All autopkgtests for the newly accepted linux-oracle-5.4 (5.4.0-1019.19~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:
zfs-linux/unknown (armhf)
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].
https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-oracle-5.4
[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions
Thank you!
https://bugs.launchpad.net/bugs/1879688
Title:
shiftfs: fix btrfs snapshot deletion
Status in linux package in Ubuntu:
Confirmed
Status in linux source package in Eoan:
Fix Committed
Status in linux source package in Focal:
Fix Committed
Status in linux source package in Groovy:
Confirmed
Bug description:
SRU Justification
Impact: Stéphane discovered a problem during NorthSec, which makes
heavy use of shiftfs. In containers with a btrfs root filesystem that
make use of shiftfs, userns root is not able to delete subvolumes that
have been created by another user, which it would be able to do
otherwise. This makes it impossible for LXD to delete nested
containers.
To reproduce this as root in the container:
btrfs subvolume create my-subvol
chown 1000:1000 my-subvol
btrfs subvolume delete my-subvol
The deletion will fail when it should have succeeded.
Fix: For improved security we drop all capabilities before we forward
btrfs ioctls in shiftfs. To fix the above problem we can retain the
CAP_DAC_OVERRIDE capability only if we are userns root.
Regression Potential: Limited to shiftfs. Even though we drop all
capabilities in all capability sets, we really mostly care about
dropping CAP_SYS_ADMIN, and we mostly do this for ioctls that, e.g.,
allow you to traverse the btrfs filesystem and that, with CAP_SYS_ADMIN
retained in the underlay, would allow you to list subvolumes you
shouldn't be able to list. This fix only retains CAP_DAC_OVERRIDE, and
only for the deletion of subvolumes, and only by userns root.