0e85048f53
Change file related checks to use user namespaces and make sure involved uids/gids are mappable in the current namespace. Note that checks without file ownership information will still not take user namespaces into account, as some of these should be handled via 'zfs allow' (otherwise root in a user namespace could issue commands such as `zpool export`). This also adds an initial user namespace regression test for the setgid bit loss, with a user_ns_exec helper usable in further tests. Additionally, configure checks for the required user namespace related features are added for: * ns_capable * kuid/kgid_has_mapping() * user_ns in cred_t Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Closes #6800 Closes #7270
68 lines
1.6 KiB
Plaintext
68 lines
1.6 KiB
Plaintext
dnl #
|
|
dnl # 2.6.38 API change
|
|
dnl # ns_capable() was introduced
|
|
dnl #
|
|
AC_DEFUN([ZFS_AC_KERNEL_NS_CAPABLE], [
|
|
AC_MSG_CHECKING([whether ns_capable exists])
|
|
ZFS_LINUX_TRY_COMPILE([
|
|
#include <linux/capability.h>
|
|
],[
|
|
ns_capable((struct user_namespace *)NULL, CAP_SYS_ADMIN);
|
|
],[
|
|
AC_MSG_RESULT(yes)
|
|
AC_DEFINE(HAVE_NS_CAPABLE, 1,
|
|
[ns_capable exists])
|
|
],[
|
|
AC_MSG_RESULT(no)
|
|
])
|
|
])
|
|
|
|
dnl #
|
|
dnl # 2.6.39 API change
|
|
dnl # struct user_namespace was added to struct cred_t as
|
|
dnl # cred->user_ns member
|
|
dnl # Note that current_user_ns() was added in 2.6.28.
|
|
dnl #
|
|
AC_DEFUN([ZFS_AC_KERNEL_CRED_USER_NS], [
|
|
AC_MSG_CHECKING([whether cred_t->user_ns exists])
|
|
ZFS_LINUX_TRY_COMPILE([
|
|
#include <linux/cred.h>
|
|
],[
|
|
struct cred cr;
|
|
cr.user_ns = (struct user_namespace *)NULL;
|
|
],[
|
|
AC_MSG_RESULT(yes)
|
|
AC_DEFINE(HAVE_CRED_USER_NS, 1,
|
|
[cred_t->user_ns exists])
|
|
],[
|
|
AC_MSG_RESULT(no)
|
|
])
|
|
])
|
|
|
|
dnl #
|
|
dnl # 3.4 API change
|
|
dnl # kuid_has_mapping() and kgid_has_mapping() were added to distinguish
|
|
dnl # between internal kernel uids/gids and user namespace uids/gids.
|
|
dnl #
|
|
AC_DEFUN([ZFS_AC_KERNEL_KUID_HAS_MAPPING], [
|
|
AC_MSG_CHECKING([whether kuid_has_mapping/kgid_has_mapping exist])
|
|
ZFS_LINUX_TRY_COMPILE([
|
|
#include <linux/uidgid.h>
|
|
],[
|
|
kuid_has_mapping((struct user_namespace *)NULL, KUIDT_INIT(0));
|
|
kgid_has_mapping((struct user_namespace *)NULL, KGIDT_INIT(0));
|
|
],[
|
|
AC_MSG_RESULT(yes)
|
|
AC_DEFINE(HAVE_KUID_HAS_MAPPING, 1,
|
|
[kuid_has_mapping/kgid_has_mapping exist])
|
|
],[
|
|
AC_MSG_RESULT(no)
|
|
])
|
|
])
|
|
|
|
AC_DEFUN([ZFS_AC_KERNEL_USERNS_CAPABILITIES], [
|
|
ZFS_AC_KERNEL_NS_CAPABLE
|
|
ZFS_AC_KERNEL_CRED_USER_NS
|
|
ZFS_AC_KERNEL_KUID_HAS_MAPPING
|
|
])
|