This is a note to let you know that I've just added the patch titled Revert 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file capabilities") to the 5.11-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: revert-95ebabde382c-capabilities-don-t-allow-writing-ambiguous-v3-file-capabilities.patch and it can be found in the queue-5.11 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 3b0c2d3eaa83da259d7726192cf55a137769012f Mon Sep 17 00:00:00 2001 From: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> Date: Fri, 12 Mar 2021 15:07:09 -0600 Subject: Revert 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file capabilities") From: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> commit 3b0c2d3eaa83da259d7726192cf55a137769012f upstream. It turns out that there are in fact userspace implementations that care and this recent change caused a regression. https://github.com/containers/buildah/issues/3071 As the motivation for the original change was future development, and the impact is existing real world code just revert this change and allow the ambiguity in v3 file caps. Cc: stable@xxxxxxxxxxxxxxx Fixes: 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file capabilities") Signed-off-by: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- security/commoncap.c | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) --- a/security/commoncap.c +++ b/security/commoncap.c @@ -500,8 +500,7 @@ int cap_convert_nscap(struct dentry *den __u32 magic, nsmagic; struct inode *inode = d_backing_inode(dentry); struct user_namespace *task_ns = current_user_ns(), - *fs_ns = inode->i_sb->s_user_ns, - *ancestor; + *fs_ns = inode->i_sb->s_user_ns; kuid_t rootid; size_t newsize; 
@@ -524,15 +523,6 @@ int cap_convert_nscap(struct dentry *den if (nsrootid == -1) return -EINVAL; - /* - * Do not allow allow adding a v3 filesystem capability xattr - * if the rootid field is ambiguous. - */ - for (ancestor = task_ns->parent; ancestor; ancestor = ancestor->parent) { - if (from_kuid(ancestor, rootid) == 0) - return -EINVAL; - } - newsize = sizeof(struct vfs_ns_cap_data); nscap = kmalloc(newsize, GFP_ATOMIC); if (!nscap) Patches currently in stable-queue which might be from ebiederm@xxxxxxxxxxxx are queue-5.11/revert-95ebabde382c-capabilities-don-t-allow-writing-ambiguous-v3-file-capabilities.patch queue-5.11/sysctl.c-fix-underflow-value-setting-risk-in-vm_tabl.patch
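Review bot: In the first hunk (the declaration block at the top of cap_convert_nscap), dropping `*ancestor` is the right companion to removing the loop, since the variable would otherwise be unused, but `task_ns` stays declared in the same statement and its only visible use in this diff was the removed `task_ns->parent` walk; please confirm it is still referenced later in the function (for example when converting the namespace rootid), otherwise the revert leaves an unused-variable warning behind and the declaration should be trimmed as well.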
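Review bot: The second hunk removes the ambiguity rejection together with the comment that explained it, so the resulting code carries no record that a v3 file capability whose rootid maps to uid 0 in more than one ancestor user namespace is now accepted on purpose. Since the revert is motivated by a userspace regression (the buildah issue cited in the commit message) rather than by the check being wrong, consider keeping a short comment at the point where the loop used to be, along the lines of "ambiguous v3 rootids are deliberately permitted; userspace (buildah) depends on writing them", so that a later contributor does not reintroduce the check without re-checking userspace. The kernel behaviour this restores is that such xattrs are writable again and the receiving side resolves the rootid at execve time, which is worth stating in the changelog for people auditing the stable tree.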