Re: Please apply commit 7c03e2cda4a5 ("vfs: move cap_convert_nscap() call into vfs_setxattr()") to stable series from 5.10.y back to 4.19.y

Hi Sasha,

On Fri, Apr 16, 2021 at 05:04:04PM -0400, Sasha Levin wrote:
> On Fri, Apr 16, 2021 at 09:56:08PM +0200, Salvatore Bonaccorso wrote:
> > Hi Greg, hi Sasha
> > 
> > Please consider applying commit 7c03e2cda4a5 ("vfs: move
> > cap_convert_nscap() call into vfs_setxattr()") to stable series at
> > least back to 4.19.y. It applies there (but I have not tested older
> > series) and I could test a build on top of 5.10.y with the commit.
> > 
> > The commit was applied in 5.11-rc1 and from the commit message:
> > 
> >    vfs: move cap_convert_nscap() call into vfs_setxattr()
> > 
> >    cap_convert_nscap() does permission checking as well as conversion of the
> >    xattr value conditionally based on fs's user-ns.
> > 
> >    This is needed by overlayfs and probably other layered fs (ecryptfs) and is
> >    what vfs_foo() is supposed to do anyway.
> > 
> > Additionally, for distribution kernels which do allow unprivileged
> > overlayfs mounts this has broader consequences as well, as explained in
> > https://www.openwall.com/lists/oss-security/2021/04/16/1 .
> 
> Is it needed without the rest of the patches in the series it was sent
> in
> (https://lore.kernel.org/linux-fsdevel/20201207163255.564116-1-mszeredi@xxxxxxxxxx/)?

This is a very valid question. In fact, from the series,
89bdfaf93d91 ("ovl: make ioctl() safe") was already backported to
5.10.y (in 5.10.4). My thinking was that it would make sense to pick
the mentioned commit as well, as it also fixes a specific issue.

If, though, you and Greg think my request is not valid, then so it will
be. In any case I have Miklos, Steve and Thadeu here, who might
further comment.

Thanks for your work; it is not easy to sort out what to apply and
what not, much appreciated. My intention here is not to cause you more
hassle, but to cover the initially mentioned aspect for downstream
distributions.

Regards,
Salvatore
