shiftfs: fix btrfs snapshot deletion

Bug #1879688 reported by Christian Brauner on 2020-05-20
This bug affects 1 person
Affects: linux (Ubuntu) (status tracked in Groovy)
  Eoan:   Importance Undecided, Assigned to Unassigned
  Focal:  Importance Undecided, Assigned to Unassigned
  Groovy: Importance Undecided, Assigned to Christian Brauner

Bug Description

SRU Justification

Impact: Stéphane discovered a problem during NorthSec which makes heavy use of shiftfs. In containers with a btrfs root filesystem that make use of shiftfs, userns root is not able to delete subvolumes that have been created by another user, which it would otherwise be able to do. This makes it impossible for LXD to delete nested containers.

To reproduce this as root in the container:
btrfs subvolume create my-subvol
chown 1000:1000 my-subvol
btrfs subvolume delete my-subvol

The deletion will fail when it should have succeeded.

Fix: For improved security we drop all capabilities before we forward btrfs ioctls in shiftfs. To fix the above problem we can retain the CAP_DAC_OVERRIDE capability only if we are userns root.

Regression Potential: Limited to shiftfs. Even though we drop all capabilities in all capability sets, we really mostly care about dropping CAP_SYS_ADMIN, and we mostly do this for ioctls that e.g. allow you to traverse the btrfs filesystem and, with CAP_SYS_ADMIN retained in the underlay, would allow you to list subvolumes you shouldn't be able to list. This fix only retains CAP_DAC_OVERRIDE, and only for the deletion of subvolumes, and only by userns root.

Changed in linux (Ubuntu):
status: New → Confirmed
assignee: nobody → Christian Brauner (cbrauner)
Changed in linux (Ubuntu Eoan):
status: New → Fix Committed
Changed in linux (Ubuntu Focal):
status: New → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
tags: added: verification-needed-eoan

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Christian Brauner (cbrauner) wrote :

Confirmed this is fixed:

brauner@wittgenstein|~
> lxc shell f1-vm
root@f1-vm:~# lxc shell f1
root@f1:~# btrfs subvolume create my-subvol
root@f1:~# chown 1000:1000 my-subvol
root@f1:~# btrfs subvolume delete my-subvol
Delete subvolume (no-commit): '/root/my-subvol'

tags: added: verification-done-focal
removed: verification-needed-focal
tags: added: verification-done-eoan
removed: verification-needed-eoan

All autopkgtests for the newly accepted linux-oracle-5.4 (5.4.0-1019.19~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-oracle-5.4

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-40.44

---------------
linux (5.4.0-40.44) focal; urgency=medium

  * linux-oem-5.6-tools-common and -tools-host should be dropped (LP: #1881120)
    - [Packaging] Add Conflicts/Replaces to remove linux-oem-5.6-tools-common and
      -tools-host

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * Slow send speed with Intel I219-V on Ubuntu 18.04.1 (LP: #1802691)
    - e1000e: Disable TSO for buffer overrun workaround

  * CVE-2020-0543
    - UBUNTU/SAUCE: x86/speculation/srbds: do not try to turn mitigation off when
      not supported

  * Realtek 8723DE [10ec:d723] subsystem [10ec:d738] disconnects unsolicitedly
    when Bluetooth is paired: Reason: 23=IEEE8021X_FAILED (LP: #1878147)
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: Move driver IQK to set channel before
      association for 11N chip"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: fix rate for a while after being
      connected"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: No retry and report for auth and assoc"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: 8723d: Add coex support"
    - rtw88: add a debugfs entry to dump coex's info
    - rtw88: add a debugfs entry to enable/disable coex mechanism
    - rtw88: 8723d: Add coex support
    - SAUCE: rtw88: coex: 8723d: set antanna control owner
    - SAUCE: rtw88: coex: 8723d: handle BT inquiry cases
    - SAUCE: rtw88: fix EAPOL 4-way failure by finish IQK earlier

  * CPU stress test fails with focal kernel (LP: #1867900)
    - [Config] Disable hisi_sec2 temporarily

  * Enforce all config annotations (LP: #1879327)
    - [Config]: do not enforce CONFIG_VERSION_SIGNATURE
    - [Config]: prepare to enforce all
    - [Config]: enforce all config options

  * Focal update: v5.4.44 upstream stable release (LP: #1881927)
    - ax25: fix setsockopt(SO_BINDTODEVICE)
    - dpaa_eth: fix usage as DSA master, try 3
    - net: don't return invalid table id error when we fall back to PF_UNSPEC
    - net: dsa: mt7530: fix roaming from DSA user ports
    - net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend
    - __netif_receive_skb_core: pass skb by reference
    - net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
    - net: ipip: fix wrong address family in init error path
    - net/mlx5: Add command entry handling completion
    - net: mvpp2: fix RX hashing for non-10G ports
    - net: nlmsg_cancel() if put fails for nhmsg
    - net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
    - net: revert "net: get rid of an signed integer overflow in
      ip_idents_reserve()"
    - net sched: fix reporting the first-time use timestamp
    - net/tls: fix race condition causing kernel panic
    - nexthop: Fix attribute checking for groups
    - r8152: support additional Microsoft Surface Ethernet Adapter variant
    - sctp: Don't add the shutdown timer if its already been added
    - sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and
      socket is closed
    - tipc: block BH before using dst_cache
    - net/mlx5e: kTLS, Destroy key object after destroying the TIS
    - net/mlx5e: Fix inner tirs handling
    - net/m...

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.3.0-62.56

---------------
linux (5.3.0-62.56) eoan; urgency=medium

  * CVE-2020-0543
    - UBUNTU/SAUCE: x86/speculation/srbds: do not try to turn mitigation off when
      not supported

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * Eoan update: upstream stable patchset 2020-06-05 (LP: #1882303)
    - i2c: dev: Fix the race between the release of i2c_dev and cdev
    - KVM: SVM: Fix potential memory leak in svm_cpu_init()
    - ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash()
    - evm: Check also if *tfm is an error pointer in init_desc()
    - ima: Fix return value of ima_write_policy()
    - mtd: spinand: Propagate ECC information to the MTD structure
    - fix multiplication overflow in copy_fdtable()
    - ubifs: remove broken lazytime support
    - iommu/amd: Fix over-read of ACPI UID from IVRS table
    - i2c: mux: demux-pinctrl: Fix an error handling path in
      'i2c_demux_pinctrl_probe()'
    - ubi: Fix seq_file usage in detailed_erase_block_info debugfs file
    - gcc-common.h: Update for GCC 10
    - HID: multitouch: add eGalaxTouch P80H84 support
    - HID: alps: Add AUI1657 device ID
    - HID: alps: ALPS_1657 is too specific; use U1_UNICORN_LEGACY instead
    - scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV
    - scsi: qla2xxx: Delete all sessions before unregister local nvme port
    - configfs: fix config_item refcnt leak in configfs_rmdir()
    - vhost/vsock: fix packet delivery order to monitoring devices
    - aquantia: Fix the media type of AQC100 ethernet controller in the driver
    - component: Silence bind error on -EPROBE_DEFER
    - scsi: ibmvscsi: Fix WARN_ON during event pool release
    - HID: i2c-hid: reset Synaptics SYNA2393 on resume
    - x86/apic: Move TSC deadline timer debug printk
    - gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp()
    - HID: quirks: Add HID_QUIRK_NO_INIT_REPORTS quirk for Dell K12A keyboard-dock
    - ceph: fix double unlock in handle_cap_export()
    - stmmac: fix pointer check after utilization in stmmac_interrupt
    - USB: core: Fix misleading driver bug report
    - platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA
    - ARM: futex: Address build warning
    - padata: Replace delayed timer with immediate workqueue in padata_reorder
    - padata: initialize pd->cpu with effective cpumask
    - padata: purge get_cpu and reorder_via_wq from padata_do_serial
    - ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio
      option
    - ALSA: pcm: fix incorrect hw_base increase
    - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme
    - ALSA: hda/realtek - Add more fixup entries for Clevo machines
    - drm/etnaviv: fix perfmon domain interation
    - apparmor: fix potential label refcnt leak in aa_change_profile
    - apparmor: Fix aa_label refcnt leak in policy_update
    - dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()'
    - dmaengine: owl: Use correct lock in owl_dma_get_pchan()
    - drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of inheritance.
    - powerpc: Rem...

Changed in linux (Ubuntu Eoan):
status: Fix Committed → Fix Released