[PULL,Xenial,SRU] Mount updates for snaps in lxd containers

Message ID 20161026193138.GA135603@ubuntu-hedt
State New

Pull-request

git://git.launchpad.net/~sforshee/+git/ubuntu-xenial lp1634964

Message

Seth Forshee Oct. 26, 2016, 7:31 p.m. UTC
BugLink: http://bugs.launchpad.net/bugs/1634964

In order for xenial to support snaps in lxd containers by default, fuse
mounts in user namespaces must also be enabled by default. These patches
harden the namespace mount support in xenial by updating it to match
yakkety, then they flip the fuse userns_mounts module parameter to be
enabled by default. Mostly this is done by reverting sauce patches in
xenial and replacing them with backports from yakkety or upstream.

This is quite a bit of churn; however, it brings us in line with what we
have in yakkety and closer to upstream (version 4.8 at least).

Thanks,
Seth

The following changes since commit ed40d9290a09cb0b998c300d0f52b6b408f8d490:

  UBUNTU: Ubuntu-4.4.0-46.67 (2016-10-20 08:10:00 -0500)

are available in the git repository at:

  git://git.launchpad.net/~sforshee/+git/ubuntu-xenial lp1634964

for you to fetch changes up to 742bfb82d4c7ed36b9e42624e1f134bb0d3884d7:

  UBUNTU: SAUCE: (namespace) fuse: Allow user namespace mounts by default (2016-10-21 12:01:56 -0500)

----------------------------------------------------------------
Eric W. Biederman (8):
      (namespace) mnt: Move the FS_USERNS_MOUNT check into sget_userns
      (namespace) vfs: Verify acls are valid within superblock's s_user_ns.
      (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs
      (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs
      (namespace) quota: Ensure qids map to the filesystem
      (namespace) quota: Handle quota data stored in s_user_ns in quota_setxquota
      (namespace) dquot: For now explicitly don't support filesystems outside of init_user_ns
      UBUNTU: SAUCE: (namespace) fs: Allow superblock owner to change ownership of inodes

Seth Forshee (13):
      (namespace) Revert "UBUNTU: SAUCE: fs: Refuse uid/gid changes which don't map into s_user_ns"
      (namespace) fs: Refuse uid/gid changes which don't map into s_user_ns
      (namespace) Revert "UBUNTU: SAUCE: fs: Update posix_acl support to handle user namespace mounts"
      UBUNTU: SAUCE: (namespace) posix_acl: Export posix_acl_fix_xattr_userns() to modules
      UBUNTU: SAUCE: (namespace) fuse: Translate ids in posix acl xattrs
      (namespace) Revert "UBUNTU: SAUCE: quota: Require that qids passed to dqget() be valid and map into s_user_ns"
      (namespace) Revert "UBUNTU: SAUCE: quota: Convert ids relative to s_user_ns"
      (namespace) Revert "UBUNTU: SAUCE: ima/evm: Allow root in s_user_ns to set xattrs"
      UBUNTU: SAUCE: (namespace) security/integrity: Harden against malformed xattrs
      (namespace) Revert "UBUNTU: SAUCE: fs: Allow superblock owner to change ownership of inodes with unmappable ids"
      (namespace) Revert "UBUNTU: SAUCE: fs: Don't remove suid for CAP_FSETID in s_user_ns"
      UBUNTU: SAUCE: (namespace) fs: Don't remove suid for CAP_FSETID for userns root
      UBUNTU: SAUCE: (namespace) fuse: Allow user namespace mounts by default

 drivers/staging/lustre/lustre/mdc/mdc_request.c |  2 +-
 fs/9p/acl.c                                     |  2 +-
 fs/attr.c                                       | 51 +++++++++----------
 fs/fuse/dir.c                                   | 30 +++++++++--
 fs/fuse/inode.c                                 |  2 +-
 fs/inode.c                                      | 12 ++++-
 fs/kernfs/inode.c                               |  2 -
 fs/namei.c                                      | 36 +++++++++++---
 fs/namespace.c                                  |  4 --
 fs/ocfs2/quota_global.c                         |  6 +--
 fs/posix_acl.c                                  | 61 ++++++++++-------------
 fs/proc/base.c                                  |  7 ++-
 fs/proc/generic.c                               |  6 ++-
 fs/proc/proc_sysctl.c                           |  7 ++-
 fs/quota/dquot.c                                | 12 +++--
 fs/quota/quota.c                                | 10 ++--
 fs/quota/quota_tree.c                           | 66 +++++++++----------------
 fs/quota/quota_v1.c                             | 13 +----
 fs/quota/quota_v2.c                             | 43 ++++++----------
 fs/super.c                                      |  4 ++
 fs/xattr.c                                      | 26 +++++-----
 include/linux/dqblk_qtree.h                     |  4 +-
 include/linux/fs.h                              |  5 ++
 include/linux/posix_acl.h                       |  2 +-
 include/linux/posix_acl_xattr.h                 | 24 ++++-----
 include/linux/quota.h                           | 10 ++++
 security/integrity/digsig.c                     |  2 +-
 security/integrity/evm/evm_main.c               |  6 ++-
 security/integrity/ima/ima_appraise.c           |  4 +-
 zfs/module/zfs/zpl_xattr.c                      |  4 +-
 30 files changed, 245 insertions(+), 218 deletions(-)

Comments

Tim Gardner Oct. 26, 2016, 7:52 p.m. UTC | #1

Luis Henriques Nov. 8, 2016, 3:04 p.m. UTC | #2
On Wed, Oct 26, 2016 at 02:31:38PM -0500, Seth Forshee wrote:
> BugLink: http://bugs.launchpad.net/bugs/1634964
> 
> In order for xenial to support snaps in lxd containers by default, fuse
> mounts in user namespaces must also be enabled by default. These patches
> harden the namespace mount support in xenial by updating it to match
> yakkety, then they flip the fuse userns_mounts module parameter to be
> enabled by default. Mostly this is done by reverting sauce patches in
> xenial and replacing them with backports from yakkety or upstream.
> 
> This is quite a bit of churn; however, it brings us in line with what we
> have in yakkety and closer to upstream (version 4.8 at least).
> 

Although this is a huge number of changes, they all seem to be already in
yakkety.  We also have testing results.  Regression/verification testing
will hopefully catch any issues with these backports.

Cheers,
--
Luís

Luis Henriques Nov. 8, 2016, 3:05 p.m. UTC | #3
Cheers,
--
Luís