On Fri, Apr 16, 2021 at 09:56:08PM +0200, Salvatore Bonaccorso wrote:
Hi Greg, hi Sasha
Please consider to apply commit 7c03e2cda4a5 ("vfs: move cap_convert_nscap() call into vfs_setxattr()") to stable series at least back to 4.19.y. It applies to there (but have not tested older series) and could test a build on top of 5.10.y with the commit.
The commit was applied in 5.11-rc1 and from the commit message:
vfs: move cap_convert_nscap() call into vfs_setxattr() cap_convert_nscap() does permission checking as well as conversion of the xattr value conditionally based on fs's user-ns. This is needed by overlayfs and probably other layered fs (ecryptfs) and is what vfs_foo() is supposed to do anyway.
Does this actually solve an in-kernel problem, or is only an issue for out-of-tree filesystems?
Additionally, in fact additionally for distribtuions kernels which do allow unprivileged overlayfs mounts this as as well broader consequences, as explained in https://www.openwall.com/lists/oss-security/2021/04/16/1 .
That's an out-of-tree issue from what I can tell, what in-kernel issue does the above commit resolve? Or am I reading that report incorrectly?
thanks,
greg k-h