Re: Please apply commit 7c03e2cda4a5 ("vfs: move cap_convert_nscap() call into vfs_setxattr()") to stable series from 5.10.y back to 4.19.y

On Fri, Apr 16, 2021 at 09:56:08PM +0200, Salvatore Bonaccorso wrote:
> Hi Greg, hi Sasha
> 
> Please consider to apply commit 7c03e2cda4a5 ("vfs: move
> cap_convert_nscap() call into vfs_setxattr()") to stable series at
> least back to 4.19.y. It applies to there (but have not tested older
> series) and could test a build on top of 5.10.y with the commit.
> 
> The commit was applied in 5.11-rc1 and from the commit message:
> 
>     vfs: move cap_convert_nscap() call into vfs_setxattr()
> 
>     cap_convert_nscap() does permission checking as well as conversion of the
>     xattr value conditionally based on fs's user-ns.
> 
>     This is needed by overlayfs and probably other layered fs (ecryptfs) and is
>     what vfs_foo() is supposed to do anyway.

Does this actually solve an in-kernel problem, or is it only an issue for
out-of-tree filesystems?

> Additionally, in fact additionally for distribution kernels which do
> allow unprivileged overlayfs mounts this has as well broader
> consequences, as explained in
> https://www.openwall.com/lists/oss-security/2021/04/16/1 .

That's an out-of-tree issue from what I can tell, what in-kernel issue
does the above commit resolve?  Or am I reading that report incorrectly?

thanks,

greg k-h


