BugLink: https://bugs.launchpad.net/bugs/1849483
Currently shiftfs allows to exceed project quota and reserved space on
e.g. ext2. See [1] and especially [2] for a bug report. This is very
much not what we want. Quotas and reserverd space settings set on the
host need to respected. The cause for this issue is overriding the
credentials with the superblock creator's credentials whenever we
perform operations such as fallocate() or writes while retaining
CAP_SYS_RESOURCE.
The fix is to drop CAP_SYS_RESOURCE from the effective capability set
after we have made a copy of the superblock creator's credential at
superblock creation time. This very likely gives us more security than
we had before and the regression potential seems limited. I would like
to try this apporach first before coming up with something potentially
more sophisticated. I don't see why CAP_SYS_RESOURCE should become a
limiting factor in most use-cases.
[1]: https://github.com/lxc/lxd/issues/6333
[2]: https://github.com/lxc/lxd/issues/6333#issuecomment-
545154838
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Connor Kuehl <connor.kuehl@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
sb->s_flags |= SB_POSIXACL;
if (sbinfo->mark) {
+ struct cred *cred_tmp;
struct super_block *lower_sb = path.mnt->mnt_sb;
/* to mark a mount point, must root wrt lower s_user_ns */
sbinfo->passthrough_mark = sbinfo->passthrough;
}
- sbinfo->creator_cred = prepare_creds();
- if (!sbinfo->creator_cred) {
+ cred_tmp = prepare_creds();
+ if (!cred_tmp) {
err = -ENOMEM;
goto out_put_path;
}
+ /* Don't override disk quota limits or use reserved space. */
+ cap_lower(cred_tmp->cap_effective, CAP_SYS_RESOURCE);
+ sbinfo->creator_cred = cred_tmp;
} else {
/*
* This leg executes if we're admin capable in the namespace,