[Kernel-packages] [Bug 1879688] Re: shiftfs: fix btrfs snapshot deletion
This bug was fixed in the package linux - 5.4.0-42.46 --- linux (5.4.0-42.46) focal; urgency=medium * focal/linux: 5.4.0-42.46 -proposed tracker (LP: #1887069) * linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668) - SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups" linux (5.4.0-41.45) focal; urgency=medium * focal/linux: 5.4.0-41.45 -proposed tracker (LP: #1885855) * Packaging resync (LP: #1786013) - update dkms package versions * CVE-2019-19642 - kernel/relay.c: handle alloc_percpu returning NULL in relay_open * CVE-2019-16089 - SAUCE: nbd_genl_status: null check for nla_nest_start * CVE-2020-11935 - aufs: do not call i_readcount_inc() * ip_defrag.sh in net from ubuntu_kernel_selftests failed with 5.0 / 5.3 / 5.4 kernel (LP: #1826848) - selftests: net: ip_defrag: ignore EPERM * Update lockdown patches (LP: #1884159) - SAUCE: acpi: disallow loading configfs acpi tables when locked down * seccomp_bpf fails on powerpc (LP: #1885757) - SAUCE: selftests/seccomp: fix ptrace tests on powerpc * Introduce the new NVIDIA 418-server and 440-server series, and update the current NVIDIA drivers (LP: #1881137) - [packaging] add signed modules for the 418-server and the 440-server flavours -- Khalid Elmously Thu, 09 Jul 2020 19:50:26 -0400 ** Changed in: linux (Ubuntu Groovy) Status: Confirmed => Fix Released ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-16089 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19642 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-11935 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1879688 Title: shiftfs: fix btrfs snapshot deletion Status in linux package in Ubuntu: Fix Released Status in linux source package in Eoan: Fix Released Status in linux source package in Focal: Fix Released Status in linux source package in Groovy: Fix Released Bug description: SRU Justification Impact: Stéphane discovered a problem during NorthSec which makes heavy use of shiftfs. In containers with a btrfs root filesystem that make use of shiftfs userns root is not able to delete subvolumes that have been created by another users which it would be able to do otherwise. This makes it impossible for LXD to delete nested containers. To reproduce this as root in the container: btrfs subvolume create my-subvol chown 1000:1000 my-subvol btrfs subvolume delete my-subvol The deletion will fail when it should have succeeded. Fix: For improved security we drop all capabilities before we forward btrfs ioctls in shiftfs. To fix the above problem we can retain the CAP_DAC_OVERRIDE capability only if we are userns root. Regression Potential: Limited to shiftfs. Even though we drop all capabilities in all capability sets we really mostly care about dropping CAP_SYS_ADMIN and we mostly do this for ioctl that e.g. allow you to traverse the btrfs filesystem and with CAP_SYS_ADMIN retained in the underlay would allow you to list subvolumes you shouldn't be able to list. This fix only retains CAP_DAC_OVERRIDE and only for the deletion of subvolumes and only by userns root. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1879688/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1879688] Re: shiftfs: fix btrfs snapshot deletion
This bug was fixed in the package linux - 5.4.0-40.44 --- linux (5.4.0-40.44) focal; urgency=medium * linux-oem-5.6-tools-common and -tools-host should be dropped (LP: #1881120) - [Packaging] Add Conflicts/Replaces to remove linux-oem-5.6-tools-common and -tools-host * Packaging resync (LP: #1786013) - [Packaging] update helper scripts * Slow send speed with Intel I219-V on Ubuntu 18.04.1 (LP: #1802691) - e1000e: Disable TSO for buffer overrun workaround * CVE-2020-0543 - UBUNTU/SAUCE: x86/speculation/srbds: do not try to turn mitigation off when not supported * Realtek 8723DE [10ec:d723] subsystem [10ec:d738] disconnects unsolicitedly when Bluetooth is paired: Reason: 23=IEEE8021X_FAILED (LP: #1878147) - SAUCE: Revert "UBUNTU: SAUCE: rtw88: Move driver IQK to set channel before association for 11N chip" - SAUCE: Revert "UBUNTU: SAUCE: rtw88: fix rate for a while after being connected" - SAUCE: Revert "UBUNTU: SAUCE: rtw88: No retry and report for auth and assoc" - SAUCE: Revert "UBUNTU: SAUCE: rtw88: 8723d: Add coex support" - rtw88: add a debugfs entry to dump coex's info - rtw88: add a debugfs entry to enable/disable coex mechanism - rtw88: 8723d: Add coex support - SAUCE: rtw88: coex: 8723d: set antanna control owner - SAUCE: rtw88: coex: 8723d: handle BT inquiry cases - SAUCE: rtw88: fix EAPOL 4-way failure by finish IQK earlier * CPU stress test fails with focal kernel (LP: #1867900) - [Config] Disable hisi_sec2 temporarily * Enforce all config annotations (LP: #1879327) - [Config]: do not enforce CONFIG_VERSION_SIGNATURE - [Config]: prepare to enforce all - [Config]: enforce all config options * Focal update: v5.4.44 upstream stable release (LP: #1881927) - ax25: fix setsockopt(SO_BINDTODEVICE) - dpaa_eth: fix usage as DSA master, try 3 - net: don't return invalid table id error when we fall back to PF_UNSPEC - net: dsa: mt7530: fix roaming from DSA user ports - net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend - __netif_receive_skb_core: pass skb by reference - net: inet_csk: Fix so_reuseport bind-address cache in tb->fast* - net: ipip: fix wrong address family in init error path - net/mlx5: Add command entry handling completion - net: mvpp2: fix RX hashing for non-10G ports - net: nlmsg_cancel() if put fails for nhmsg - net: qrtr: Fix passing invalid reference to qrtr_local_enqueue() - net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()" - net sched: fix reporting the first-time use timestamp - net/tls: fix race condition causing kernel panic - nexthop: Fix attribute checking for groups - r8152: support additional Microsoft Surface Ethernet Adapter variant - sctp: Don't add the shutdown timer if its already been added - sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed - tipc: block BH before using dst_cache - net/mlx5e: kTLS, Destroy key object after destroying the TIS - net/mlx5e: Fix inner tirs handling - net/mlx5: Fix memory leak in mlx5_events_init - net/mlx5e: Update netdev txq on completions during closure - net/mlx5: Fix error flow in case of function_setup failure - net/mlx5: Annotate mutex destroy for root ns - net/tls: fix encryption error checking - net/tls: free record only on encryption error - net: sun: fix missing release regions in cas_init_one(). - net/mlx4_core: fix a memory leak bug. - mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails - ARM: dts: rockchip: fix phy nodename for rk3228-evb - ARM: dts: rockchip: fix phy nodename for rk3229-xms6 - arm64: dts: rockchip: fix status for in rk3328-evb.dts - arm64: dts: rockchip: swap interrupts interrupt-names rk3399 gpu node - ARM: dts: rockchip: swap clock-names of gpu nodes - ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi - gpio: tegra: mask GPIO IRQs during IRQ shutdown - ALSA: usb-audio: add mapping for ASRock TRX40 Creator - net: microchip: encx24j600: add missed kthread_stop - gfs2: move privileged user check to gfs2_quota_lock_check - gfs2: Grab glock reference sooner in gfs2_add_revoke - drm/amdgpu: drop unnecessary cancel_delayed_work_sync on PG ungate - drm/amd/powerplay: perform PG ungate prior to CG ungate - drm/amdgpu: Use GEM obj reference for KFD BOs - cachefiles: Fix race between read_waiter and read_copier involving op->to_do - usb: dwc3: pci: Enable extcon driver for Intel Merrifield - usb: phy: twl6030-usb: Fix a resource leak in an error handling path in 'twl6030_usb_probe()' - usb: gadget: legacy: fix redundant initialization warnings - net: freescale: select CONFIG_FIXED_PHY where needed - IB/i40iw: Remove bogus
[Kernel-packages] [Bug 1879688] Re: shiftfs: fix btrfs snapshot deletion
This bug was fixed in the package linux - 5.3.0-62.56 --- linux (5.3.0-62.56) eoan; urgency=medium * CVE-2020-0543 - UBUNTU/SAUCE: x86/speculation/srbds: do not try to turn mitigation off when not supported * Packaging resync (LP: #1786013) - [Packaging] update helper scripts * Eoan update: upstream stable patchset 2020-06-05 (LP: #1882303) - i2c: dev: Fix the race between the release of i2c_dev and cdev - KVM: SVM: Fix potential memory leak in svm_cpu_init() - ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash() - evm: Check also if *tfm is an error pointer in init_desc() - ima: Fix return value of ima_write_policy() - mtd: spinand: Propagate ECC information to the MTD structure - fix multiplication overflow in copy_fdtable() - ubifs: remove broken lazytime support - iommu/amd: Fix over-read of ACPI UID from IVRS table - i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' - ubi: Fix seq_file usage in detailed_erase_block_info debugfs file - gcc-common.h: Update for GCC 10 - HID: multitouch: add eGalaxTouch P80H84 support - HID: alps: Add AUI1657 device ID - HID: alps: ALPS_1657 is too specific; use U1_UNICORN_LEGACY instead - scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV - scsi: qla2xxx: Delete all sessions before unregister local nvme port - configfs: fix config_item refcnt leak in configfs_rmdir() - vhost/vsock: fix packet delivery order to monitoring devices - aquantia: Fix the media type of AQC100 ethernet controller in the driver - component: Silence bind error on -EPROBE_DEFER - scsi: ibmvscsi: Fix WARN_ON during event pool release - HID: i2c-hid: reset Synaptics SYNA2393 on resume - x86/apic: Move TSC deadline timer debug printk - gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp() - HID: quirks: Add HID_QUIRK_NO_INIT_REPORTS quirk for Dell K12A keyboard-dock - ceph: fix double unlock in handle_cap_export() - stmmac: fix pointer check after utilization in stmmac_interrupt - USB: core: Fix misleading driver bug report - platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA - ARM: futex: Address build warning - padata: Replace delayed timer with immediate workqueue in padata_reorder - padata: initialize pd->cpu with effective cpumask - padata: purge get_cpu and reorder_via_wq from padata_do_serial - ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option - ALSA: pcm: fix incorrect hw_base increase - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme - ALSA: hda/realtek - Add more fixup entries for Clevo machines - drm/etnaviv: fix perfmon domain interation - apparmor: fix potential label refcnt leak in aa_change_profile - apparmor: Fix aa_label refcnt leak in policy_update - dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' - dmaengine: owl: Use correct lock in owl_dma_get_pchan() - drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of inheritance. - powerpc: Remove STRICT_KERNEL_RWX incompatibility with RELOCATABLE - powerpc/64s: Disable STRICT_KERNEL_RWX - media: fdp1: Fix R-Car M3-N naming in debug message - Revert "net/ibmvnic: Fix EOI when running in XIVE mode" - Revert "gfs2: Don't demote a glock until its revokes are written" - staging: iio: ad2s1210: Fix SPI reading - staging: greybus: Fix uninitialized scalar variable - iio: sca3000: Remove an erroneous 'get_device()' - iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' - misc: rtsx: Add short delay after exit from ASPM - mei: release me_cl object reference - ipack: tpci200: fix error return code in tpci200_register() - rapidio: fix an error in get_user_pages_fast() error handling - rxrpc: Fix a memory leak in rxkad_verify_response() - x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks - iio: adc: stm32-adc: Use dma_request_chan() instead dma_request_slave_channel() - iio: adc: stm32-adc: fix device used to request dma - iio: adc: stm32-dfsdm: Use dma_request_chan() instead dma_request_slave_channel() - iio: adc: stm32-dfsdm: fix device used to request dma - rxrpc: Trace discarded ACKs - rxrpc: Fix ack discard - ubifs: fix wrong use of crypto_shash_descsize() - i2c: fix missing pm_runtime_put_sync in i2c_device_probe - evm: Fix a small race in init_desc() - afs: Don't unlock fetched data pages until the op completes successfully - mtd: Fix mtd not registered due to nvmem name collision - net/ena: Fix build warning in ena_xdp_set() - x86/mm/cpa: Flush direct map alias during cpa - ibmvnic: Skip fatal error reset after passive init - iommu/amd: Call domain_flush_complete() in update_domain() -
[Kernel-packages] [Bug 1879688] Re: shiftfs: fix btrfs snapshot deletion
** Tags removed: verification-needed-eoan ** Tags added: verification-done-eoan -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1879688 Title: shiftfs: fix btrfs snapshot deletion Status in linux package in Ubuntu: Confirmed Status in linux source package in Eoan: Fix Committed Status in linux source package in Focal: Fix Committed Status in linux source package in Groovy: Confirmed Bug description: SRU Justification Impact: Stéphane discovered a problem during NorthSec which makes heavy use of shiftfs. In containers with a btrfs root filesystem that make use of shiftfs userns root is not able to delete subvolumes that have been created by another users which it would be able to do otherwise. This makes it impossible for LXD to delete nested containers. To reproduce this as root in the container: btrfs subvolume create my-subvol chown 1000:1000 my-subvol btrfs subvolume delete my-subvol The deletion will fail when it should have succeeded. Fix: For improved security we drop all capabilities before we forward btrfs ioctls in shiftfs. To fix the above problem we can retain the CAP_DAC_OVERRIDE capability only if we are userns root. Regression Potential: Limited to shiftfs. Even though we drop all capabilities in all capability sets we really mostly care about dropping CAP_SYS_ADMIN and we mostly do this for ioctl that e.g. allow you to traverse the btrfs filesystem and with CAP_SYS_ADMIN retained in the underlay would allow you to list subvolumes you shouldn't be able to list. This fix only retains CAP_DAC_OVERRIDE and only for the deletion of subvolumes and only by userns root. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1879688/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1879688] Re: shiftfs: fix btrfs snapshot deletion
Confirmed this is fixed: brauner@wittgenstein|~ > lxc shell f1-vm root@f1-vm:~# lxc shell f1 root@f1:~# btrfs subvolume create my-subvol root@f1:~# chown 1000:1000 my-subvol root@f1:~# btrfs subvolume delete my-subvol Delete subvolume (no-commit): '/root/my-subvol' ** Tags removed: verification-needed-focal ** Tags added: verification-done-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1879688 Title: shiftfs: fix btrfs snapshot deletion Status in linux package in Ubuntu: Confirmed Status in linux source package in Eoan: Fix Committed Status in linux source package in Focal: Fix Committed Status in linux source package in Groovy: Confirmed Bug description: SRU Justification Impact: Stéphane discovered a problem during NorthSec which makes heavy use of shiftfs. In containers with a btrfs root filesystem that make use of shiftfs userns root is not able to delete subvolumes that have been created by another users which it would be able to do otherwise. This makes it impossible for LXD to delete nested containers. To reproduce this as root in the container: btrfs subvolume create my-subvol chown 1000:1000 my-subvol btrfs subvolume delete my-subvol The deletion will fail when it should have succeeded. Fix: For improved security we drop all capabilities before we forward btrfs ioctls in shiftfs. To fix the above problem we can retain the CAP_DAC_OVERRIDE capability only if we are userns root. Regression Potential: Limited to shiftfs. Even though we drop all capabilities in all capability sets we really mostly care about dropping CAP_SYS_ADMIN and we mostly do this for ioctl that e.g. allow you to traverse the btrfs filesystem and with CAP_SYS_ADMIN retained in the underlay would allow you to list subvolumes you shouldn't be able to list. This fix only retains CAP_DAC_OVERRIDE and only for the deletion of subvolumes and only by userns root. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1879688/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1879688] Re: shiftfs: fix btrfs snapshot deletion
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1879688 Title: shiftfs: fix btrfs snapshot deletion Status in linux package in Ubuntu: Confirmed Status in linux source package in Eoan: Fix Committed Status in linux source package in Focal: Fix Committed Status in linux source package in Groovy: Confirmed Bug description: SRU Justification Impact: Stéphane discovered a problem during NorthSec which makes heavy use of shiftfs. In containers with a btrfs root filesystem that make use of shiftfs userns root is not able to delete subvolumes that have been created by another users which it would be able to do otherwise. This makes it impossible for LXD to delete nested containers. To reproduce this as root in the container: btrfs subvolume create my-subvol chown 1000:1000 my-subvol btrfs subvolume delete my-subvol The deletion will fail when it should have succeeded. Fix: For improved security we drop all capabilities before we forward btrfs ioctls in shiftfs. To fix the above problem we can retain the CAP_DAC_OVERRIDE capability only if we are userns root. Regression Potential: Limited to shiftfs. Even though we drop all capabilities in all capability sets we really mostly care about dropping CAP_SYS_ADMIN and we mostly do this for ioctl that e.g. allow you to traverse the btrfs filesystem and with CAP_SYS_ADMIN retained in the underlay would allow you to list subvolumes you shouldn't be able to list. This fix only retains CAP_DAC_OVERRIDE and only for the deletion of subvolumes and only by userns root. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1879688/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1879688] Re: shiftfs: fix btrfs snapshot deletion
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-focal ** Tags added: verification-needed-eoan -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1879688 Title: shiftfs: fix btrfs snapshot deletion Status in linux package in Ubuntu: Confirmed Status in linux source package in Eoan: Fix Committed Status in linux source package in Focal: Fix Committed Status in linux source package in Groovy: Confirmed Bug description: SRU Justification Impact: Stéphane discovered a problem during NorthSec which makes heavy use of shiftfs. In containers with a btrfs root filesystem that make use of shiftfs userns root is not able to delete subvolumes that have been created by another users which it would be able to do otherwise. This makes it impossible for LXD to delete nested containers. To reproduce this as root in the container: btrfs subvolume create my-subvol chown 1000:1000 my-subvol btrfs subvolume delete my-subvol The deletion will fail when it should have succeeded. Fix: For improved security we drop all capabilities before we forward btrfs ioctls in shiftfs. To fix the above problem we can retain the CAP_DAC_OVERRIDE capability only if we are userns root. Regression Potential: Limited to shiftfs. Even though we drop all capabilities in all capability sets we really mostly care about dropping CAP_SYS_ADMIN and we mostly do this for ioctl that e.g. allow you to traverse the btrfs filesystem and with CAP_SYS_ADMIN retained in the underlay would allow you to list subvolumes you shouldn't be able to list. This fix only retains CAP_DAC_OVERRIDE and only for the deletion of subvolumes and only by userns root. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1879688/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1879688] Re: shiftfs: fix btrfs snapshot deletion
** Changed in: linux (Ubuntu Eoan) Status: New => Fix Committed ** Changed in: linux (Ubuntu Focal) Status: New => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1879688 Title: shiftfs: fix btrfs snapshot deletion Status in linux package in Ubuntu: Confirmed Status in linux source package in Eoan: Fix Committed Status in linux source package in Focal: Fix Committed Status in linux source package in Groovy: Confirmed Bug description: SRU Justification Impact: Stéphane discovered a problem during NorthSec which makes heavy use of shiftfs. In containers with a btrfs root filesystem that make use of shiftfs userns root is not able to delete subvolumes that have been created by another users which it would be able to do otherwise. This makes it impossible for LXD to delete nested containers. To reproduce this as root in the container: btrfs subvolume create my-subvol chown 1000:1000 my-subvol btrfs subvolume delete my-subvol The deletion will fail when it should have succeeded. Fix: For improved security we drop all capabilities before we forward btrfs ioctls in shiftfs. To fix the above problem we can retain the CAP_DAC_OVERRIDE capability only if we are userns root. Regression Potential: Limited to shiftfs. Even though we drop all capabilities in all capability sets we really mostly care about dropping CAP_SYS_ADMIN and we mostly do this for ioctl that e.g. allow you to traverse the btrfs filesystem and with CAP_SYS_ADMIN retained in the underlay would allow you to list subvolumes you shouldn't be able to list. This fix only retains CAP_DAC_OVERRIDE and only for the deletion of subvolumes and only by userns root. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1879688/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1879688] Re: shiftfs: fix btrfs snapshot deletion
** Also affects: linux (Ubuntu Groovy) Importance: Undecided Assignee: Christian Brauner (cbrauner) Status: Confirmed ** Also affects: linux (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Eoan) Importance: Undecided Status: New -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1879688 Title: shiftfs: fix btrfs snapshot deletion Status in linux package in Ubuntu: Confirmed Status in linux source package in Eoan: New Status in linux source package in Focal: New Status in linux source package in Groovy: Confirmed Bug description: SRU Justification Impact: Stéphane discovered a problem during NorthSec which makes heavy use of shiftfs. In containers with a btrfs root filesystem that make use of shiftfs userns root is not able to delete subvolumes that have been created by another users which it would be able to do otherwise. This makes it impossible for LXD to delete nested containers. To reproduce this as root in the container: btrfs subvolume create my-subvol chown 1000:1000 my-subvol btrfs subvolume delete my-subvol The deletion will fail when it should have succeeded. Fix: For improved security we drop all capabilities before we forward btrfs ioctls in shiftfs. To fix the above problem we can retain the CAP_DAC_OVERRIDE capability only if we are userns root. Regression Potential: Limited to shiftfs. Even though we drop all capabilities in all capability sets we really mostly care about dropping CAP_SYS_ADMIN and we mostly do this for ioctl that e.g. allow you to traverse the btrfs filesystem and with CAP_SYS_ADMIN retained in the underlay would allow you to list subvolumes you shouldn't be able to list. This fix only retains CAP_DAC_OVERRIDE and only for the deletion of subvolumes and only by userns root. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1879688/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
