patch

From e03f6d99c515ab83c3c6984cab00d6f0392e501f Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 31 Oct 2017 09:08:42 +0100
Subject: [PATCH 3/3] Use user namespaces for FSETID policy check.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With this we also need to verify the group id of a file with
the setgid flag has a valid mapping in the current
namespace.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 module/zfs/policy.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/module/zfs/policy.c b/module/zfs/policy.c
index 03e8f748b..dbbcfefa3 100644
--- a/module/zfs/policy.c
+++ b/module/zfs/policy.c
@@ -42,19 +42,26 @@
  * all other cases this function must fail and return the passed err.
  */
 static int
-priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
+priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
+    struct user_namespace *ns)
 {
 	ASSERT3S(all, ==, B_FALSE);
 
 	if (cr != CRED() && (cr != kcred))
 		return (err);
 
-	if (!capable(capability))
+	if (!(ns ? ns_capable(ns, capability) : capable(capability)))
 		return (err);
 
 	return (0);
 }
 
+static int
+priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
+{
+	return priv_policy_ns(cr, capability, all, err, NULL);
+}
+
 /*
  * Checks for operations that are either client-only or are used by
  * both clients and servers.
@@ -175,8 +182,11 @@ secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
 int
 secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
 {
+	if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
+		return (EPERM);
 	if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
-		return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
+		return (priv_policy_ns(cr, CAP_FSETID, B_FALSE, EPERM,
+		    cr->user_ns));
 
 	return (0);
 }
-- 
2.14.2
Commit	Line	Data
b9d59150	1	From e03f6d99c515ab83c3c6984cab00d6f0392e501f Mon Sep 17 00:00:00 2001
f07031b9 FG	2	From: Wolfgang Bumiller <w.bumiller@proxmox.com>
	3	Date: Tue, 31 Oct 2017 09:08:42 +0100
	4	Subject: [PATCH 3/3] Use user namespaces for FSETID policy check.
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	With this we also need to verify the group id of a file with
	10	the setgid flag has a valid mapping in the current
	11	namespace.
	12
	13	Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
b9d59150	14	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
f07031b9 FG	15	---
	16	module/zfs/policy.c \| 16 +++++++++++++---
	17	1 file changed, 13 insertions(+), 3 deletions(-)
	18
	19	diff --git a/module/zfs/policy.c b/module/zfs/policy.c
	20	index 03e8f748b..dbbcfefa3 100644
	21	--- a/module/zfs/policy.c
	22	+++ b/module/zfs/policy.c
	23	@@ -42,19 +42,26 @@
	24	* all other cases this function must fail and return the passed err.
	25	*/
	26	static int
	27	-priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
	28	+priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
	29	+ struct user_namespace *ns)
	30	{
	31	ASSERT3S(all, ==, B_FALSE);
	32
	33	if (cr != CRED() && (cr != kcred))
	34	return (err);
	35
	36	- if (!capable(capability))
	37	+ if (!(ns ? ns_capable(ns, capability) : capable(capability)))
	38	return (err);
	39
	40	return (0);
	41	}
	42
	43	+static int
	44	+priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
	45	+{
	46	+ return priv_policy_ns(cr, capability, all, err, NULL);
	47	+}
	48	+
	49	/*
	50	* Checks for operations that are either client-only or are used by
	51	* both clients and servers.
	52	@@ -175,8 +182,11 @@ secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
	53	int
	54	secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
	55	{
	56	+ if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
	57	+ return (EPERM);
	58	if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
	59	- return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
	60	+ return (priv_policy_ns(cr, CAP_FSETID, B_FALSE, EPERM,
	61	+ cr->user_ns));
	62
	63	return (0);
	64	}
	65	--
	66	2.14.2
	67