Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f2ca3796 authored by Dirk Steinmetz's avatar Dirk Steinmetz Committed by Eric W. Biederman
Browse files

namei: permit linking with CAP_FOWNER in userns 



Attempting to hardlink to an unsafe file (e.g. a setuid binary) from
within an unprivileged user namespace fails, even if CAP_FOWNER is held
within the namespace. This may cause various failures, such as a gentoo
installation within a lxc container failing to build and install specific
packages.

This change permits hardlinking of files owned by mapped uids, if
CAP_FOWNER is held for that namespace. Furthermore, it improves consistency
by using the existing inode_owner_or_capable(), which is aware of
namespaced capabilities as of 23adbe12 ("fs,userns: Change
inode_capable to capable_wrt_inode_uidgid").

Signed-off-by: default avatarDirk Steinmetz <public@rsjtdrjgfuzkfg.com>

This is hitting us in Ubuntu during some dpkg upgrades in containers.
When upgrading a file dpkg creates a hard link to the old file to back
it up before overwriting it. When packages upgrade suid files owned by a
non-root user the link isn't permitted, and the package upgrade fails.
This patch fixes our problem.

Tested-by: default avatarSeth Forshee <seth.forshee@canonical.com>
Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
parent 6ff33f39

fs/namei.c

+2 −5
Original line number Diff line number Diff line
@@ -955,26 +955,23 @@ static bool safe_hardlink_source(struct inode *inode) 
 *  - sysctl_protected_hardlinks enabled

 *  - fsuid does not match inode

 *  - hardlink source is unsafe (see safe_hardlink_source() above)

 *  - not CAP_FOWNER

 *  - not CAP_FOWNER in a namespace with the inode owner uid mapped

 *

 * Returns 0 if successful, -ve on error.

 */

static int may_linkat(struct path *link)

{

	const struct cred *cred;

	struct inode *inode;



	if (!sysctl_protected_hardlinks)

		return 0;



	cred = current_cred();

	inode = link->dentry->d_inode;



	/* Source inode owner (or CAP_FOWNER) can hardlink all they like,

	 * otherwise, it must be a safe source.

	 */

	if (uid_eq(cred->fsuid, inode->i_uid) || safe_hardlink_source(inode) ||

	    capable(CAP_FOWNER))

	if (inode_owner_or_capable(inode) || safe_hardlink_source(inode))

		return 0;



	audit_log_link_denied("linkat", link);