1 From e03f6d99c515ab83c3c6984cab00d6f0392e501f Mon Sep 17 00:00:00 2001
2 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
3 Date: Tue, 31 Oct 2017 09:08:42 +0100
4 Subject: [PATCH 3/3] Use user namespaces for FSETID policy check.
5 MIME-Version: 1.0
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
8
9 With this we also need to verify the group id of a file with
10 the setgid flag has a valid mapping in the current
11 namespace.
12
13 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
14 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
15 ---
16 module/zfs/policy.c | 16 +++++++++++++---
17 1 file changed, 13 insertions(+), 3 deletions(-)
18
19 diff --git a/module/zfs/policy.c b/module/zfs/policy.c
20 index 03e8f748b..dbbcfefa3 100644
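--- a/module/zfs/policy.c
+++ b/module/zfs/policy.c
@@ -42,19 +42,26 @@
 * all other cases this function must fail and return the passed err.
 */
 static int
-priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
+priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
+ struct user_namespace *ns)
 {
 ASSERT3S(all, ==, B_FALSE);
 
 if (cr != CRED() && (cr != kcred))
 return (err);
 
- if (!capable(capability))
+ if (!(ns ? ns_capable(ns, capability) : capable(capability)))
 return (err);
 
 return (0);
 }
 
+static int
+priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
+{
+ return priv_policy_ns(cr, capability, all, err, NULL);
+}
+
 /*
 * Checks for operations that are either client-only or are used by
 * both clients and servers.
@@ -175,8 +182,11 @@ secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
 int
 secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
 {
+ if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
+ return (EPERM);
 if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
- return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
+ return (priv_policy_ns(cr, CAP_FSETID, B_FALSE, EPERM,
+ cr->user_ns));
 
 return (0);
 }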
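Review bot: The CAP_FSETID check in secpolicy_vnode_setids_setgids is now made against `cr->user_ns`, the caller's own namespace, where a namespace-root process normally holds the capability, so the added `kgid_has_mapping()` test is what actually confines the operation. That test covers only the target gid, whereas the kernel's helper for the same decision, `capable_wrt_inode_uidgid()`, also requires the inode's owner uid to be mapped, and this function never receives the owner. If the callers already guarantee the owner check (they are not visible in this hunk), record that above the mapping test, e.g. `/* CAP_FSETID is relative to cr->user_ns; the gid mapping test, plus the caller's owner check, is what restricts namespace root */`. Separately, `return priv_policy_ns(cr, capability, all, err, NULL);` in the first hunk omits the parentheses used by the other returns visible here, and the function comment above priv_policy_ns (it starts outside the hunk) does not mention that a NULL `ns` falls back to `capable()`.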
65 --
66 2.14.2
67