Message-ID: <20140722231257.GT4453@dastard>
Date:	Wed, 23 Jul 2014 09:12:57 +1000
From:	Dave Chinner <david@...morbit.com>
To:	Kamal Mostafa <kamal@...onical.com>
Cc:	linux-kernel@...r.kernel.org, stable@...r.kernel.org,
	kernel-team@...ts.ubuntu.com,
	Dwight Engen <dwight.engen@...cle.com>, Ben Myers <bpm@....com>
Subject: Re: [PATCH 3.8 076/116] xfs: ioctl check for capabilities in the current user namespace

On Tue, Jul 22, 2014 at 03:21:27PM -0700, Kamal Mostafa wrote:
> 3.8.13.27 -stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Dwight Engen <dwight.engen@...cle.com>
> 
> commit fd5e2aa8653665ae1cc60f7aca1069abdbcad3f6 upstream.
> 
> Use inode_capable() to check if SUID|SGID bits should be cleared to match
> similar check in inode_change_ok().
> 
> The check for CAP_LINUX_IMMUTABLE was not modified since all other file
> systems also check against init_user_ns rather than current_user_ns.
> 
> Only allow changing of projid from init_user_ns.
> 
> Reviewed-by: Dave Chinner <dchinner@...hat.com>
> Reviewed-by: Gao feng <gaofeng@...fujitsu.com>
> Signed-off-by: Dwight Engen <dwight.engen@...cle.com>
> Signed-off-by: Ben Myers <bpm@....com>
> [ kamal: 3.8-stable prereq for
>   23adbe1 fs,userns: Change inode_capable to capable_wrt_inode_uidgid ]
> Signed-off-by: Kamal Mostafa <kamal@...onical.com>
> ---
>  fs/xfs/xfs_ioctl.c  | 11 +++++++++--
>  kernel/capability.c |  1 +
>  2 files changed, 10 insertions(+), 2 deletions(-)

Why are you backporting this to 3.8? namespace support didn't come
along until much later, so grabbing one patch out of the middle of a
patch series to allow userns support in XFS is likely to cause
problems because there's no supporting code in XFS for it.

Please don't randomly cherry pick userns support patches that change
permission checks back into kernels that don't have userns support.

Cheers,

Dave.
-- 
Dave Chinner
david@...morbit.com
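The namespace-aware capability rule the quoted commit message describes, as an added user-space model written for this page; it is not kernel code and not part of the patch. It assumes a single contiguous id mapping per namespace, an illustrative bit value for CAP_FSETID, and the gid-mapping requirement of capable_wrt_inode_uidgid(), the renamed helper the prereq note refers to.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define MODEL_CAP_FSETID (1u << 4)  /* illustrative bit, not the kernel's numbering */
#define S_ISUID 04000
#define S_ISGID 02000

/* A user namespace modelled as one contiguous uid/gid mapping plus the
 * capabilities the caller holds inside that namespace. */
typedef struct { uint32_t first_kuid, first_kgid, count, caps; } userns_t;
/* The parts of an inode the check reads: kernel-side owner ids and mode. */
typedef struct { uint32_t kuid, kgid; unsigned mode; } inode_t;

static bool id_has_mapping(uint32_t first, uint32_t count, uint32_t kid) {
    return kid >= first && kid - first < count;
}

/* ns_capable(): the capability must be held in the caller's own namespace. */
static bool ns_capable_model(const userns_t *ns, uint32_t cap) {
    return (ns->caps & cap) != 0;
}

/* capable_wrt_inode_uidgid(): additionally both owner ids of the inode must
 * map into that namespace, so namespace root cannot act on files owned by ids
 * it was never given (the uid-only inode_capable() form lacked the gid check). */
static bool capable_wrt_inode_uidgid_model(const userns_t *ns,
                                           const inode_t *ino, uint32_t cap) {
    return ns_capable_model(ns, cap)
        && id_has_mapping(ns->first_kuid, ns->count, ino->kuid)
        && id_has_mapping(ns->first_kgid, ns->count, ino->kgid);
}

/* Ownership-change rule from the commit message: keep SUID/SGID only when
 * the caller passes the namespace-aware CAP_FSETID check, else clear them. */
static unsigned mode_after_owner_change(const userns_t *ns, const inode_t *ino) {
    if (capable_wrt_inode_uidgid_model(ns, ino, MODEL_CAP_FSETID))
        return ino->mode;
    return ino->mode & ~(S_ISUID | S_ISGID);
}

int main(void) {
    /* Constructed sample: a container mapping 100000..165535 whose "root"
     * holds CAP_FSETID there, touching a host-owned and a container-owned file. */
    userns_t child = { 100000, 100000, 65536, MODEL_CAP_FSETID };
    inode_t host_file = { 0, 0, 06755 }, ns_file = { 100001, 100001, 06755 };
    printf("host-owned: %o\n", mode_after_owner_change(&child, &host_file));
    printf("ns-owned:   %o\n", mode_after_owner_change(&child, &ns_file));
    return 0;
}
```

The host-owned setuid file loses its bits even though the caller is "root" in its namespace, while the container-owned file keeps them; a file with a mapped uid but unmapped gid is also stripped.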