]> git.proxmox.com Git - mirror_zfs.git/commit
projects / mirror_zfs.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c17922b) | patch
Take user namespaces into account in policy checks
authorWolfgang Bumiller <Blub@users.noreply.github.com>
Wed, 7 Mar 2018 23:40:42 +0000 (00:40 +0100)
committerTony Hutter <hutter2@llnl.gov>
Wed, 14 Mar 2018 23:10:38 +0000 (16:10 -0700)
commit3808006edfc46b18f0a40a2e9df54c6567bf52cc
tree605297a815eeec6c1c8519e97e7276a4ebd678c3tree
parentc17922b8a9db00ad7e7d59a5ff975b2a1edcf887commit | diff
Take user namespaces into account in policy checks

Change file related checks to use user namespaces and make
sure involved uids/gids are mappable in the current
namespace.

Note that checks without file ownership information will
still not take user namespaces into account, as some of
these should be handled via 'zfs allow' (otherwise root in a
user namespace could issue commands such as `zpool export`).

This also adds an initial user namespace regression test
for the setgid bit loss, with a user_ns_exec helper usable
in further tests.

Additionally, configure checks for the required user
namespace related features are added for:
  * ns_capable
  * kuid/kgid_has_mapping()
  * user_ns in cred_t

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Closes #6800
Closes #7270
17 files changed:
config/kernel-userns-capabilities.m4 [new file with mode: 0644] blob
config/kernel.m4 diff | blob | blame | history
configure.ac diff | blob | blame | history
module/zfs/policy.c diff | blob | blame | history
tests/runfiles/linux.run diff | blob | blame | history
tests/zfs-tests/cmd/Makefile.am diff | blob | blame | history
tests/zfs-tests/cmd/user_ns_exec/.gitignore [new file with mode: 0644] blob
tests/zfs-tests/cmd/user_ns_exec/Makefile.am [new file with mode: 0644] blob
tests/zfs-tests/cmd/user_ns_exec/user_ns_exec.c [new file with mode: 0644] blob
tests/zfs-tests/include/commands.cfg diff | blob | blame | history
tests/zfs-tests/tests/functional/Makefile.am diff | blob | blame | history
tests/zfs-tests/tests/functional/user_namespace/Makefile.am [new file with mode: 0644] blob
tests/zfs-tests/tests/functional/user_namespace/cleanup.ksh [new file with mode: 0755] blob
tests/zfs-tests/tests/functional/user_namespace/setup.ksh [new file with mode: 0755] blob
tests/zfs-tests/tests/functional/user_namespace/user_namespace.cfg [new file with mode: 0644] blob
tests/zfs-tests/tests/functional/user_namespace/user_namespace_001.ksh [new file with mode: 0755] blob
tests/zfs-tests/tests/functional/user_namespace/user_namespace_common.kshlib [new file with mode: 0644] blob
ZFS On Linux mirror for PVE