[PATCH 1/2] ecryptfs: fix uid translation for setxattr on security.capability

Miklos Szeredi miklos at szeredi.hu
Wed Jan 20 07:52:27 UTC 2021


On Tue, Jan 19, 2021 at 10:11 PM Eric W. Biederman
<ebiederm at xmission.com> wrote:
>
> Miklos Szeredi <mszeredi at redhat.com> writes:
>
> > Prior to commit 7c03e2cda4a5 ("vfs: move cap_convert_nscap() call into
> > vfs_setxattr()") the translation of nscap->rootid did not take stacked
> > filesystems (overlayfs and ecryptfs) into account.
> >
> > That patch fixed the overlay case, but made the ecryptfs case worse.
> >
> > Restore the old behavior for ecryptfs that existed before the overlayfs
> > fix.  This does not fix ecryptfs's handling of complex user namespace
> > setups, but it does make sure existing setups don't regress.
>
> Today vfs_setxattr handles a delegated_inode and breaking
> leases.  Code that is enabled with CONFIG_FILE_LOCKING.  So unless
> I am missing something this introduces a different regression into
> ecryptfs.

This is in line with all the other cases of ecryptfs passing NULL as
delegated inode.

I'll defer this to the maintainer of ecryptfs.

Thanks,
Miklos
