ACK / APPLIED[Unstable]: [SRU][UNSTABLE/EOAN/FOCAL][PATCH] UBUNTU: SAUCE: shiftfs: let userns root destroy subvolumes from other users

Seth Forshee seth.forshee at canonical.com
Mon Jun 1 21:20:42 UTC 2020


On Wed, May 20, 2020 at 01:44:27PM +0200, Christian Brauner wrote:
> BugLink: https://bugs.launchpad.net/bugs/1879688
> 
> Stéphane reported a bug found during NorthSec that makes heavy use of
> shiftfs. When a subvolume or snapshot is created as userns root in the
> container and then chowned to another user a delete as the root user
> will fail. The reason for this is that we drop all capabilities as a
> safety measure before calling btrfs ioctls. The only workable fix I
> could think of is to retain the CAP_DAC_OVERRIDE capability for the
> BTRFS_IOC_SNAP_DESTROY ioctl. All other solutions would be way more
> invasive.
> 
> Cc: Seth Forshee <seth.forshee at canonical.com>
> Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>

This looks safe. We're using the creator creds, which will be ns-root
for the shiftfs s_user_ns. So the DAC override capability is only valid
in that namespace, which must be current_user_ns at the time of the
check, and the inode being checked must be owned by a uid/gid mapped in the
namespace. Since it's restricted to namespace root, the additional
capabilities are limited to uids towards which the user is already
privileged. From what I see of how this will impact the snapshot delete
operation, this seems fine.

It's ugly, but so is everything related to allowing these btrfs ioctls
to be passed through shiftfs.

Acked-by: Seth Forshee <seth.forshee at canonical.com>

Applied to unstable/master, thanks!
