UBUNTU: SAUCE: (namespace) fuse: Restrict allow_other to the superblock's namespace...

Unprivileged users are normally restricted from mounting with the
allow_other option by system policy, but this could be bypassed
for a mount done with user namespace root permissions. In such
cases allow_other should not allow users outside the userns
to access the mount as doing so would give the unprivileged user
the ability to manipulate processes it would otherwise be unable
to manipulate. Restrict allow_other to apply to users in the same
userns used at mount or a descendant of that namespace. Also
export current_in_userns() for use by fuse when built as a
module.

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Acked-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index ca1fef1f4892d3ebb1d7d154e10ed22f4fd2f6d8..8c4d3a48d77d23c8e913d5f4e47412693b2493d7 100644 (file)
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1034,7 +1034,7 @@ int fuse_allow_current_process(struct fuse_conn *fc)
        const struct cred *cred;
 
        if (fc->allow_other)
-               return 1;
+               return current_in_userns(fc->user_ns);
 
        cred = current_cred();
        if (uid_eq(cred->euid, fc->user_id) &&

diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 9708927ffa18c01dba55a90b4ea2c67e7a4b36ae..4eacf186f5bc0aade02389521b5d6429e4dba03a 100644 (file)
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -1004,6 +1004,7 @@ bool current_in_userns(const struct user_namespace *target_ns)
        }
        return false;
 }
+EXPORT_SYMBOL(current_in_userns);
 
 static inline struct user_namespace *to_user_ns(struct ns_common *ns)
 {