Backport namespaced fscaps to xenial 4.4

Bug #1778286 reported by Seth Forshee on 2018-06-22
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Seth Forshee
Xenial
Medium
Seth Forshee

Bug Description

SRU Justification

Impact: Support for using filesystem capabilities in unprivileged user namespaces was added upstream in Linux 4.14. This is a useful feature that allows unprivileged containers to set fscaps that are valid only in user namespaces where a specific kuid is mapped to root. This allows for e.g. support for Linux distros within lxd which make use of filesystem capabilities.

Fix: Backport upstream commit 8db6c34f1dbc "Introduce v3 namespaced file capabilities" and any subsequent fixes to xenial 4.4.

Test Case: Test use of fscaps within a lxd container.

Regression Potential: This has been upstream since 4.14 (and thus is present in bionic), and the backport to xenial 4.4 was straightforward, so regression potential is low.

Seth Forshee (sforshee) on 2018-06-22
Changed in linux (Ubuntu Xenial):
assignee: nobody → Seth Forshee (sforshee)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu):
status: In Progress → Fix Released
Seth Forshee (sforshee) on 2018-06-22
summary: - Backport unprivileged fscaps to xenial 4.4
+ Backport namespaced fscaps to xenial 4.4
description: updated
description: updated
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Stéphane Graber (stgraber) wrote :

Installing the LXD snap from edge channel (for fscaps support), on the current 4.4 kernel:

root@djanet:~# lxc launch ubuntu-daily:cosmic c1
To start your first container, try: lxc launch ubuntu:18.04

Creating c1
Starting c1
root@djanet:~# lxc exec c1 -- setcap cap_net_raw+ep /usr/bin/mtr-packet
Failed to set capabilities on file `/usr/bin/mtr-packet' (Operation not permitted)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file

As expected on that kernel, the caps were lost when the container got uid shifted and manually setting the caps from within the container fails.

After switching to 4.4.0-132:

root@djanet:~# lxc exec c1 -- setcap cap_net_raw+ep /usr/bin/mtr-packet
root@djanet:~# lxc exec c1 -- getcap /usr/bin/mtr-packet
/usr/bin/mtr-packet = cap_net_raw+ep

tags: added: verification-done
removed: verification-needed-xenial
tags: added: verification-done-xenial
Launchpad Janitor (janitor) wrote :
Download full text (16.4 KiB)

This bug was fixed in the package linux - 4.4.0-134.160

---------------
linux (4.4.0-134.160) xenial; urgency=medium

  * linux: 4.4.0-134.160 -proposed tracker (LP: #1787177)

  * locking sockets broken due to missing AppArmor socket mediation patches
    (LP: #1780227)
    - UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

  * Backport namespaced fscaps to xenial 4.4 (LP: #1778286)
    - Introduce v3 namespaced file capabilities
    - commoncap: move assignment of fs_ns to avoid null pointer dereference
    - capabilities: fix buffer overread on very short xattr
    - commoncap: Handle memory allocation failure.

  * Xenial update to 4.4.140 stable release (LP: #1784409)
    - usb: cdc_acm: Add quirk for Uniden UBC125 scanner
    - USB: serial: cp210x: add CESINEL device ids
    - USB: serial: cp210x: add Silicon Labs IDs for Windows Update
    - n_tty: Fix stall at n_tty_receive_char_special().
    - staging: android: ion: Return an ERR_PTR in ion_map_kernel
    - n_tty: Access echo_* variables carefully.
    - x86/boot: Fix early command-line parsing when matching at end
    - ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode
    - i2c: rcar: fix resume by always initializing registers before transfer
    - ipv4: Fix error return value in fib_convert_metrics()
    - kprobes/x86: Do not modify singlestep buffer while resuming
    - nvme-pci: initialize queue memory before interrupts
    - netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()
    - ARM: dts: imx6q: Use correct SDMA script for SPI5 core
    - ubi: fastmap: Correctly handle interrupted erasures in EBA
    - mm: hugetlb: yield when prepping struct pages
    - tracing: Fix missing return symbol in function_graph output
    - scsi: sg: mitigate read/write abuse
    - s390: Correct register corruption in critical section cleanup
    - drbd: fix access after free
    - cifs: Fix infinite loop when using hard mount option
    - jbd2: don't mark block as modified if the handle is out of credits
    - ext4: make sure bitmaps and the inode table don't overlap with bg
      descriptors
    - ext4: always check block group bounds in ext4_init_block_bitmap()
    - ext4: only look at the bg_flags field if it is valid
    - ext4: verify the depth of extent tree in ext4_find_extent()
    - ext4: include the illegal physical block in the bad map ext4_error msg
    - ext4: clear i_data in ext4_inode_info when removing inline data
    - ext4: add more inode number paranoia checks
    - ext4: add more mount time checks of the superblock
    - ext4: check superblock mapped prior to committing
    - HID: i2c-hid: Fix "incomplete report" noise
    - HID: hiddev: fix potential Spectre v1
    - HID: debug: check length before copy_to_user()
    - x86/mce: Detect local MCEs properly
    - x86/mce: Fix incorrect "Machine check from unknown source" message
    - media: cx25840: Use subdev host data for PLL override
    - mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
    - dm bufio: avoid sleeping while holding the dm_bufio lock
    - dm bufio: drop the lock when doing GFP_NOIO allocation
    - mtd: rawnand: mxc: set spa...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Brad Figg (brad-figg) on 2019-07-24
tags: added: cscc
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers