From: Marian Marinov
Subject: ioctl CAP_LINUX_IMMUTABLE is checked in the wrong namespace
Date: Tue, 29 Apr 2014 16:49:14 +0300
Message-ID: <535FADDA.2070803@1h.com>
To: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, LXC development mailing-list, "linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
List-Id: containers.vger.kernel.org

Hello,
when using user namespaces I found a bug in the capability checks done by ioctl.

If someone tries to use chattr +i while in a different user namespace, it will get the following:

ioctl(3, EXT2_IOC_SETFLAGS, 0x7fffa4fedacc) = -1 EPERM (Operation not permitted)

I'm proposing a fix to this, by replacing the capable(CAP_LINUX_IMMUTABLE) check with ns_capable(current_cred()->user_ns, CAP_LINUX_IMMUTABLE).

If you agree I can send patches for all filesystems.

I'm proposing the following patch:

---
 fs/ext4/ioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
index d011b69..25683d0 100644
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -265,7 +265,7 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 		 * This test looks nicer. Thanks to Pauline Middelink
 		 */
 		if ((flags ^ oldflags) & (EXT4_APPEND_FL | EXT4_IMMUTABLE_FL)) {
-			if (!capable(CAP_LINUX_IMMUTABLE))
+			if (!ns_capable(current_cred()->user_ns, CAP_LINUX_IMMUTABLE))
 				goto flags_out;
 		}
-- 
1.8.4

-- 
Marian Marinov
Founder & CEO of 1H Ltd.
Jabber/GTalk: hackman-/eSpBmjxGS4dnm+yROfE0A@public.gmane.org
ICQ: 7556201
Mobile: +359 886 660 270
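Review bot: the `+` line weakens the check rather than scoping it, because `current_cred()->user_ns` is the caller's own namespace and the root of a user namespace holds every capability in that namespace. Unprivileged users can create user namespaces, so any task that has unshared one passes `ns_capable(current_cred()->user_ns, CAP_LINUX_IMMUTABLE)` and reaches the flag update; the `goto flags_out` guard would then only stop callers that never entered a user namespace. The namespace to check against is the one that owns the filesystem or inode being modified, not the caller's; until such an owner lookup is available, the removed `capable()` (equivalent to `ns_capable(&init_user_ns, ...)`) is the conservative choice, and the same concern applies to the "patches for all filesystems" follow-up mentioned in the cover text.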
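To make the difference between the two checks concrete, here is an added example that is not part of this email or of the kernel source: a small user-space C model of the kernel's cap_capable() walk (same namespace: consult the effective set; otherwise walk toward init_user_ns, granting the capability to the creator of a child namespace). The struct layouts, the uid 1000 scenario and the helper names are constructed for the illustration; the CAP_LINUX_IMMUTABLE bit value is the one from the kernel's capability header.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the email or the kernel: a user-space model of
 * the kernel's cap_capable() walk, detailed only as far as needed to show what
 * capable() and ns_capable(current_cred()->user_ns, ...) each answer. */

#define CAP_LINUX_IMMUTABLE 9            /* bit number from <linux/capability.h> */
#define CAP_FULL_SET        (~(uint64_t)0)
#define CAP_EMPTY_SET       ((uint64_t)0)

struct user_namespace {
    struct user_namespace *parent;       /* NULL for init_user_ns */
    uint32_t owner;                      /* uid (in the parent) that created it */
};

struct cred {
    uint32_t euid;
    uint64_t cap_effective;              /* capability bitmask, valid in user_ns */
    struct user_namespace *user_ns;      /* namespace these creds belong to */
};

static struct user_namespace init_user_ns = { NULL, 0 };

/* Model of cap_capable(): walk from the target namespace toward init_user_ns. */
static bool ns_capable(const struct cred *cred, struct user_namespace *targ_ns, int cap)
{
    for (struct user_namespace *ns = targ_ns; ; ns = ns->parent) {
        if (ns == cred->user_ns)                 /* same ns: consult the cap set */
            return (cred->cap_effective >> cap) & 1;
        if (ns->parent == NULL)                  /* reached init without a hit */
            return false;
        if (ns->parent == cred->user_ns && cred->euid == ns->owner)
            return true;                         /* creator owns the child ns */
    }
}

/* capable(cap) in the kernel is ns_capable(&init_user_ns, cap). */
static bool capable(const struct cred *cred, int cap)
{
    return ns_capable(cred, &init_user_ns, cap);
}

/* Constructed scenario: uid 1000 with no capabilities on the host unshares a
 * user namespace; inside it the same user is root with the full capability set. */
static struct user_namespace child_ns = { &init_user_ns, 1000 };
static const struct cred uid1000_on_host  = { 1000, CAP_EMPTY_SET, &init_user_ns };
static const struct cred uid1000_in_child = { 1000, CAP_FULL_SET,  &child_ns };
static const struct cred host_root        = { 0,    CAP_FULL_SET,  &init_user_ns };

/* What the existing ext4 check asks: capability in init_user_ns. */
bool unprivileged_passes_capable(void)
{
    return capable(&uid1000_in_child, CAP_LINUX_IMMUTABLE);
}

/* What the proposed ns_capable(current_cred()->user_ns, ...) check asks. */
bool unprivileged_passes_ns_capable_own_ns(void)
{
    return ns_capable(&uid1000_in_child, uid1000_in_child.user_ns, CAP_LINUX_IMMUTABLE);
}

/* The creator, still on the host side, also holds every cap over the child ns. */
bool creator_passes_ns_capable_on_child(void)
{
    return ns_capable(&uid1000_on_host, &child_ns, CAP_LINUX_IMMUTABLE);
}

/* Real host root keeps passing the original check, as expected. */
bool host_root_passes_capable(void)
{
    return capable(&host_root, CAP_LINUX_IMMUTABLE);
}

int main(void)
{
    printf("capable(CAP_LINUX_IMMUTABLE), uid 1000 inside its own user ns: %d\n",
           unprivileged_passes_capable());
    printf("ns_capable(own user_ns, CAP_LINUX_IMMUTABLE), same task:        %d\n",
           unprivileged_passes_ns_capable_own_ns());
    printf("ns_capable(child ns, CAP_LINUX_IMMUTABLE), creator on the host:  %d\n",
           creator_passes_ns_capable_on_child());
    printf("capable(CAP_LINUX_IMMUTABLE), host root:                        %d\n",
           host_root_passes_capable());
    return 0;
}
```

The first two results are the point of the review: the same unprivileged task fails the existing capable() check and passes the proposed one, because the proposed check is evaluated in a namespace the task itself created and is root in. A check that scopes the permission correctly has to name the namespace owning the inode being modified, which is why the choice of namespace, not the switch from capable() to ns_capable(), decides whether the restriction survives.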