Public bug reported:

SRU Justification

Impact: Stéphane discovered a problem during NorthSec, which makes heavy
use of shiftfs. In containers with a btrfs root filesystem that make use
of shiftfs, userns root is not able to delete subvolumes that have been
created by another user, which it would otherwise be able to do. This
makes it impossible for LXD to delete nested containers.

To reproduce this as root in the container:
btrfs subvolume create my-subvol
chown 1000:1000 my-subvol
btrfs subvolume delete my-subvol

The deletion will fail when it should have succeeded.

Fix: For improved security we drop all capabilities before we forward
btrfs ioctls in shiftfs. To fix the above problem we can retain the
CAP_DAC_OVERRIDE capability only if we are userns root.

Regression Potential: Limited to shiftfs. Even though we drop all
capabilities in all capability sets, we really mostly care about dropping
CAP_SYS_ADMIN, and we mostly do this for ioctls that, e.g., allow you to
traverse the btrfs filesystem and that, with CAP_SYS_ADMIN retained in the
underlay, would allow you to list subvolumes you shouldn't be able to
list. This fix only retains CAP_DAC_OVERRIDE, only for the deletion
of subvolumes, and only for userns root.
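To make the Fix and Regression Potential paragraphs concrete, here is an added Python model of the capability policy they describe. It is a constructed simulation written for this page, not code from the bug report, from shiftfs or from the kernel: the capability numbers are the real Linux values, the ioctl encoding follows the kernel _IOW/_IOWR layout, but the request sizes, the stand-in "listing" ioctl, and the simplified DAC rule (owner or CAP_DAC_OVERRIDE may delete) are assumptions for illustration only.

```python
"""Model of the shiftfs btrfs-ioctl capability policy from bug 1879688.

Constructed simulation for illustration; not kernel or shiftfs code.
"""
from dataclasses import dataclass

# Linux capability numbers (real values from <linux/capability.h>).
CAP_DAC_OVERRIDE = 1
CAP_SYS_ADMIN = 21
ALL_CAPS = (1 << 41) - 1  # assumption: "full" bounding set for the demo


def _ioc(direction, magic, nr, size):
    """Kernel ioctl request encoding: dir:2 | size:14 | type:8 | nr:8."""
    return (direction << 30) | (size << 16) | (magic << 8) | nr


BTRFS_IOCTL_MAGIC = 0x94
# _IOW(0x94, 15, struct btrfs_ioctl_vol_args); 4096-byte size is assumed here.
BTRFS_IOC_SNAP_DESTROY = _ioc(1, BTRFS_IOCTL_MAGIC, 15, 4096)
# Hypothetical placeholder for a tree-walking ioctl that the underlay gates
# on CAP_SYS_ADMIN; nr 250 is NOT a real btrfs ioctl number.
DEMO_LISTING_IOCTL = _ioc(3, BTRFS_IOCTL_MAGIC, 250, 4096)


@dataclass
class Caller:
    uid: int            # uid as seen inside the container
    caps: int           # effective capability bitmask before forwarding
    userns_root: bool   # True if the task is root in the mount's user namespace


@dataclass
class Subvolume:
    owner_uid: int


def forwarded_caps(caller, request, fixed=True):
    """Capabilities shiftfs leaves in place when forwarding to the underlay.

    Pre-fix: every capability is dropped.  Post-fix: CAP_DAC_OVERRIDE is
    retained, but only for subvolume deletion and only for userns root.
    """
    caps = 0
    if fixed and request == BTRFS_IOC_SNAP_DESTROY and caller.userns_root:
        caps |= caller.caps & (1 << CAP_DAC_OVERRIDE)
    return caps


def dac_allows_delete(caller, subvol, caps):
    """Simplified DAC check (assumption): owner or CAP_DAC_OVERRIDE may delete."""
    return caller.uid == subvol.owner_uid or bool(caps & (1 << CAP_DAC_OVERRIDE))


def btrfs_ioctl(caller, request, subvol=None, fixed=True):
    """Return True if the forwarded ioctl would be permitted by the underlay."""
    caps = forwarded_caps(caller, request, fixed)
    if request == BTRFS_IOC_SNAP_DESTROY:
        return dac_allows_delete(caller, subvol, caps)
    if request == DEMO_LISTING_IOCTL:
        # Listing-style ioctl: underlay requires CAP_SYS_ADMIN, which shiftfs
        # never forwards, before or after the fix.
        return bool(caps & (1 << CAP_SYS_ADMIN))
    raise ValueError("unmodelled ioctl %#x" % request)


def reproduce_bug_1879688(fixed):
    """The reproducer from the report: root chowns a subvolume to 1000:1000
    and then tries to delete it.  Returns True if deletion succeeds."""
    container_root = Caller(uid=0, caps=ALL_CAPS, userns_root=True)
    my_subvol = Subvolume(owner_uid=1000)   # after `chown 1000:1000 my-subvol`
    return btrfs_ioctl(container_root, BTRFS_IOC_SNAP_DESTROY, my_subvol, fixed)


if __name__ == "__main__":
    print("delete as userns root, before fix:", reproduce_bug_1879688(fixed=False))
    print("delete as userns root, after fix: ", reproduce_bug_1879688(fixed=True))
```

The model makes the scope of the change visible: the only path where a capability survives forwarding is the SNAP_DESTROY request from userns root, so an unprivileged container user still cannot delete a subvolume it does not own, and CAP_SYS_ADMIN-gated operations stay blocked regardless of the fix.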

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: Christian Brauner (cbrauner)
         Status: Confirmed

** Changed in: linux (Ubuntu)
       Status: New => Confirmed

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => Christian Brauner (cbrauner)

https://bugs.launchpad.net/bugs/1879688

Title:
  shiftfs: fix btrfs snapshot deletion
