Re: [Devel] [PATCH rh7 1/3] vfs: fix fallocate(FALLOC_FL_CONVERT_AND_EXTEND)

2016-03-10 Thread Dmitry Monakhov
Maxim Patlasov writes: > Modern vfs_fallocate() checks flags for sanity. To avoid EOPNOTSUPP error, > we have to list FALLOC_FL_CONVERT_AND_EXTEND among other valid flags. Also, > to keep checks uniform, the patch also enforces exclusiveness of the flag. Ack-by: dmonak...@openvz.org > > https://j

Re: [Devel] [PATCH rh7 2/3] ext4: rework fallocate(FALLOC_FL_CONVERT_AND_EXTEND)

2016-03-10 Thread Dmitry Monakhov
Maxim Patlasov writes: > Since Oct 9 2014 (commit 671ddaaab74a8495a549fccae49eb4305c11e5d2), ploop has > not used FALLOC_FL_KEEP_SIZE. This means that the part of > fallocate(FALLOC_FL_CONVERT_AND_EXTEND) extending i_size is redundant now. > Hence, we can use existing (and well tested) ext4_conve

Re: [Devel] [PATCH rh7 3/3] ext4: rename fallocate(FALLOC_FL_CONVERT_AND_EXTEND)

2016-03-10 Thread Dmitry Monakhov
Maxim Patlasov writes: > The feature doesn't extend i_size anymore. Let's rename it properly: > > s/convert_and_extend/convert_unwritten > s/CONVERT_AND_EXTEND/CONVERT_UNWRITTEN > > https://jira.sw.ru/browse/PSBM-22381 Ack-by: dmonak...@openvz.org > > Signed-off-by: Maxim Patlasov > --- > fs/ex

[Devel] [PATCH RH7 03/22] fs: fix a possible leak of allocated superblock

2016-03-10 Thread Pavel Tikhomirov
Imagine a possible code path in sget_userns: we iterate in type->fs_supers and do not find a suitable sb, we drop sb_lock to allocate s and go to retry. After we dropped sb_lock some other task from a different userns takes sb_lock; it is already in the retry stage and has s allocated, so it puts its s in typ

[Devel] [PATCH RH7 04/22] ms/mnt: Only change user settable mount flags in remount

2016-03-10 Thread Pavel Tikhomirov
commit a6138db815df ("mnt: Only change user settable mount flags in remount") Kenton Varda discovered that by remounting a read-only bind mount read-only in a user namespace the MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user to remount a read-only mount read-write. Co

[Devel] [PATCH RH7 19/22] ms/fs: Add a missing permission check to do_umount

2016-03-10 Thread Pavel Tikhomirov
commit a1480dcc3c70 ("fs: Add a missing permission check to do_umount") Accessing do_remount_sb should require global CAP_SYS_ADMIN, but only one of the two call sites was appropriately protected. Fixes CVE-2014-7975. Signed-off-by: Andy Lutomirski Signed-off-by: Pavel Tikhomirov --- fs/names

[Devel] [PATCH RH7 21/22] port/capabilities: Allow privileged user in s_user_ns to set security.* xattrs

2016-03-10 Thread Pavel Tikhomirov
A privileged user in s_user_ns will generally have the ability to manipulate the backing store and insert security.* xattrs into the filesystem directly. Therefore the kernel must be prepared to handle these xattrs from unprivileged mounts, and it makes little sense for commoncap to prevent writing

[Devel] [PATCH RH7 01/22] ms/fs/super.c: fix WARN on alloc_super() fail path

2016-03-10 Thread Pavel Tikhomirov
commit b5bd856a0c2a ("fs/super.c: fix WARN on alloc_super() fail path") On fail path alloc_super() calls destroy_super(), which issues a warning if the sb's s_mounts list is not empty, in particular if it has not been initialized. That said s_mounts must be initialized in alloc_super() before any

[Devel] [PATCH RH7 18/22] port/fs: Don't remove suid for CAP_FSETID in s_user_ns

2016-03-10 Thread Pavel Tikhomirov
Expand the check in should_remove_suid() to keep privileges for CAP_FSETID in s_user_ns rather than init_user_ns. Signed-off-by: Seth Forshee Acked-by: Serge Hallyn Signed-off-by: Pavel Tikhomirov --- fs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/inode.c b

[Devel] [PATCH RH7 09/22] port/block_dev: Support checking inode permissions in lookup_bdev()

2016-03-10 Thread Pavel Tikhomirov
When looking up a block device by path no permission check is done to verify that the user has access to the block device inode at the specified path. In some cases it may be necessary to check permissions towards the inode, such as allowing unprivileged users to mount block devices in user namespa

[Devel] [PATCH RH7 00/22] Port: user namespace owned mounts

2016-03-10 Thread Pavel Tikhomirov
We need it as a secure way to provide privileged access to mounts in containers, for instance setting the suid bit or the security.capability xattr, or allowing remount in a CT. Those patches are not all in MS now, but actually the "[PATCH v4 0/7] Initial support for user namespace owned mounts" patch series is partia

[Devel] [PATCH RH7 06/22] ms/mnt: Correct permission checks in do_remount

2016-03-10 Thread Pavel Tikhomirov
commit 9566d6742852 ("mnt: Correct permission checks in do_remount") While investigating the issue where in "mount --bind -oremount,ro ..." would result in later "mount --bind -oremount,rw" succeeding even if the mount started off locked I realized that there are several additional mount flags that

[Devel] [PATCH RH7 12/22] fs: remove excess check for in_userns

2016-03-10 Thread Pavel Tikhomirov
Signed-off-by: Pavel Tikhomirov --- security/commoncap.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index ca0c04ae..82f930c 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -445,8 +445,6 @@ static int get_file_caps(struct linux_
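Review bot: the commit message has no body, so the two-line removal at @@ -445,8 +445,6 @@ in get_file_caps() leaves no record of why the in_userns check there is "excess"; a removal in the file-capability path should state which earlier patch of the series makes it redundant (08/22, which limits file caps to the superblock's user namespace, and 13/22, which replaces in_userns with current_in_userns, are the ones the subject lines point at), so that a later reader of the log does not have to reconstruct it.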

[Devel] [PATCH RH7 05/22] ms/mnt: Move the test for MNT_LOCK_READONLY from change_mount_flags into do_remount

2016-03-10 Thread Pavel Tikhomirov
commit 07b645589dcd ("mnt: Move the test for MNT_LOCK_READONLY from change_mount_flags into do_remount") There are no races as locked mount flags are guaranteed to never change. Moving the test into do_remount makes it more visible, and ensures all filesystem remounts pass the MNT_LOCK_READONLY
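As an added illustration of the remount problem that 04/22, 05/22 and 06/22 close, the following userspace C model is not code from the OpenVZ kernel or from the upstream commits; the flag bit values, the struct mount with a single mnt_flags word, MNT_USER_SETTABLE_MASK and the two do_remount variants are assumptions made for the model. It plays through Kenton Varda's case from 04/22: a bind mount locked read-only in a user namespace is remounted read-only, then read-write, first with the old flag handling and then with the fixed one, where the locked-flag test sits in do_remount and covers nodev, nosuid and noexec as well.

```c
/*
 * Userspace model (not kernel code) of the locked-mount-flag handling from
 * patches 04/22, 05/22 and 06/22.  Bit values, MNT_USER_SETTABLE_MASK and the
 * two do_remount variants are constructed for this model.
 */
#include <errno.h>

/* Flags a user may set on a remount. */
#define MNT_READONLY        (1u << 0)
#define MNT_NODEV           (1u << 1)
#define MNT_NOSUID          (1u << 2)
#define MNT_NOEXEC          (1u << 3)
/* Lock bits: set by the kernel when a mount is propagated into a user
 * namespace whose owner may not undo the corresponding restriction. */
#define MNT_LOCK_READONLY   (1u << 8)
#define MNT_LOCK_NODEV      (1u << 9)
#define MNT_LOCK_NOSUID     (1u << 10)
#define MNT_LOCK_NOEXEC     (1u << 11)

#define MNT_USER_SETTABLE_MASK \
    (MNT_READONLY | MNT_NODEV | MNT_NOSUID | MNT_NOEXEC)

struct mount { unsigned int mnt_flags; };

/* Pre-04/22 behaviour: the flag word supplied by the remount replaces the
 * whole mnt_flags word, so LOCK bits (which the caller never passes) are
 * silently cleared by any remount, even "remount,ro" on a read-only mount. */
static int do_remount_old(struct mount *mnt, unsigned int mnt_flags)
{
    mnt->mnt_flags = mnt_flags;
    return 0;
}

/* Locked-flag test (05/22 and 06/22): each lock bit forbids clearing its
 * restriction, and the test is done once, in do_remount, for every flag. */
static int check_locked_flags(unsigned int old_flags, unsigned int new_flags)
{
    static const struct { unsigned int lock, restriction; } locks[] = {
        { MNT_LOCK_READONLY, MNT_READONLY },
        { MNT_LOCK_NODEV,    MNT_NODEV },
        { MNT_LOCK_NOSUID,   MNT_NOSUID },
        { MNT_LOCK_NOEXEC,   MNT_NOEXEC },
    };
    for (unsigned int i = 0; i < sizeof locks / sizeof locks[0]; i++) {
        if ((old_flags & locks[i].lock) && !(new_flags & locks[i].restriction))
            return -EPERM;
    }
    return 0;
}

/* Post-04/22 behaviour: only user-settable bits are taken from the caller;
 * everything else, LOCK bits included, is carried over from the mount. */
static int do_remount_fixed(struct mount *mnt, unsigned int mnt_flags)
{
    unsigned int new_flags = (mnt_flags & MNT_USER_SETTABLE_MASK) |
                             (mnt->mnt_flags & ~MNT_USER_SETTABLE_MASK);
    int err = check_locked_flags(mnt->mnt_flags, new_flags);
    if (err)
        return err;
    mnt->mnt_flags = new_flags;
    return 0;
}

/* Kenton Varda's scenario: a bind mount that is read-only and locked
 * read-only in the user namespace; the unprivileged owner first does
 * "mount --bind -o remount,ro", then "mount --bind -o remount,rw". */
static int remount_ro_then_rw(int (*do_remount)(struct mount *, unsigned int),
                              unsigned int *final_flags)
{
    struct mount mnt = { MNT_READONLY | MNT_LOCK_READONLY };
    int err = do_remount(&mnt, MNT_READONLY);   /* remount,ro */
    if (err)
        return err;
    err = do_remount(&mnt, 0);                  /* remount,rw */
    *final_flags = mnt.mnt_flags;
    return err;
}

/* Returns 0: the read-write remount slipped through, lock bit gone. */
static int old_kernel_result(unsigned int *flags)
{
    return remount_ro_then_rw(do_remount_old, flags);
}

/* Returns -EPERM: the lock survived the first remount and blocks the second. */
static int fixed_kernel_result(unsigned int *flags)
{
    return remount_ro_then_rw(do_remount_fixed, flags);
}
```

The carry-over of non-user-settable bits and the locked-flag test are deliberately separate steps: the first is what 04/22 adds so that a remount cannot drop a lock it never named, the second is what 05/22 and 06/22 make uniform so that every remount path, not only the read-only one, is refused when it would relax a locked restriction.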

[Devel] [PATCH RH7 07/22] ebiederm/userns: Simpilify MNT_NODEV handling.

2016-03-10 Thread Pavel Tikhomirov
changes: we do not have fs_fully_visible so skip its hunk (we do not inherit flags so we do not need to cut them), also skip hunk in do_remount. git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-testing commit 4aceccd65a57 ("userns: Simpilify MNT_NODEV handling.") - C

[Devel] [PATCH RH7 22/22] draft/ext4: add option to set userns of superblock

2016-03-10 Thread Pavel Tikhomirov
* this one is TEMPORARY and for testing only, as changing the userns of a sb is not safe! We need it as NOW the ploop device for a VZCT can be mounted long before the container userns is created, so we can't be satisfied with just setting the userns on sb creation; we need to change it later. Show userns inum of

[Devel] [PATCH RH7 08/22] ebiederm/fs: Limit file caps to the user namespace of the super block

2016-03-10 Thread Pavel Tikhomirov
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-testing commit a8c473e95079 ("fs: Limit file caps to the user namespace of the super block") Capability sets attached to files must be ignored except in the user namespaces where the mounter is privileged, i.e. s_user_

[Devel] [PATCH RH7 02/22] ebiederm/fs: Add user namesapace member to struct super_block

2016-03-10 Thread Pavel Tikhomirov
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-testing commit b2bc2ff70dca ("fs: Add user namesapace member to struct super_block") Initially this will be used to eliminate the implicit MNT_NODEV flag for mounts from user namespaces. In the future it will also be us

[Devel] [PATCH RH7 14/22] port/fs: Check for invalid i_uid in may_follow_link()

2016-03-10 Thread Pavel Tikhomirov
Filesystem uids which don't map into a user namespace may result in inode->i_uid being INVALID_UID. A symlink and its parent could have different owners in the filesystem but both get mapped to INVALID_UID, which may result in following a symlink when this would not have otherwise been permitted wh

[Devel] [PATCH RH7 17/22] port/fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-10 Thread Pavel Tikhomirov
The mounter of a filesystem should be privileged towards the inodes of that filesystem. Extend the checks in inode_owner_or_capable() and capable_wrt_inode_uidgid() to permit access by users privileged in the user namespace of the inode's superblock. Signed-off-by: Seth Forshee Acked-by: Serge Ha

[Devel] [PATCH RH7 11/22] port/fs: Treat foreign mounts as nosuid

2016-03-10 Thread Pavel Tikhomirov
change: move hunk for check_nnp_nosuid to selinux_bprm_set_creds If a process gets access to a mount from a different user namespace, that process should not be able to take advantage of setuid files or selinux entrypoints from that filesystem. Prevent this by treating mounts from other mount nam

[Devel] [PATCH RH7 16/22] port/fs: Refuse uid/gid changes which don't map into s_user_ns

2016-03-10 Thread Pavel Tikhomirov
Add checks to inode_change_ok to verify that uid and gid changes will map into the superblock's user namespace. If they do not, fail with -EOVERFLOW. This cannot be overridden with ATTR_FORCE. Signed-off-by: Seth Forshee Acked-by: Serge Hallyn Signed-off-by: Pavel Tikhomirov --- fs/attr.c | 11 +

[Devel] [PATCH RH7 20/22] port/fs: Allow superblock owner to access do_remount_sb()

2016-03-10 Thread Pavel Tikhomirov
changes: we had ve_capable instead of capable in do_remount Superblock level remounts are currently restricted to global CAP_SYS_ADMIN, as is the path for changing the root mount to read only on umount. Loosen both of these permission checks to also allow CAP_SYS_ADMIN in any namespace which is pr

[Devel] [PATCH RH7 15/22] port/cred: Reject inodes with invalid ids in set_create_file_as()

2016-03-10 Thread Pavel Tikhomirov
Using INVALID_[UG]ID for the LSM file creation context doesn't make sense, so return an error if the inode passed to set_create_file_as() has an invalid id. Signed-off-by: Seth Forshee Acked-by: Serge Hallyn Signed-off-by: Pavel Tikhomirov --- kernel/cred.c | 2 ++ 1 file changed, 2 insertions
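An added userspace C model of the id-mapping checks that 14/22, 15/22 and 16/22 rely on; it is not code from the OpenVZ kernel or from the upstream patches. Assumed for the model: a user namespace is a list of uid_map-style extents, kernel ids are plain uint32_t, INVALID_ID stands in for INVALID_UID/INVALID_GID, and the container mapping and the on-disk owners are constructed. It shows how two different on-disk owners outside the superblock's mapping both collapse to INVALID_ID, why the old protected_symlinks owner comparison then lets the follow through while the 14/22 form refuses it, and how the 16/22 check turns a chown to an unmappable id into -EOVERFLOW.

```c
/*
 * Userspace model (not kernel code) of user-namespace id mapping and the
 * s_user_ns checks from patches 14/22, 15/22 and 16/22.  Extents, the
 * INVALID_ID stand-in and the sample mapping below are constructed.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define INVALID_ID UINT32_MAX   /* stand-in for INVALID_UID / INVALID_GID */

/* One uid_map line: ids [first, first+count) in the namespace map to
 * kernel ids [lower_first, lower_first+count). */
struct idmap_extent { uint32_t first, lower_first, count; };

struct user_ns {
    const struct idmap_extent *map;
    size_t nr;
};

/* Namespace id -> kernel id (kernel make_kuid()); INVALID_ID if unmapped.
 * This is the translation applied to on-disk owners through s_user_ns. */
static uint32_t make_kid(const struct user_ns *ns, uint32_t id)
{
    for (size_t i = 0; i < ns->nr; i++) {
        const struct idmap_extent *e = &ns->map[i];
        if (id >= e->first && id - e->first < e->count)
            return e->lower_first + (id - e->first);
    }
    return INVALID_ID;
}

/* Kernel id -> namespace id (kernel from_kuid()); INVALID_ID if unmapped. */
static uint32_t from_kid(const struct user_ns *ns, uint32_t kid)
{
    for (size_t i = 0; i < ns->nr; i++) {
        const struct idmap_extent *e = &ns->map[i];
        if (kid >= e->lower_first && kid - e->lower_first < e->count)
            return e->first + (kid - e->lower_first);
    }
    return INVALID_ID;
}

static bool kid_has_mapping(const struct user_ns *ns, uint32_t kid)
{
    return from_kid(ns, kid) != INVALID_ID;
}

/* 16/22: a chown/chgrp on a filesystem owned by s_user_ns is refused with
 * -EOVERFLOW when the target ids cannot be represented in that namespace;
 * the caller's privilege (ATTR_FORCE) does not override it. */
static int check_chown(const struct user_ns *s_user_ns, uint32_t new_kuid,
                       uint32_t new_kgid)
{
    if (!kid_has_mapping(s_user_ns, new_kuid) ||
        !kid_has_mapping(s_user_ns, new_kgid))
        return -EOVERFLOW;
    return 0;
}

/* 14/22: the protected_symlinks "parent and link owner match" test.  Two
 * different unmapped on-disk owners both become INVALID_ID, so a plain
 * equality test treats them as the same owner and allows the follow; the
 * fixed test refuses to match an invalid link owner at all. */
static bool owners_match_old(uint32_t link_kuid, uint32_t parent_kuid)
{
    return link_kuid == parent_kuid;
}

static bool owners_match_fixed(uint32_t link_kuid, uint32_t parent_kuid)
{
    return link_kuid != INVALID_ID && link_kuid == parent_kuid;
}

/* Constructed scenario: the superblock's namespace maps only container ids
 * 0..999 onto kernel ids 100000..100999; the symlink is owned by on-disk
 * uid 5000 and its sticky, world-writable parent by uid 6000. */
static const struct idmap_extent ct_map[] = { { 0, 100000, 1000 } };
static const struct user_ns ct_ns = { ct_map, 1 };

static bool unfixed_follow_allowed(void)
{
    uint32_t link_owner = make_kid(&ct_ns, 5000);    /* INVALID_ID */
    uint32_t parent_owner = make_kid(&ct_ns, 6000);  /* INVALID_ID */
    return owners_match_old(link_owner, parent_owner);
}

static bool fixed_follow_allowed(void)
{
    uint32_t link_owner = make_kid(&ct_ns, 5000);
    uint32_t parent_owner = make_kid(&ct_ns, 6000);
    return owners_match_fixed(link_owner, parent_owner);
}
```

The same translation is what makes 15/22 necessary: an inode whose owner came out of make_kid() as INVALID_ID carries no identity that an LSM file-creation context could sensibly inherit, so the caller has to be told rather than handed an invalid id.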

[Devel] [PATCH RH7 10/22] port/block_dev: Check permissions towards block device inode when mounting

2016-03-10 Thread Pavel Tikhomirov
Unprivileged users should not be able to mount block devices when they lack sufficient privileges towards the block device inode. Update blkdev_get_by_path() to validate that the user has the required access to the inode at the specified path. The check will be skipped for CAP_SYS_ADMIN, so privile

[Devel] [PATCH RH7 13/22] port/userns: Replace in_userns with current_in_userns

2016-03-10 Thread Pavel Tikhomirov
All current callers of in_userns pass current_user_ns as the first argument. Simplify by replacing in_userns with current_in_userns which checks whether current_user_ns is in the namespace supplied as an argument. Signed-off-by: Seth Forshee Acked-by: James Morris Acked-by: Serge Hallyn Signed-