Merge branch 'userns-for-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git...

Pull user namespace update from Eric Biederman:
 "There are several pieces of active development, but only a single
  change made it through the gauntlet to be ready for v5.12. That change
  is tightening up the semantics of the v3 capabilities xattr. It is
  just short of being a bug-fix/security issue as no user space is known
  to even generate the problem case"

* 'userns-for-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
  capabilities: Don't allow writing ambiguous v3 file capabilities

diff --git a/security/commoncap.c b/security/commoncap.c
index 26c1cb7..78598be 100644 (file)
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -500,7 +500,8 @@ int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size)
        __u32 magic, nsmagic;
        struct inode *inode = d_backing_inode(dentry);
        struct user_namespace *task_ns = current_user_ns(),
-               *fs_ns = inode->i_sb->s_user_ns;
+               *fs_ns = inode->i_sb->s_user_ns,
+               *ancestor;
        kuid_t rootid;
        size_t newsize;
 
@@ -523,6 +524,15 @@ int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size)
        if (nsrootid == -1)
                return -EINVAL;
 
+       /*
+        * Do not allow allow adding a v3 filesystem capability xattr
+        * if the rootid field is ambiguous.
+        */
+       for (ancestor = task_ns->parent; ancestor; ancestor = ancestor->parent) {
+               if (from_kuid(ancestor, rootid) == 0)
+                       return -EINVAL;
+       }
+
        newsize = sizeof(struct vfs_ns_cap_data);
        nscap = kmalloc(newsize, GFP_ATOMIC);
        if (!nscap)