From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Xenial][PATCH 0/4] Backport namespaced fscap support to xenial
Date: Fri, 22 Jun 2018 16:43:55 -0500
Message-Id: <20180622214359.17903-1-seth.forshee@canonical.com>

BugLink: http://bugs.launchpad.net/bugs/1778286

== SRU Justification ==

Impact: Support for using filesystem capabilities in unprivileged user
namespaces was added upstream in Linux 4.14. This is a useful feature
that allows unprivileged containers to set fscaps that are valid only in
user namespaces where a specific kuid is mapped to root. This allows for
e.g. support for Linux distros within lxd which make use of filesystem
capabilities.

Fix: Backport upstream commit 8db6c34f1dbc "Introduce v3 namespaced file
capabilities" and any subsequent fixes to xenial 4.4.

Test Case: Test use of fscaps within a lxd container.

Regression Potential: This has been upstream since 4.14 (and thus is
present in bionic), and the backport to xenial 4.4 was straightforward,
so regression potential is low.

Thanks,
Seth

Colin Ian King (1):
  commoncap: move assignment of fs_ns to avoid null pointer dereference

Eric Biggers (1):
  capabilities: fix buffer overread on very short xattr

Serge E. Hallyn (1):
  Introduce v3 namespaced file capabilities

Tetsuo Handa (1):
  commoncap: Handle memory allocation failure.

 fs/xattr.c                      |   6 +
 include/linux/capability.h      |   2 +
 include/linux/security.h        |   2 +
 include/uapi/linux/capability.h |  22 ++-
 security/commoncap.c            | 270 +++++++++++++++++++++++++++++---
 5 files changed, 280 insertions(+), 22 deletions(-)

Acked-by: Kleber Sacilotto de Souza
Acked-by: Stefan Bader
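To illustrate the v3 format this series backports, here is an added user-space sketch (not code from the patches or the kernel) that decodes a v2 or v3 `security.capability` value with the length checks a short xattr requires, then applies a simplified model of the "kuid is mapped to root" rule. The `VFS_CAP_*` and `XATTR_CAPS_SZ_*` values follow the kernel's UAPI header; `struct fscap`, `parse_fscap`, `fscap_applies` and the sample bytes are hypothetical, and the model assumes `rootid` and the namespace root uids are already expressed as kuids.

```c
#include <stdint.h>
#include <stdio.h>
/* Constants as in include/uapi/linux/capability.h; all other names are hypothetical. */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_REVISION_3      0x03000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001u
#define XATTR_CAPS_SZ_2 20u /* le32 magic_etc + 2 x {permitted, inheritable} */
#define XATTR_CAPS_SZ_3 24u /* v2 layout + trailing le32 rootid */
struct fscap { int rev, effective; uint64_t permitted, inheritable; uint32_t rootid; };

static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a security.capability value (v2/v3 only): 0 on success, -1 if malformed. */
int parse_fscap(const uint8_t *buf, size_t len, struct fscap *out)
{
    if (len < 4) return -1; /* too short to hold magic_etc: reject before reading */
    uint32_t magic = le32(buf), rev = magic & VFS_CAP_REVISION_MASK;
    int v3 = rev == VFS_CAP_REVISION_3;
    if ((!v3 && rev != VFS_CAP_REVISION_2) ||
        len != (v3 ? XATTR_CAPS_SZ_3 : XATTR_CAPS_SZ_2))
        return -1; /* unknown revision, or size does not match the revision */
    out->rev = v3 ? 3 : 2;
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    out->permitted = le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
    out->inheritable = le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
    out->rootid = v3 ? le32(buf + 20) : 0; /* v2 caps belong to init-ns root */
    return 0;
}

/* Simplified model: ns_roots[] = root's uid in the task's userns and each ancestor. */
int fscap_applies(const struct fscap *c, const uint32_t *ns_roots, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (ns_roots[i] == c->rootid) return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: v3, effective, CAP_NET_RAW (bit 13), rootid 100000 */
    const uint8_t x[24] = {1, 0, 0, 3, 0, 0x20, 0, 0, [20] = 0xa0, 0x86, 0x01, 0};
    const uint32_t roots[] = {100000, 0}; /* container root, then init-ns root */
    struct fscap c;
    if (parse_fscap(x, sizeof x, &c) != 0) return 1;
    printf("v%d rootid=%u applies=%d\n", c.rev, (unsigned)c.rootid, fscap_applies(&c, roots, 2));
    return 0;
}
```

The same v3 value is ignored by a task on the host or in a container whose root maps to a different kuid, while a v2 value (implicit rootid 0) matches in every namespace chain.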