Backport namespaced fscaps to xenial 4.4
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Medium | Seth Forshee | |
| Xenial | Fix Released | Medium | Seth Forshee | |
Bug Description
SRU Justification
Impact: Support for using filesystem capabilities in unprivileged user namespaces was added upstream in Linux 4.14. This is a useful feature that allows unprivileged containers to set fscaps that are valid only in user namespaces where a specific kuid is mapped to root. This allows, for example, support for Linux distros within lxd that make use of filesystem capabilities.
Fix: Backport upstream commit 8db6c34f1dbc "Introduce v3 namespaced file capabilities" and any subsequent fixes to xenial 4.4.
Test Case: Test use of fscaps within a lxd container.
Regression Potential: This has been upstream since 4.14 (and thus is present in bionic), and the backport to xenial 4.4 was straightforward, so regression potential is low.
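To make the Impact and Test Case items concrete, the following is an added example (not code from this bug, the kernel commit, or lxd) that encodes and decodes the `security.capability` xattr in both the v2 and v3 layouts and models the check that decides in which user namespaces a v3 cap is honoured. The constants and byte layout follow `include/uapi/linux/capability.h`; the `userns` struct and `rootid_owns_ns` are a simplified model that assumes a single contiguous `uid_map` line per namespace, and all names and the sample uid ranges are assumptions for illustration.

```c
/* Added example: security.capability xattr v2/v3 codec plus a simplified model
 * of the namespace check for v3 (namespaced) fscaps. Not kernel code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* From include/uapi/linux/capability.h */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_REVISION_3      0x03000000u
#define VFS_CAP_U32             2
#define XATTR_CAPS_SZ_2         (4 * (1 + 2 * VFS_CAP_U32))  /* 20 bytes */
#define XATTR_CAPS_SZ_3         (4 * (2 + 2 * VFS_CAP_U32))  /* 24 bytes: adds rootid */
#define CAP_NET_BIND_SERVICE    10
#define CAP_NET_RAW             13
#define CAP_TO_MASK64(c)        ((uint64_t)1 << (c))

struct fscap {
    unsigned revision;              /* 2 or 3 */
    int effective;
    uint64_t permitted, inheritable;
    uint32_t rootid;                /* v3: kuid that must map to uid 0; v2: always 0 */
};

static uint32_t get_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Serialise a v3 xattr value (what setcap inside a container produces on a
 * kernel with this feature). Returns the number of bytes written (24). */
size_t encode_fscap_v3(const struct fscap *c, unsigned char *buf) {
    put_le32(buf, VFS_CAP_REVISION_3 | (c->effective ? VFS_CAP_FLAGS_EFFECTIVE : 0));
    put_le32(buf + 4,  (uint32_t)c->permitted);          /* data[0].permitted   */
    put_le32(buf + 8,  (uint32_t)c->inheritable);        /* data[0].inheritable */
    put_le32(buf + 12, (uint32_t)(c->permitted >> 32));  /* data[1].permitted   */
    put_le32(buf + 16, (uint32_t)(c->inheritable >> 32));/* data[1].inheritable */
    put_le32(buf + 20, c->rootid);                       /* v3 only             */
    return XATTR_CAPS_SZ_3;
}

/* Parse a raw xattr value. Returns 0 on success, -1 for an unknown revision or
 * a length that does not match the revision (the kernel rejects those too). */
int decode_fscap(const unsigned char *buf, size_t len, struct fscap *out) {
    if (len < 4) return -1;
    uint32_t magic = get_le32(buf), rev = magic & VFS_CAP_REVISION_MASK;
    if (rev == VFS_CAP_REVISION_2 && len != XATTR_CAPS_SZ_2) return -1;
    if (rev == VFS_CAP_REVISION_3 && len != XATTR_CAPS_SZ_3) return -1;
    if (rev != VFS_CAP_REVISION_2 && rev != VFS_CAP_REVISION_3) return -1;
    memset(out, 0, sizeof *out);
    out->revision    = rev >> 24;
    out->effective   = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    out->permitted   = get_le32(buf + 4) | (uint64_t)get_le32(buf + 12) << 32;
    out->inheritable = get_le32(buf + 8) | (uint64_t)get_le32(buf + 16) << 32;
    out->rootid      = rev == VFS_CAP_REVISION_3 ? get_le32(buf + 20) : 0;
    return 0;
}

/* Simplified user namespace: one uid_map line "ns_start host_start count",
 * with host_start expressed as a kuid. Assumption for this example only. */
struct userns {
    const struct userns *parent;    /* NULL for the initial namespace */
    uint32_t ns_start, host_start, count;
};

/* Does kuid `rootid` map to uid 0 in `ns` or one of its ancestors? This is the
 * rule that makes a v3 cap valid in the namespace whose root wrote it and in
 * its descendants, and ignored in unrelated namespaces (simplified model). */
int rootid_owns_ns(const struct userns *ns, uint32_t rootid) {
    for (; ns; ns = ns->parent) {
        if (rootid >= ns->host_start && rootid - ns->host_start < ns->count &&
            ns->ns_start + (rootid - ns->host_start) == 0)
            return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed sample: a container whose root is kuid 100000 sets a cap. */
    struct fscap c = {3, 1, CAP_TO_MASK64(CAP_NET_BIND_SERVICE), 0, 100000}, d;
    unsigned char buf[XATTR_CAPS_SZ_3];
    size_t n = encode_fscap_v3(&c, buf);
    if (decode_fscap(buf, n, &d) == 0)
        printf("v%u cap, rootid %u, permitted 0x%llx\n", d.revision, d.rootid,
               (unsigned long long)d.permitted);
    return 0;
}
```

Reading the xattr back with `getfattr -n security.capability -e hex` on the host is the quickest way to confirm the kernel wrote 24 bytes with a `03` revision byte and the container's root kuid at the end; the model above shows why that same file shows no capabilities in a sibling container with a different uid range.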
Changed in linux (Ubuntu Xenial): | |
assignee: | nobody → Seth Forshee (sforshee) |
importance: | Undecided → Medium |
status: | New → In Progress |
Changed in linux (Ubuntu): | |
status: | In Progress → Fix Released |
summary: |
- Backport unprivileged fscaps to xenial 4.4
+ Backport namespaced fscaps to xenial 4.4
description: | updated |
description: | updated |
Changed in linux (Ubuntu Xenial): | |
status: | In Progress → Fix Committed |
tags: | added: verification-done-xenial |
tags: | added: cscc |
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!