Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

user namespace bugfixes and features #6865

Closed
wants to merge 8 commits into from
Closed

user namespace bugfixes and features #6865

Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
5a3a6e8
Take user namespaces into account in policy checks
Blub Oct 31, 2017
d945593
Add user_ns_exec helper for the test suite
Blub Nov 3, 2017
93d641c
Add regression test for user namespaces.
Blub Nov 3, 2017
35accc8
Support mounting from user namespaces
Blub Nov 6, 2017
c0781ed
Support numeric ids in zfs allow
Blub Nov 6, 2017
f8e6711
Add tests for mounting in user namespaces
Blub Nov 14, 2017
6644317
User namespace support for ZFS_IOC_GET/SET_FSACL
Blub Nov 7, 2017
c82eda6
Honor user namespace privileges with zfs unallow
Blub Nov 7, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 35 additions & 8 deletions module/zfs/policy.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,19 +42,32 @@
* all other cases this function must fail and return the passed err.
*/
static int
priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
struct user_namespace *ns)
{
ASSERT3S(all, ==, B_FALSE);

if (cr != CRED() && (cr != kcred))
return (err);

if (!capable(capability))
if (!(ns ? ns_capable(ns, capability) : capable(capability)))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's going to need to be some compatibility code added for older kernels which don't have ns_capable or a cr->user_ns. In which case this functionally needs to be automatically disabled.

http://build.zfsonlinux.org/builders/CentOS%206%20x86_64%20%28BUILD%29/builds/1581/steps/shell_3/logs/make

return (err);

return (0);
}

static int
priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
{
return (priv_policy_ns(cr, capability, all, err, NULL));
}

static int
priv_policy_user(const cred_t *cr, int capability, boolean_t all, int err)
{
return (priv_policy_ns(cr, capability, all, err, cr->user_ns));
}

/*
* Checks for operations that are either client-only or are used by
* both clients and servers.
Expand Down Expand Up @@ -102,10 +115,13 @@ secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)
if (zpl_inode_owner_or_capable(ip))
return (0);

if (priv_policy(cr, CAP_DAC_OVERRIDE, B_FALSE, EPERM) == 0)
if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
return (EPERM);

if (priv_policy_user(cr, CAP_DAC_OVERRIDE, B_FALSE, EPERM) == 0)
return (0);

if (priv_policy(cr, CAP_DAC_READ_SEARCH, B_FALSE, EPERM) == 0)
if (priv_policy_user(cr, CAP_DAC_READ_SEARCH, B_FALSE, EPERM) == 0)
return (0);

return (EPERM);
Expand All @@ -120,7 +136,10 @@ secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
if (crgetfsuid(cr) == owner)
return (0);

return (priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM));
if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
return (EPERM);

return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
}

/*
Expand Down Expand Up @@ -152,7 +171,10 @@ secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
if (crgetfsuid(cr) == owner)
return (0);

return (priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM));
if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
return (EPERM);

return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
}

/*
Expand All @@ -175,8 +197,10 @@ secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
int
secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
{
if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
return (EPERM);
if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));

return (0);
}
Expand Down Expand Up @@ -222,7 +246,10 @@ secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
if (crgetfsuid(cr) == owner)
return (0);

return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
return (EPERM);

return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
}

/*
Expand Down