shiftfs: prevent exceeding project quotas
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Christian Brauner |
Disco | Fix Released | Medium | Unassigned |
Eoan | Fix Released | Medium | Unassigned |

Bug Description
SRU Justification
Impact:
Currently shiftfs allows exceeding project quota and reserved space on e.g. ext2. See https:/
Fix:
Drop CAP_SYS_RESOURCE at superblock creation time from the effective capability set.
Regression Potential:
Limited to shiftfs. Dropping CAP_SYS_RESOURCE from the effective capability set should be fine and actually give us more security.
Test Case:
Try to exceed project quotas on a kernel and filesystem that support them and see that it fails with the mentioned fix applied.
Target Kernels:
All LTS kernels with shiftfs support.
CVE References
Changed in linux (Ubuntu):
assignee: nobody → Christian Brauner (cbrauner)
status: New → In Progress
Changed in linux (Ubuntu Disco):
importance: Undecided → Medium
Changed in linux (Ubuntu Eoan):
importance: Undecided → Medium
Changed in linux (Ubuntu Disco):
status: New → Fix Committed
Changed in linux (Ubuntu Eoan):
status: New → Fix Committed
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
tags: added: verification-done-disco verification-done-eoan; removed: verification-needed-disco verification-needed-eoan
Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!