This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: verification-needed-eoan

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1872094

Title:
  shiftfs: broken shiftfs nesting

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Eoan:
  Fix Committed
Status in linux source package in Focal:
  Fix Committed

Bug description:
  SRU Justification

  Impact: When nested containers use shiftfs and they have different id mappings, the nested container lacks privileges to create any files in its root filesystem unless the directory in question is very permissive. This prevents nested containers from being usable.

  Here is a reproducer as given by Stéphane:

  Reproducer:
  - lxc init images:ubuntu/bionic b1 -c security.nesting=true
  - Confirm b1 uses shiftfs and uses the default map
    root@b1:~# cat /proc/self/uid_map
    0 1000000 1000000000
    root@b1:~# grep shiftfs /proc/self/mountinfo
    3702 2266 0:92 / / rw,relatime - shiftfs /var/lib/lxd/storage-pools/default/containers/b1/rootfs rw,passthrough=3
  - Install LXD snap in there
  - snap set lxd shiftfs.enable=true
  - systemctl reload snap.lxd.daemon
  - lxd init --auto
  - lxc launch images:alpine/edge a1
  - Confirm that a1 uses a different map than b1
  - Confirm that a1 uses shiftfs
  - touch /etc/a should fail with EACCES

  Fix: Instead of recording the credentials of the process that created the innermost shiftfs mount, we need to record the credentials of the lower's creator of the first shiftfs mark mount, since we always refer back to the lower mount to get around vfs layering restrictions.

  Regression Potential: Limited to shiftfs.

  Test Case: Built a kernel with the mentioned fix and ran the reproducer. The issue was not reproducible.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1872094/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
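The two "confirm" steps of the reproducer above (that a container's root is a shiftfs mount, and that the nested container a1 has a different id mapping than b1) are easy to get wrong by eye, so here is a small set of POSIX sh helpers that parse /proc/self/uid_map and /proc/self/mountinfo text and answer those questions. This is an added example, not code from the bug report, LXD or the kernel patch. It embeds the uid_map and mountinfo lines quoted in the bug for b1; the uid_map for a1 and the ext4 mountinfo line are constructed for illustration, and nested_in assumes both maps are expressed relative to the same ancestor user namespace.

```shell
#!/bin/sh
# Added example (not from the bug report): helpers for the reproducer's
# "confirm b1 uses shiftfs" and "confirm a1 uses a different map than b1"
# steps, operating on the text of /proc/self/uid_map and /proc/self/mountinfo.
# Run inside a container as e.g.:
#   uses_shiftfs "$(cat /proc/self/mountinfo)" && echo "root is shiftfs"

# uid_map for b1 exactly as quoted in the bug (ns uid, parent uid, length).
B1_UID_MAP="0 1000000 1000000000"
# Assumed uid_map for the nested container a1 (constructed, not from the bug):
# a narrower range carved out of b1's range.
A1_UID_MAP="0 1001000 65536"

# mountinfo line for b1's root mount as quoted in the bug.
B1_MOUNTINFO="3702 2266 0:92 / / rw,relatime - shiftfs /var/lib/lxd/storage-pools/default/containers/b1/rootfs rw,passthrough=3"
# Constructed mountinfo line for a container whose root is plain ext4.
PLAIN_MOUNTINFO="100 50 8:1 / / rw,relatime - ext4 /dev/sda1 rw"

# root_fstype MOUNTINFO_TEXT
# Print the filesystem type of the mount whose mount point (field 5) is "/".
# mountinfo fields: id, parent, major:minor, root, mount point, options,
# optional fields..., "-", fstype, source, super options.  The fs type is the
# field right after the "-" separator, so scan for it instead of assuming a
# fixed column (optional fields such as "shared:N" may be present).
root_fstype() {
    printf '%s\n' "$1" | awk '$5 == "/" {
        for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 1); exit }
    }'
}

# uses_shiftfs MOUNTINFO_TEXT: succeed if the root mount is shiftfs.
uses_shiftfs() {
    [ "$(root_fstype "$1")" = "shiftfs" ]
}

# map_host_range UID_MAP_TEXT
# Print "start end" of the parent-namespace range that in-container uid 0 maps
# to, i.e. where this container's root lands in the parent namespace.
map_host_range() {
    printf '%s\n' "$1" | awk '$1 == 0 { print $2, $2 + $3 - 1; exit }'
}

# same_idmap MAP_A MAP_B: succeed if both uid_maps map uid 0 to the same range.
same_idmap() {
    [ "$(map_host_range "$1")" = "$(map_host_range "$2")" ]
}

# nested_in MAP_OUTER MAP_INNER
# Succeed if the inner container's range lies inside the outer one's: a nested
# container with a different, narrower map, which is the situation the bug
# describes.  Assumes both maps are relative to the same ancestor namespace.
nested_in() {
    set -- "$(map_host_range "$1")" "$(map_host_range "$2")"
    outer_start=${1% *}; outer_end=${1#* }
    inner_start=${2% *}; inner_end=${2#* }
    [ "$inner_start" -ge "$outer_start" ] && [ "$inner_end" -le "$outer_end" ]
}
```

With the embedded samples, uses_shiftfs succeeds for b1's mountinfo line and fails for the ext4 one, same_idmap reports that the assumed a1 map differs from b1's, and nested_in confirms a1's range sits inside b1's; the same calls can be pointed at the live /proc files from inside b1 and a1 when running the reproducer.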