Confirmed this is fixed:

brauner@wittgenstein|~ > lxc shell f1-vm
root@f1-vm:~# lxc shell f1
root@f1:~# btrfs subvolume create my-subvol
root@f1:~# chown 1000:1000 my-subvol
root@f1:~# btrfs subvolume delete my-subvol
Delete subvolume (no-commit): '/root/my-subvol'
** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1879688

Title:
  shiftfs: fix btrfs snapshot deletion

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Eoan:
  Fix Committed
Status in linux source package in Focal:
  Fix Committed
Status in linux source package in Groovy:
  Confirmed

Bug description:
  SRU Justification

  Impact:
  Stéphane discovered a problem during NorthSec, which makes heavy use of shiftfs. In containers with a btrfs root filesystem that make use of shiftfs, userns root is not able to delete subvolumes that have been created by another user, which it would be able to do otherwise. This makes it impossible for LXD to delete nested containers.

  To reproduce this as root in the container:

    btrfs subvolume create my-subvol
    chown 1000:1000 my-subvol
    btrfs subvolume delete my-subvol

  The deletion will fail when it should have succeeded.

  Fix:
  For improved security we drop all capabilities before we forward btrfs ioctls in shiftfs. To fix the above problem we can retain the CAP_DAC_OVERRIDE capability only if we are userns root.

  Regression Potential:
  Limited to shiftfs. Even though we drop all capabilities in all capability sets, we really mostly care about dropping CAP_SYS_ADMIN, and we mostly do this for ioctls that, e.g., allow you to traverse the btrfs filesystem and, with CAP_SYS_ADMIN retained in the underlay, would allow you to list subvolumes you shouldn't be able to list. This fix only retains CAP_DAC_OVERRIDE, and only for the deletion of subvolumes, and only by userns root.