On Fri, Apr 16, 2021 at 09:56:08PM +0200, Salvatore Bonaccorso wrote:
Hi Greg, hi Sasha
Please consider to apply commit 7c03e2cda4a5 ("vfs: move cap_convert_nscap() call into vfs_setxattr()") to stable series at least back to 4.19.y. It applies to there (but have not tested older series) and could test a build on top of 5.10.y with the commit.
The commit was applied in 5.11-rc1 and from the commit message:
vfs: move cap_convert_nscap() call into vfs_setxattr()
cap_convert_nscap() does permission checking as well as conversion of the xattr value conditionally based on fs's user-ns.
This is needed by overlayfs and probably other layered fs (ecryptfs) and is what vfs_foo() is supposed to do anyway.
Additionally, in fact additionally for distribtuions kernels which do allow unprivileged overlayfs mounts this as as well broader consequences, as explained in https://www.openwall.com/lists/oss-security/2021/04/16/1 .
Is it needed without the rest of the patches in the series it was sent in (https://lore.kernel.org/linux-fsdevel/20201207163255.564116-1-mszeredi@redha...