
Honor user namespace privileges with zfs unallow

Regular users can only remove permissions from themselves, and
additionally need the allow permission to do so. It
makes more sense for privileged users in a user namespace
to be able to manage permissions of all users of that
namespace.
Thus, when the user has CAP_SYS_ADMIN in their current
namespace, use the same check as for 'zfs allow' instead.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Blub committed Nov 7, 2017
1 parent 0c8e0ee commit ae411f7d95da4a7e33072c47d8842e1d640e53c6
@@ -3094,6 +3094,7 @@ zfs_ioc_set_fsacl(zfs_cmd_t *zc)
{
int error;
nvlist_t *fsaclnv = NULL;
cred_t *cr;
if ((error = get_nvlist(zc->zc_nvlist_src, zc->zc_nvlist_src_size,
zc->zc_iflags, &fsaclnv)) != 0)
@@ -3124,14 +3125,25 @@ zfs_ioc_set_fsacl(zfs_cmd_t *zc)
* the nvlist(s)
*/
error = secpolicy_zfs(CRED());
cr = CRED();
error = secpolicy_zfs(cr);
if (error != 0) {
if (zc->zc_perm_action == B_FALSE) {
/*
* In user namespaces fsacl_map_user_ns already errored if the
* user ids aren't mappable, and when we're privileged within
* our user namespace use the same check for unallow as for
* allow.
*/
if (zc->zc_perm_action == B_FALSE
#if defined(CONFIG_USER_NS) && defined(HAVE_CRED_USER_NS)
|| ns_capable(cr->user_ns, CAP_SYS_ADMIN)
#endif
) {
error = dsl_deleg_can_allow(zc->zc_name,
fsaclnv, CRED());
fsaclnv, cr);
} else {
error = dsl_deleg_can_unallow(zc->zc_name,
fsaclnv, CRED());
fsaclnv, cr);
}
}
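Review bot: The `#if defined(CONFIG_USER_NS) && defined(HAVE_CRED_USER_NS)` block spliced into the middle of the `if (zc->zc_perm_action == B_FALSE ...)` condition leaves a stranded `) {` and makes the condition hard to read and easy to break when another operand is added; compute the namespace-privilege test into a local first and keep the `if` on one line. Routing a namespace-privileged caller to `dsl_deleg_can_allow` for an unallow is only safe because, as the comment claims, `fsacl_map_user_ns` has already rejected ids that are not mappable in `cr->user_ns`; that call is outside the hunk, so I would make the comment state the ordering dependency explicitly, e.g. `/* Relies on fsacl_map_user_ns() having run above: it rejects ids not mapped in cr->user_ns, so a namespace admin can only touch principals visible in that namespace. */`. The body of `zfs_ioc_set_fsacl` continues past the hunk.
```c
	boolean_t ns_admin = B_FALSE;
#if defined(CONFIG_USER_NS) && defined(HAVE_CRED_USER_NS)
	/* Privileged in our own user namespace: check unallow like allow. */
	ns_admin = ns_capable(cr->user_ns, CAP_SYS_ADMIN);
#endif
	if (zc->zc_perm_action == B_FALSE || ns_admin) {
		/* … unchanged: dsl_deleg_can_allow / dsl_deleg_can_unallow calls … */
```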
@@ -25,3 +25,4 @@ export USER_TESTFS=$TESTPOOL/$TESTFS/user
export USER_TESTDIR=$TESTDIR/user
export STAFF_USER=zfsusr
export STAFF_GROUP=zfsgrp
export OUTSIDE_UID=5000
@@ -65,6 +65,14 @@ log_mustnot chg_usr_exec $STAFF_USER zfs set ${perm}=${perm_state_2} $USER_TESTF
# make sure the staff user *inside* the user namespace functions as expected
log_must user_ns_exec chg_usr_exec $STAFF_USER zfs set ${perm}=${perm_state_2} $USER_TESTFS
log_must user_ns_exec zfs unallow $STAFF_USER ${perm} $USER_TESTFS
# Negative check: Allow an arbitrary user to access the dataset.
# Root in a user namespace which does not have the id mapped should not be
# able to remove the permission.
log_must zfs allow -u $OUTSIDE_UID ${perm},allow $USER_TESTFS
log_must user_ns_exec zfs unallow $OUTSIDE_UID ${perm} $USER_TESTFS
log_must zfs destroy -r $USER_TESTFS
log_pass "Check user mapping in user namespaces"
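Review bot: The comment preceding `log_must user_ns_exec zfs unallow $OUTSIDE_UID ${perm} $USER_TESTFS` says root in a namespace that does not map the id should not be able to remove the permission, yet the assertion is `log_must`, which passes only when the unallow succeeds, so either the comment or the assertion is wrong. If the negative check is the intent, the line should read `log_mustnot user_ns_exec zfs unallow $OUTSIDE_UID ${perm} $USER_TESTFS`; as written the test would accept exactly the behaviour the comment forbids. It would also be worth asserting afterwards that the `$OUTSIDE_UID` entry is still present in the dataset's delegation list, since a rejected unallow that nonetheless altered the ACL would otherwise go unnoticed; I can't tell from the hunk whether this suite has a helper for that.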
