current/SOURCES/fs-require-cap_sys_admin-in-target-namespace-for-idm.patch

From 9d77d7dea41f471323eb8a912c506fa3ae2f15b3 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Tue, 16 Aug 2022 11:47:52 -0500
Subject: fs: require CAP_SYS_ADMIN in target namespace for idmapped mounts

From: Seth Forshee <sforshee@digitalocean.com>

[ Upstream commit bf1ac16edf6770a92bc75cf2373f1f9feea398a4 ]

Idmapped mounts should not allow a user to map file ownsership into a
range of ids which is not under the control of that user. However, we
currently don't check whether the mounter is privileged wrt to the
target user namespace.

Currently no FS_USERNS_MOUNT filesystems support idmapped mounts, thus
this is not a problem as only CAP_SYS_ADMIN in init_user_ns is allowed
to set up idmapped mounts. But this could change in the future, so add a
check to refuse to create idmapped mounts when the mounter does not have
CAP_SYS_ADMIN in the target user namespace.

Fixes: bd303368b776 ("fs: support mapped mounts of mapped filesystems")
Signed-off-by: Seth Forshee <sforshee@digitalocean.com>
Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Link: https://lore.kernel.org/r/20220816164752.2595240-1-sforshee@digitalocean.com
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/namespace.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/namespace.c b/fs/namespace.c
index e6a7e769d25dd..a59f8d645654a 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -4238,6 +4238,13 @@ static int build_mount_idmapped(const struct mount_attr *attr, size_t usize,
                err = -EPERM;
                goto out_fput;
        }
+
+       /* We're not controlling the target namespace. */
+       if (!ns_capable(mnt_userns, CAP_SYS_ADMIN)) {
+               err = -EPERM;
+               goto out_fput;
+       }
+
        kattr->mnt_userns = get_user_ns(mnt_userns);
 
 out_fput:
-- 
2.35.1

1	From 9d77d7dea41f471323eb8a912c506fa3ae2f15b3 Mon Sep 17 00:00:00 2001
2	From: Sasha Levin <sashal@kernel.org>
3	Date: Tue, 16 Aug 2022 11:47:52 -0500
4	Subject: fs: require CAP_SYS_ADMIN in target namespace for idmapped mounts
5
6	From: Seth Forshee <sforshee@digitalocean.com>
7
8	[ Upstream commit bf1ac16edf6770a92bc75cf2373f1f9feea398a4 ]
9
10	Idmapped mounts should not allow a user to map file ownsership into a
11	range of ids which is not under the control of that user. However, we
12	currently don't check whether the mounter is privileged wrt to the
13	target user namespace.
14
15	Currently no FS_USERNS_MOUNT filesystems support idmapped mounts, thus
16	this is not a problem as only CAP_SYS_ADMIN in init_user_ns is allowed
17	to set up idmapped mounts. But this could change in the future, so add a
18	check to refuse to create idmapped mounts when the mounter does not have
19	CAP_SYS_ADMIN in the target user namespace.
20
21	Fixes: bd303368b776 ("fs: support mapped mounts of mapped filesystems")
22	Signed-off-by: Seth Forshee <sforshee@digitalocean.com>
23	Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
24	Link: https://lore.kernel.org/r/20220816164752.2595240-1-sforshee@digitalocean.com
25	Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
26	Signed-off-by: Sasha Levin <sashal@kernel.org>
27	---
28	fs/namespace.c \| 7 +++++++
29	1 file changed, 7 insertions(+)
30
31	diff --git a/fs/namespace.c b/fs/namespace.c
32	index e6a7e769d25dd..a59f8d645654a 100644
33	--- a/fs/namespace.c
34	+++ b/fs/namespace.c
35	@@ -4238,6 +4238,13 @@ static int build_mount_idmapped(const struct mount_attr *attr, size_t usize,
36	err = -EPERM;
37	goto out_fput;
38	}
39	+
40	+ /* We're not controlling the target namespace. */
41	+ if (!ns_capable(mnt_userns, CAP_SYS_ADMIN)) {
42	+ err = -EPERM;
43	+ goto out_fput;
44	+ }
45	+
46	kattr->mnt_userns = get_user_ns(mnt_userns);
47
48	out_fput:
49	--
50	2.35.1
51