Hello,
when using user namespaces I found a bug in the capability checks done by ioctl.
If someone tries to use chattr +i while in a different user namespace, they will get the following:
ioctl(3, EXT2_IOC_SETFLAGS, 0x7fffa4fedacc) = -1 EPERM (Operation not permitted)
I'm proposing a fix for this by replacing the capable(CAP_LINUX_IMMUTABLE) check with
ns_capable(current_cred()->user_ns, CAP_LINUX_IMMUTABLE).
If you agree I can send patches for all filesystems.
I'm proposing the following patch:
---
fs/ext4/ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
index d011b69..25683d0 100644
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -265,7 +265,7 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
* This test looks nicer. Thanks to Pauline Middelink
*/
if ((flags ^ oldflags) & (EXT4_APPEND_FL | EXT4_IMMUTABLE_FL)) {
- if (!capable(CAP_LINUX_IMMUTABLE))
+ if (!ns_capable(current_cred()->user_ns, CAP_LINUX_IMMUTABLE))
goto flags_out;
}
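Review bot: the replacement check on the `+` line tests CAP_LINUX_IMMUTABLE against current_cred()->user_ns, the caller's own user namespace, and ns_capable() against one's own namespace is satisfied by whoever is root in that namespace; an unprivileged user can unshare a user namespace, map themselves to uid 0 in it, and then pass this test. Because EXT4_IMMUTABLE_FL and EXT4_APPEND_FL exist precisely to stop a file's owner from changing the file without system-wide privilege, this turns the check into one that the owner can bypass on any ext4 inode they own on a filesystem mounted from the initial namespace, so "chattr -i" on a file that real root made immutable would now succeed from inside a namespace the user created. The namespace to check against should be the one that has authority over the filesystem the inode lives in, which for an ext4 mount made from the initial namespace is the initial namespace, i.e. what capable() already tests; the same objection applies to extending the change to the other filesystems mentioned in the cover text. If the intent is to let namespace-root manage these flags only on filesystems that namespace itself mounted, the ioctl needs a handle to the mount's owning namespace, not the caller's.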
--
1.8.4
--
Marian Marinov
Founder & CEO of 1H Ltd.
Jabber/GTalk: hackman@xxxxxxxxxx
ICQ: 7556201
Mobile: +359 886 660 270
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
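The following script reproduces the EPERM shown in the strace line above from a fresh user namespace. It is an added example, not part of the original mail or the patch. It assumes a Linux system where util-linux unshare(1) is allowed to create unprivileged user namespaces, e2fsprogs chattr(1) and lsattr(1) are installed, and the file passed in is owned by the caller and lives on an ext4 filesystem mounted from the initial namespace; the function name repro_immutable and its return codes are this example's own convention.

```shell
#!/bin/sh
# Added reproducer for the EPERM reported in the mail; not part of the original.
# Assumptions: util-linux unshare(1) may create unprivileged user namespaces,
# e2fsprogs chattr(1)/lsattr(1) exist, and FILE is owned by the caller on an
# ext4 filesystem mounted from the initial user namespace.

# repro_immutable FILE
#   Runs "chattr +i FILE" inside a new user namespace in which the caller is
#   mapped to uid 0 (unshare -U -r).  Return codes (this example's convention):
#     0  flag was set (what the proposed patch would allow)
#     1  chattr got EPERM: uid 0 in the child namespace, but the kernel's
#        capable(CAP_LINUX_IMMUTABLE) is evaluated against the initial namespace
#     2  environment problem (missing file or tools, unshare itself refused)
repro_immutable() {
    f=$1
    [ -f "$f" ] || { echo "repro_immutable: no such file: $f" >&2; return 2; }
    command -v unshare >/dev/null 2>&1 || { echo "unshare(1) not found" >&2; return 2; }
    command -v chattr  >/dev/null 2>&1 || { echo "chattr(1) not found" >&2; return 2; }

    # The file name is passed as $0 of the child shell, so no quoting of $f is needed.
    out=$(unshare -U -r -- sh -c 'echo "uid in namespace: $(id -u)"; chattr +i "$0"' "$f" 2>&1)
    rc=$?
    printf '%s\n' "$out"
    if [ "$rc" -eq 0 ]; then
        lsattr "$f"
        return 0
    fi
    case "$out" in
        # chattr prefixes its own errors; "unshare: ... Operation not permitted"
        # (user namespaces disabled) deliberately does not match this pattern.
        *"chattr: Operation not permitted"*) return 1 ;;
        *) return 2 ;;
    esac
}

if [ $# -gt 0 ]; then
    repro_immutable "$1"
    echo "exit status: $?"
fi
```

Run it as `sh repro.sh /path/to/owned/file/on/ext4`. On an unpatched kernel the output ends with chattr reporting "Operation not permitted" and exit status 1, matching the EPERM in the strace line; a kernel that checks the capability against the caller's own namespace, as the patch proposes, would print the lsattr line with the i flag and exit 0, which is exactly the behaviour a file owner could then use to clear +i on their own files as well.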