Quoting Theodore Ts'o (tytso@xxxxxxx):
> On Tue, Apr 29, 2014 at 04:49:14PM +0300, Marian Marinov wrote:
> >
> > I'm proposing a fix to this, by replacing the capable(CAP_LINUX_IMMUTABLE)
> > check with ns_capable(current_cred()->user_ns, CAP_LINUX_IMMUTABLE).
>
> Um, wouldn't it be better to simply fix the capable() function?
>
> /**
> * capable - Determine if the current task has a superior capability in effect
> * @cap: The capability to be tested for
> *
> * Return true if the current task has the given superior capability currently
> * available for use, false if not.
> *
> * This sets PF_SUPERPRIV on the task if the capability is available on the
> * assumption that it's about to be used.
> */
> bool capable(int cap)
> {
> return ns_capable(&init_user_ns, cap);
> }
> EXPORT_SYMBOL(capable);
>
> The documentation states that it is for "the current task", and I
> can't imagine any use case, where user namespaces are in effect, where
> using init_user_ns would ever make sense.
the init_user_ns represents the user_ns owning the object, not the
subject.
The patch by Marian is wrong. Anyone can do 'clone(CLONE_NEWUSER)',
setuid(0), execve, and end up satisfying 'ns_capable(current_cred()->userns,
CAP_SYS_IMMUTABLE)' by definition.
So NACK to that particular patch. I'm not sure, but IIUC it should be
safe to check against the userns owning the inode?
> No? Otherwise, pretty much every single use of capable() would be
> broken, not just this once instances in ext4/ioctl.c.
>
> - Ted
> _______________________________________________
> Containers mailing list
> Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
> https://lists.linuxfoundation.org/mailman/listinfo/containers
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
