shiftfs: fix btrfs snapshot deletion
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Undecided | Christian Brauner | |
| Eoan | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Groovy | Fix Released | Undecided | Christian Brauner | |
Bug Description
SRU Justification
Impact: Stéphane discovered a problem during NorthSec, which makes heavy use of shiftfs. In containers with a btrfs root filesystem that make use of shiftfs, userns root is not able to delete subvolumes that have been created by another user, which it would be able to do otherwise. This makes it impossible for LXD to delete nested containers.

To reproduce this as root in the container:

```
btrfs subvolume create my-subvol
chown 1000:1000 my-subvol
btrfs subvolume delete my-subvol
```

The deletion will fail when it should have succeeded.
Fix: For improved security we drop all capabilities before we forward btrfs ioctls in shiftfs. To fix the above problem we can retain the CAP_DAC_OVERRIDE capability only if we are userns root.

Regression Potential: Limited to shiftfs. Even though we drop all capabilities in all capability sets, what we really care about is dropping CAP_SYS_ADMIN, and we mostly do this for ioctls that, for example, allow you to traverse the btrfs filesystem; with CAP_SYS_ADMIN retained in the underlay they would allow you to list subvolumes you shouldn't be able to list. This fix only retains CAP_DAC_OVERRIDE, only for the deletion of subvolumes, and only for userns root.
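The following is an added illustration, not code from the shiftfs driver or from this bug report, of the capability policy the justification describes: every capability is dropped before a btrfs ioctl is forwarded, and only CAP_DAC_OVERRIDE is handed back, only for subvolume deletion, only to userns root. The capability mask type, the `enum btrfs_ioctl_kind` classification, the two-policy switch and the simplified ownership-or-CAP_DAC_OVERRIDE permission check are all assumptions of this model; the kernel's real `btrfs_may_delete` and VFS checks have more conditions. It runs the report's scenario (container root deleting a subvolume chowned to uid 1000) under the old and the fixed policy, and checks the regression concern that a traversal ioctl keeps nothing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability bits for this model. The bit numbers are the ones from
 * <linux/capability.h> (CAP_DAC_OVERRIDE = 1, CAP_SYS_ADMIN = 21); the mask
 * type itself is this example's own, not the kernel's kernel_cap_t. */
typedef uint64_t cap_mask_t;
#define CAP_BIT(c) ((cap_mask_t)1 << (c))
#define MODEL_CAP_DAC_OVERRIDE 1
#define MODEL_CAP_SYS_ADMIN 21

/* Kind of btrfs ioctl being forwarded through shiftfs. This classification is
 * an assumption of the model; the real driver dispatches on ioctl numbers. */
enum btrfs_ioctl_kind {
    IOCTL_SUBVOL_CREATE,
    IOCTL_SUBVOL_DELETE,
    IOCTL_TREE_SEARCH,   /* a traversal ioctl: must never keep CAP_SYS_ADMIN */
};

/* Two versions of the forwarding policy: the one the bug report describes
 * (drop everything) and the fix (keep CAP_DAC_OVERRIDE in one narrow case). */
enum shiftfs_policy {
    POLICY_DROP_ALL,
    POLICY_RETAIN_DAC_OVERRIDE_FOR_DELETE,
};

struct caller {
    uint32_t uid;            /* uid as seen inside the container */
    cap_mask_t effective;    /* capabilities held before the ioctl is forwarded */
    bool userns_root;        /* root in the container's user namespace */
};

/* Capabilities that survive into the forwarded ioctl under a given policy. */
static cap_mask_t shiftfs_forwarded_caps(const struct caller *c,
                                         enum btrfs_ioctl_kind kind,
                                         enum shiftfs_policy policy)
{
    cap_mask_t retained = 0;   /* start by dropping every capability */

    if (policy == POLICY_RETAIN_DAC_OVERRIDE_FOR_DELETE &&
        kind == IOCTL_SUBVOL_DELETE && c->userns_root &&
        (c->effective & CAP_BIT(MODEL_CAP_DAC_OVERRIDE)))
        retained |= CAP_BIT(MODEL_CAP_DAC_OVERRIDE);

    return retained;
}

/* Simplified stand-in for the permission check the delete runs into: the
 * caller must own the subvolume or hold CAP_DAC_OVERRIDE. The kernel's real
 * check (btrfs_may_delete and the VFS) has more conditions than this. */
static bool subvol_delete_allowed(const struct caller *c, uint32_t owner_uid,
                                  cap_mask_t caps)
{
    return c->uid == owner_uid || (caps & CAP_BIT(MODEL_CAP_DAC_OVERRIDE));
}

/* The reproduction from the report: container root deletes a subvolume that
 * was chowned to uid 1000. Returns whether the delete goes through. */
bool reproduce_subvol_delete(enum shiftfs_policy policy)
{
    struct caller root = {
        .uid = 0,
        .effective = CAP_BIT(MODEL_CAP_DAC_OVERRIDE) | CAP_BIT(MODEL_CAP_SYS_ADMIN),
        .userns_root = true,
    };
    cap_mask_t caps = shiftfs_forwarded_caps(&root, IOCTL_SUBVOL_DELETE, policy);
    return subvol_delete_allowed(&root, 1000, caps);
}

/* Regression check from the justification: even after the fix a traversal
 * ioctl by userns root must not carry CAP_SYS_ADMIN (or anything else). */
bool traversal_keeps_no_caps(void)
{
    struct caller root = {
        .uid = 0,
        .effective = CAP_BIT(MODEL_CAP_DAC_OVERRIDE) | CAP_BIT(MODEL_CAP_SYS_ADMIN),
        .userns_root = true,
    };
    return shiftfs_forwarded_caps(&root, IOCTL_TREE_SEARCH,
                                  POLICY_RETAIN_DAC_OVERRIDE_FOR_DELETE) == 0;
}

/* A non-root container user deleting someone else's subvolume stays denied. */
bool unprivileged_delete_denied(void)
{
    struct caller user = { .uid = 1001, .effective = 0, .userns_root = false };
    cap_mask_t caps = shiftfs_forwarded_caps(&user, IOCTL_SUBVOL_DELETE,
                                             POLICY_RETAIN_DAC_OVERRIDE_FOR_DELETE);
    return !subvol_delete_allowed(&user, 1000, caps);
}

int main(void)
{
    printf("drop-all policy, root deletes uid-1000 subvol: %s\n",
           reproduce_subvol_delete(POLICY_DROP_ALL) ? "succeeds" : "fails");
    printf("fixed policy,    root deletes uid-1000 subvol: %s\n",
           reproduce_subvol_delete(POLICY_RETAIN_DAC_OVERRIDE_FOR_DELETE) ? "succeeds" : "fails");
    printf("traversal ioctl keeps no caps: %s\n", traversal_keeps_no_caps() ? "yes" : "no");
    return 0;
}
```

The point of keeping the retained set as a separate value rather than restoring the caller's full mask is what bounds the regression potential: CAP_SYS_ADMIN never reaches the underlay for any ioctl, and CAP_DAC_OVERRIDE reaches it only on the delete path for userns root.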
Changed in linux (Ubuntu):
  status: New → Confirmed
  assignee: nobody → Christian Brauner (cbrauner)
Changed in linux (Ubuntu Eoan):
  status: New → Fix Committed
Changed in linux (Ubuntu Focal):
  status: New → Fix Committed
tags:
  added: verification-done-eoan
  removed: verification-needed-eoan
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!