Message ID | 20180622214359.17903-1-seth.forshee@canonical.com
---|---
Series | Backport namespaced fscap support to xenial
On 06/22/18 23:43, Seth Forshee wrote:
> BugLink: http://bugs.launchpad.net/bugs/1778286
>
> == SRU Justification ==
>
> Impact: Support for using filesystem capabilities in unprivileged user
> namespaces was added upstream in Linux 4.14. This is a useful feature
> that allows unprivileged containers to set fscaps that are valid only in
> user namespaces where a specific kuid is mapped to root. This allows for
> e.g. support for Linux distros within lxd which make use of filesystem
> capabilities.
>
> Fix: Backport upstream commit 8db6c34f1dbc "Introduce v3 namespaced file
> capabilities" and any subsequent fixes to xenial 4.4.
>
> Test Case: Test use of fscaps within a lxd container.
>
> Regression Potential: This has been upstream since 4.14 (and thus is
> present in bionic), and the backport to xenial 4.4 was straightforward,
> so regression potential is low.
>
> Thanks,
> Seth
>
>
> Colin Ian King (1):
>   commoncap: move assignment of fs_ns to avoid null pointer dereference
>
> Eric Biggers (1):
>   capabilities: fix buffer overread on very short xattr
>
> Serge E. Hallyn (1):
>   Introduce v3 namespaced file capabilities
>
> Tetsuo Handa (1):
>   commoncap: Handle memory allocation failure.
>
>  fs/xattr.c                      |   6 +
>  include/linux/capability.h      |   2 +
>  include/linux/security.h        |   2 +
>  include/uapi/linux/capability.h |  22 ++-
>  security/commoncap.c            | 270 +++++++++++++++++++++++++++++---
>  5 files changed, 280 insertions(+), 22 deletions(-)
>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
On 22.06.2018 23:43, Seth Forshee wrote:
> BugLink: http://bugs.launchpad.net/bugs/1778286
>
> == SRU Justification ==
>
> Impact: Support for using filesystem capabilities in unprivileged user
> namespaces was added upstream in Linux 4.14. This is a useful feature
> that allows unprivileged containers to set fscaps that are valid only in
> user namespaces where a specific kuid is mapped to root. This allows for
> e.g. support for Linux distros within lxd which make use of filesystem
> capabilities.
>
> Fix: Backport upstream commit 8db6c34f1dbc "Introduce v3 namespaced file
> capabilities" and any subsequent fixes to xenial 4.4.
>
> Test Case: Test use of fscaps within a lxd container.
>
> Regression Potential: This has been upstream since 4.14 (and thus is
> present in bionic), and the backport to xenial 4.4 was straightforward,
> so regression potential is low.
>
> Thanks,
> Seth
>
>
> Colin Ian King (1):
>   commoncap: move assignment of fs_ns to avoid null pointer dereference
>
> Eric Biggers (1):
>   capabilities: fix buffer overread on very short xattr
>
> Serge E. Hallyn (1):
>   Introduce v3 namespaced file capabilities
>
> Tetsuo Handa (1):
>   commoncap: Handle memory allocation failure.
>
>  fs/xattr.c                      |   6 +
>  include/linux/capability.h      |   2 +
>  include/linux/security.h        |   2 +
>  include/uapi/linux/capability.h |  22 ++-
>  security/commoncap.c            | 270 +++++++++++++++++++++++++++++---
>  5 files changed, 280 insertions(+), 22 deletions(-)
>

Acked-by: Stefan Bader <stefan.bader@canonical.com>
On 06/22/18 23:43, Seth Forshee wrote:
> BugLink: http://bugs.launchpad.net/bugs/1778286
>
> == SRU Justification ==
>
> Impact: Support for using filesystem capabilities in unprivileged user
> namespaces was added upstream in Linux 4.14. This is a useful feature
> that allows unprivileged containers to set fscaps that are valid only in
> user namespaces where a specific kuid is mapped to root. This allows for
> e.g. support for Linux distros within lxd which make use of filesystem
> capabilities.
>
> Fix: Backport upstream commit 8db6c34f1dbc "Introduce v3 namespaced file
> capabilities" and any subsequent fixes to xenial 4.4.
>
> Test Case: Test use of fscaps within a lxd container.
>
> Regression Potential: This has been upstream since 4.14 (and thus is
> present in bionic), and the backport to xenial 4.4 was straightforward,
> so regression potential is low.
>
> Thanks,
> Seth
>
>
> Colin Ian King (1):
>   commoncap: move assignment of fs_ns to avoid null pointer dereference
>
> Eric Biggers (1):
>   capabilities: fix buffer overread on very short xattr
>
> Serge E. Hallyn (1):
>   Introduce v3 namespaced file capabilities
>
> Tetsuo Handa (1):
>   commoncap: Handle memory allocation failure.
>
>  fs/xattr.c                      |   6 +
>  include/linux/capability.h      |   2 +
>  include/linux/security.h        |   2 +
>  include/uapi/linux/capability.h |  22 ++-
>  security/commoncap.c            | 270 +++++++++++++++++++++++++++++---
>  5 files changed, 280 insertions(+), 22 deletions(-)
>

Applied to xenial/master-next branch.

Thanks,
Kleber
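The cover letter describes the property that makes v3 fscaps safe for unprivileged containers: a capability stored by a container is valid only in user namespaces where the recorded kuid is mapped to root, so the same file carries no privilege on the host. The series also includes a fix for a buffer overread on a very short xattr. The following userspace parser, an added example that is not code from this series or from the kernel, shows both points on the on-disk `security.capability` layout (the struct layout and constants are those of `include/uapi/linux/capability.h`). It validates the length before reading any field, then applies a deliberately simplified model of the namespace check: the caller passes the list of kuids mapped to root in the task's user namespace and its ancestors (`root_kuids`, an assumption of this example, not the kernel's own lookup). The sample xattr bytes and the kuid 100000 are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On-disk layout of security.capability (values from uapi/linux/capability.h). */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_SHIFT  24
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001u
#define VFS_CAP_REVISION_1      0x01000000u   /* magic_etc + 1 x (permitted, inheritable) */
#define VFS_CAP_REVISION_2      0x02000000u   /* magic_etc + 2 x (permitted, inheritable) */
#define VFS_CAP_REVISION_3      0x03000000u   /* v2 layout + rootid */
#define XATTR_CAPS_SZ_1         12
#define XATTR_CAPS_SZ_2         20
#define XATTR_CAPS_SZ_3         24

struct parsed_fscap {
    uint32_t revision;
    int      effective;
    uint64_t permitted;
    uint64_t inheritable;
    uint32_t rootid;   /* v3 only; v1/v2 are treated as rootid 0 (initial namespace root) */
};

static uint32_t le32_at(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 if the xattr is malformed. The length is checked
 * before magic_etc is read, and again against the size the revision implies. */
int parse_fscap_xattr(const uint8_t *buf, size_t len, struct parsed_fscap *out)
{
    memset(out, 0, sizeof(*out));
    if (buf == NULL || len < sizeof(uint32_t))
        return -1;                         /* too short to hold magic_etc */
    uint32_t magic = le32_at(buf);
    uint32_t rev = magic & VFS_CAP_REVISION_MASK;
    size_t expected;
    switch (rev) {
    case VFS_CAP_REVISION_1: expected = XATTR_CAPS_SZ_1; break;
    case VFS_CAP_REVISION_2: expected = XATTR_CAPS_SZ_2; break;
    case VFS_CAP_REVISION_3: expected = XATTR_CAPS_SZ_3; break;
    default:                 return -1;    /* unknown revision */
    }
    if (len != expected)
        return -1;                         /* truncated or oversized for its revision */
    out->revision    = rev >> VFS_CAP_REVISION_SHIFT;
    out->effective   = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    out->permitted   = le32_at(buf + 4);
    out->inheritable = le32_at(buf + 8);
    if (rev != VFS_CAP_REVISION_1) {
        out->permitted   |= (uint64_t)le32_at(buf + 12) << 32;
        out->inheritable |= (uint64_t)le32_at(buf + 16) << 32;
    }
    if (rev == VFS_CAP_REVISION_3)
        out->rootid = le32_at(buf + 20);
    return 0;
}

/* Simplified model (assumption of this example): the cap applies when its rootid is
 * the kuid mapped to root in the task's user namespace or one of its ancestors.
 * root_kuids lists those kuids, innermost namespace first. */
int fscap_applies(const struct parsed_fscap *cap, const uint32_t *root_kuids, size_t n)
{
    uint32_t rootid = cap->revision == 3 ? cap->rootid : 0;
    for (size_t i = 0; i < n; i++)
        if (root_kuids[i] == rootid)
            return 1;
    return 0;
}

/* Parse and decide in one call: -1 malformed, 0 does not apply here, 1 applies. */
int fscap_check(const uint8_t *buf, size_t len, const uint32_t *root_kuids, size_t n,
                struct parsed_fscap *out)
{
    struct parsed_fscap local;
    struct parsed_fscap *cap = out ? out : &local;
    if (parse_fscap_xattr(buf, len, cap) != 0)
        return -1;
    return fscap_applies(cap, root_kuids, n);
}

/* Constructed sample: v3, effective bit set, permitted = bit 10 (CAP_NET_BIND_SERVICE),
 * rootid 100000, the kind of kuid lxd maps to root inside a container. */
static const uint8_t SAMPLE_V3[XATTR_CAPS_SZ_3] = {
    0x01, 0x00, 0x00, 0x03,   /* magic_etc: revision 3 | effective */
    0x00, 0x04, 0x00, 0x00,   /* permitted[0]   */
    0x00, 0x00, 0x00, 0x00,   /* inheritable[0] */
    0x00, 0x00, 0x00, 0x00,   /* permitted[1]   */
    0x00, 0x00, 0x00, 0x00,   /* inheritable[1] */
    0xa0, 0x86, 0x01, 0x00,   /* rootid = 100000 */
};
/* Constructed sample: the same capability as a classic v2 xattr (host root only). */
static const uint8_t SAMPLE_V2[XATTR_CAPS_SZ_2] = {
    0x01, 0x00, 0x00, 0x02,
    0x00, 0x04, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
};
static const uint32_t CONTAINER_CHAIN[] = { 100000, 0 };  /* container ns, then init ns */
static const uint32_t HOST_CHAIN[]      = { 0 };          /* task in the initial ns */

int main(void)
{
    struct parsed_fscap cap;
    int r = fscap_check(SAMPLE_V3, sizeof SAMPLE_V3, CONTAINER_CHAIN, 2, &cap);
    printf("v%u permitted=%#llx rootid=%u in container: %d\n", (unsigned)cap.revision,
           (unsigned long long)cap.permitted, (unsigned)cap.rootid, r);
    printf("same xattr seen from the host: %d\n",
           fscap_check(SAMPLE_V3, sizeof SAMPLE_V3, HOST_CHAIN, 1, NULL));
    printf("3-byte xattr: %d\n", fscap_check(SAMPLE_V3, 3, HOST_CHAIN, 1, NULL));
    return 0;
}
```

The two rejections in `parse_fscap_xattr` are the ones a reader of the "buffer overread on very short xattr" fix should look for in any consumer of this xattr: the value must be long enough to hold `magic_etc` before it is inspected, and the revision read from it must match the length actually present.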