Ubuntu
zfs-linux package

ZFS is confused by user namespaces (uid/gid mapping) when used with acltype=posixac

Bug #1567558 reported by Stéphane Graber on 2016-04-07

This bug affects 3 people

	Status	Importance	Assigned to
linux (Ubuntu)	Fix Released	Undecided	Tim Gardner
Xenial	Fix Released	Undecided	Tim Gardner
Yakkety	Fix Released	Undecided	Tim Gardner
zfs-linux (Ubuntu)	Fix Released	Undecided	Unassigned
Xenial	Confirmed	Undecided	Unassigned
Yakkety	Fix Released	Undecided	Unassigned

Bug Description

This report is copy/paste from the following upstream issue: https://github.com/zfsonlinux/zfs/issues/4177

I was asked to file a matching Ubuntu bug for tracking.

Hello,

# First a quick introduction to the world of containers

I'm the project leader for LXC and LXD, working on containers on Linux. We now extensively use the user namespaces to provide an extra layer of security in Linux containers.

The user namespace allows one to map a range of uid and gid from the host or parent namespace into another range of uid and gid of a new namespace.

Typically what's done is that 65536 uids and gids are set aside per non-system users on the host. Those users through a couple of setuid helpers (newuidmap and newgidmap) can then setup a uid and gid map for their processes. Their 65536 allocation is therefore mapped from uid/gid 0 to 65536 of the new namespace, providing a POSIX-compatible environment.

That means that given a user on the host with uid and gid range 100000 through 165536, uid 100 in their container will be mapped to uid 100100 outside of it.

# The problem with ZFS

When using ZFS with acltype=posixacl and an ACL entry on the host set for a uid (or gid) that's then mapped into the container, the container doesn't see the right mapped value when querying the acl from inside the namespace.

# Example with zfs (broken)

root@dakara:~# zfs create lxd/test -o mountpoint=/tmp/test
root@dakara:~# zfs set acltype=posixacl lxd/test
root@dakara:~# cd /tmp/test/
root@dakara:/tmp/test# mkdir a
root@dakara:/tmp/test# setfacl -m default:user:100100:rwX a
root@dakara:/tmp/test# setfacl -m user:100100:rwX a
root@dakara:/tmp/test# getfacl a
# file: a
# owner: root
# group: root
user::rwx
user:100100:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:100100:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

root@dakara:/tmp/test# lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /bin/bash
root@dakara:/tmp/test (in userns)# ls -lh
total 512
drwxrwxr-x+ 2 nobody nogroup 2 Jan 7 22:19 a

root@dakara:/tmp/test (in userns)# getfacl -n a
# file: a
# owner: nobody
# group: nogroup
user::rwx
user:4294967295:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:4294967295:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

# Example with ext4 (working)

root@dakara:/tmp/test.ext4# mkdir a

root@dakara:/tmp/test.ext4# setfacl -m default:user:100100:rwX a

root@dakara:/tmp/test.ext4# setfacl -m user:100100:rwX a

root@dakara:/tmp/test.ext4# getfacl a
# file: a
# owner: root
# group: root
user::rwx
user:100100:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:100100:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

root@dakara:/tmp/test.ext4# lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /bin/bash
root@dakara:/tmp/test.ext4 (in userns)# ls -lh
total 4.0K
drwxrwxr-x+ 2 nobody nogroup 4.0K Jan 7 22:22 a

root@dakara:/tmp/test.ext4 (in userns)# getfacl -n a
# file: a
# owner: 65534
# group: 65534
user::rwx
user:100:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:100:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

# Environment

This was noticed on Ubuntu 14.04 using the zfs stable PPA. I first found it in production environments first with file servers misbehaving due to the problem, then reproduced it on my development systems.

The zfs version here is 0.6.5.3-1~trusty and I've seen this on 3.13, 3.16, 3.19 and 4.2 kernels (not that it should matter, the dkms code was the same). zfs-dkms is at 2.53-zfs1.

The lxc-usernsexec helper tool I'm using there comes from the LXC package in Ubuntu. It essentially causes a call to fork() followed by a call to unshare(CLONE_NEWUSER), then calls the newuidmap and newgidmap setuid helpers with the provided map so that the namespace can be configured properly.

You could reproduce something similar using the simple unshare tool and manual writes to /proc/PID/{u,g}id_map

Tags:

CVE References

Revision history for this message

Richard Laager (rlaager) wrote on 2016-05-06:

This is fixed upstream:
https://github.com/zfsonlinux/zfs/commit/874bd959f4f15b3d4b007160ee7ad3f4111dd341

Richard Laager (rlaager) on 2016-05-06

Changed in linux (Ubuntu):
status:	New → Confirmed
Changed in zfs-linux (Ubuntu):
status:	New → Confirmed

Revision history for this message

Richard Laager (rlaager) wrote on 2016-05-06:

@stgraber: If this is something you can reproduce (e.g. in a VM) using zfs-dkms rather than the pre-compiled zfs.ko from linux-image, can you please test from this PPA:
https://launchpad.net/~rlaager/+archive/ubuntu/zfs

The package there has the patch from upstream.

If you do test from my PPA, please remove it from your APT sources when you're done testing. I don't want some future experiment I upload to break your system.

Tim Gardner (timg-tpi) on 2016-05-06

Changed in linux (Ubuntu Xenial):
assignee:	nobody → Tim Gardner (timg-tpi)
status:	New → In Progress
Changed in linux (Ubuntu Yakkety):
assignee:	nobody → Tim Gardner (timg-tpi)
status:	Confirmed → Fix Committed

Kamal Mostafa (kamalmostafa) on 2016-05-06

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-05-15:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in zfs-linux (Ubuntu Xenial):
status:	New → Confirmed

Revision history for this message

Kamal Mostafa (kamalmostafa) wrote on 2016-05-19:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-xenial

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-05-23:

Download full text (16.9 KiB)

This bug was fixed in the package linux - 4.4.0-23.41

---------------
linux (4.4.0-23.41) xenial; urgency=low

[ Kamal Mostafa ]

* Release Tracking Bug
- LP: #1582431

* zfs: disable module checks for zfs when cross-compiling (LP: #1581127)
- [Packaging] disable zfs module checks when cross-compiling

This bug was fixed in the package linux - 4.4.0-23.41

---------------
linux (4.4.0-23.41) xenial; urgency=low

[ Kamal Mostafa ]

* Release Tracking Bug
    - LP: #1582431

* zfs: disable module checks for zfs when cross-compiling (LP: #1581127)
    - [Packaging] disable zfs module checks when cross-compiling

* Xenial update to v4.4.10 stable release (LP: #1580754)
    - Revert "UBUNTU: SAUCE: (no-up) ACPICA: Dispatcher: Update thread ID for
      recursive method calls"
    - Revert "UBUNTU: SAUCE: nbd: ratelimit error msgs after socket close"
    - Revert: "powerpc/tm: Check for already reclaimed tasks"
    - RDMA/iw_cxgb4: Fix bar2 virt addr calculation for T4 chips
    - ipvs: handle ip_vs_fill_iph_skb_off failure
    - ipvs: correct initial offset of Call-ID header search in SIP persistence
      engine
    - ipvs: drop first packet to redirect conntrack
    - mfd: intel-lpss: Remove clock tree on error path
    - nbd: ratelimit error msgs after socket close
    - ata: ahci_xgene: dereferencing uninitialized pointer in probe
    - mwifiex: fix corner case association failure
    - CNS3xxx: Fix PCI cns3xxx_write_config()
    - clk-divider: make sure read-only dividers do not write to their register
    - soc: rockchip: power-domain: fix err handle while probing
    - clk: rockchip: free memory in error cases when registering clock branches
    - clk: meson: Fix meson_clk_register_clks() signature type mismatch
    - clk: qcom: msm8960: fix ce3_core clk enable register
    - clk: versatile: sp810: support reentrance
    - clk: qcom: msm8960: Fix ce3_src register offset
    - lpfc: fix misleading indentation
    - ath9k: ar5008_hw_cmn_spur_mitigate: add missing mask_m & mask_p
      initialisation
    - mac80211: fix statistics leak if dev_alloc_name() fails
    - tracing: Don't display trigger file for events that can't be enabled
    - MD: make bio mergeable
    - Minimal fix-up of bad hashing behavior of hash_64()
    - mm, cma: prevent nr_isolated_* counters from going negative
    - mm/zswap: provide unique zpool name
    - ARM: EXYNOS: Properly skip unitialized parent clock in power domain on
    - ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel
    - xen: Fix page <-> pfn conversion on 32 bit systems
    - xen/balloon: Fix crash when ballooning on x86 32 bit PAE
    - xen/evtchn: fix ring resize when binding new events
    - HID: wacom: Add support for DTK-1651
    - HID: Fix boot delay for Creative SB Omni Surround 5.1 with quirk
    - Input: zforce_ts - fix dual touch recognition
    - proc: prevent accessing /proc/<PID>/environ until it's ready
    - mm: update min_free_kbytes from khugepaged after core initialization
    - batman-adv: fix DAT candidate selection (must use vid)
    - batman-adv: Check skb size before using encapsulated ETH+VLAN header
    - batman-adv: Fix broadcast/ogm queue limit on a removed interface
    - batman-adv: Reduce refcnt of removed router when updating route
    - writeback: Fix performance regression in wb_over_bg_thresh()
    - MAINTAINERS: Remove asterisk from EFI directory names
    - x86/tsc: Read all ratio bits from MSR_PLATFORM_INFO
    - ARM: cpuidle: Pass on arm_cpuidle_suspend()'s return value
    - ARC: Add missing io barriers to io{read,write}{16,32}be()
    - x86/sysfb_efi: Fix valid BAR address range check
    - ACPICA: Dispatcher: Update thread ID for recursive method calls
    - powerpc: Fix bad inline asm constraint in create_zero_mask()
    - libahci: save port map for forced port map
    - ata: ahci-platform: Add ports-implemented DT bindings.
    - USB: serial: cp210x: add ID for Link ECU
    - USB: serial: cp210x: add Straizona Focusers device ids
    - nvmem: mxs-ocotp: fix buffer overflow in read
    - gpu: ipu-v3: Fix imx-ipuv3-crtc module autoloading
    - drm/amdgpu: make sure vertical front porch is at least 1
    - drm/amdgpu: set metadata pointer to NULL after freeing.
    - iio: ak8975: Fix NULL pointer exception on early interrupt
    - iio: ak8975: fix maybe-uninitialized warning
    - drm/radeon: make sure vertical front porch is at least 1
    - drm/i915/ddi: Fix eDP VDD handling during booting and suspend/resume
    - drm/i915: Fix eDP low vswing for Broadwell
    - drm/i915: Make RPS EI/thresholds multiple of 25 on SNB-BDW
    - drm/i915: Fake HDMI live status
    - lib/test-string_helpers.c: fix and improve string_get_size() tests
    - drm/i915/skl: Fix DMC load on Skylake J0 and K0
    - Linux 4.4.10

* HDMI audio playback noise  observed on AMD Polaris 10/11 GPU (LP: #1577288)
    - ALSA: hda: add AMD Polaris-10/11 AZ PCI IDs with proper driver caps

* [i915_bpo] Update i915 backport driver (LP: #1580114)
    - SAUCE: i915_bpo: Drop is_preliminary from BXT/KBL.
    - SAUCE: i915_bpo: Sync with v4.6-rc7

* CVE-2016-4486 (LP: #1578497)
    - net: fix infoleak in rtnetlink

* CVE-2016-4485 (LP: #1578496)
    - net: fix infoleak in llc

* drm.ko < kernel version 4.5 has a dead lock bug (LP: #1579610)
    - drm: Balance error path for GEM handle allocation

* Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong not
    supported by compiler (LP: #1574982)
    - SAUCE: (no-up) disable -pie when gcc has it enabled by default

* system freeze after vt switching (LP: #1542939)
    - drm/atomic: Add __drm_atomic_helper_connector_reset, v2.
    - drm/atomic: Remove drm_atomic_connectors_for_crtc.

* CVE-2016-4558 (LP: #1579140)
    - bpf: fix refcnt overflow

* Kernel Panic on EC2 After Upgrading from 14.04 to 16.04 via do-release-
    upgrade -d (LP: #1573231)
    - SAUCE: (no-up) x86/topology: Handle CPUID bogosity gracefully

* PCI Call Traces  hw csum failure in dmesg with  4.4.0-2-generic
    (LP: #1544978)
    - net/mlx4_en: Fix endianness bug in IPV6 csum calculation

* Missing libunwind support in perf (LP: #1248289)
    - [Config] Add liblzma-dev to enable libunwind support in perf

* thunderbolt hotplug is broken (LP: #1577898)
    - SAUCE: (no-up) ACPICA: Dispatcher: Update thread ID for recursive method
      calls

* Kernel can be oopsed using remap_file_pages (LP: #1558120)
    - SAUCE: mm/mmap: fix oopsing on remap_file_pages

* ZFS is confused by user namespaces (uid/gid mapping) when used with
    acltype=posixac (LP: #1567558)
    - zfs: Fix user namespaces uid/gid mapping

* oops when propagating mounts into containers - RIP:
    0010:[<ffffffff8123cb3e>] [<ffffffff8123cb3e>] propagate_one+0xbe/0x1c0
    (LP: #1572316)
    - fs/pnode.c: treat zero mnt_group_id-s as unequal
    - propogate_mnt: Handle the first propogated copy being a slave

* OOPS on wily+ for Haswell-ULT and Broadwell (LP: #1577748)
    - PNP: Add Broadwell to Intel MCH size workaround
    - PNP: Add Haswell-ULT to Intel MCH size workaround

* Xenial update to v4.4.9 stable release (LP: #1578798)
    - block: loop: fix filesystem corruption in case of aio/dio
    - x86/mce: Avoid using object after free in genpool
    - kvm: x86: do not leak guest xcr0 into host interrupt handlers
    - ARM: dts: AM43x-epos: Fix clk parent for synctimer
    - ARM: mvebu: Correct unit address for linksys
    - ARM: OMAP2: Fix up interconnect barrier initialization for DRA7
    - ARM: OMAP2+: hwmod: Fix updating of sysconfig register
    - assoc_array: don't call compare_object() on a node
    - usb: xhci: applying XHCI_PME_STUCK_QUIRK to Intel BXT B0 host
    - xhci: resume USB 3 roothub first
    - usb: xhci: fix wild pointers in xhci_mem_cleanup
    - xhci: fix 10 second timeout on removal of PCI hotpluggable xhci controllers
    - usb: hcd: out of bounds access in for_each_companion
    - usb: gadget: f_fs: Fix use-after-free
    - dm cache metadata: fix READ_LOCK macros and cleanup WRITE_LOCK macros
    - dm cache metadata: fix cmd_read_lock() acquiring write lock
    - lib: lz4: fixed zram with lz4 on big endian machines
    - debugfs: Make automount point inodes permanently empty
    - dmaengine: dw: fix master selection
    - dmaengine: hsu: correct use of channel status register
    - dmaengine: pxa_dma: fix the maximum requestor line
    - sched/cgroup: Fix/cleanup cgroup teardown/init
    - x86/mm/xen: Suppress hugetlbfs in PV guests
    - x86 EDAC, sb_edac.c: Repair damage introduced when "fixing" channel address
    - ALSA: hda - Don't trust the reported actual power state
    - ALSA: hda/realtek - Add ALC3234 headset mode for Optiplex 9020m
    - ALSA: hda - Keep powering up ADCs on Cirrus codecs
    - ALSA: hda - add PCI ID for Intel Broxton-T
    - ALSA: pcxhr: Fix missing mutex unlock
    - ALSA: hda - Add dock support for ThinkPad X260
    - asm-generic/futex: Re-enable preemption in futex_atomic_cmpxchg_inatomic()
    - futex: Handle unlock_pi race gracefully
    - futex: Acknowledge a new waiter in counter before plist
    - drm/nouveau/core: use vzalloc for allocating ramht
    - drm/qxl: fix cursor position with non-zero hotspot
    - drm/i915: Fix race condition in intel_dp_destroy_mst_connector()
    - Revert "drm/radeon: disable runtime pm on PX laptops without dGPU power
      control"
    - Revert "drm/amdgpu: disable runtime pm on PX laptops without dGPU power
      control"
    - cpufreq: intel_pstate: Fix processing for turbo activation ratio
    - iwlwifi: pcie: lower the debug level for RSA semaphore access
    - iwlwifi: mvm: fix memory leak in paging
    - crypto: ccp - Prevent information leakage on export
    - crypto: sha1-mb - use corrcet pointer while completing jobs
    - crypto: talitos - fix crash in talitos_cra_init()
    - crypto: talitos - fix AEAD tcrypt tests
    - powerpc: scan_features() updates incorrect bits for REAL_LE
    - powerpc: Update cpu_user_features2 in scan_features()
    - powerpc: Update TM user feature bits in scan_features()
    - nl80211: check netlink protocol in socket release notification
    - netlink: don't send NETLINK_URELEASE for unbound sockets
    - Input: pmic8xxx-pwrkey - fix algorithm for converting trigger delay
    - xen kconfig: don't "select INPUT_XEN_KBDDEV_FRONTEND"
    - pinctrl: mediatek: correct debounce time unit in mtk_gpio_set_debounce
    - pinctrl: single: Fix pcs_parse_bits_in_pinctrl_entry to use __ffs than ffs
    - iommu/amd: Fix checking of pci dma aliases
    - iommu/dma: Restore scatterlist offsets correctly
    - drm/amdgpu: when suspending, if uvd/vce was running. need to cancel delay
      work.
    - drm/amdgpu: use defines for CRTCs and AMFT blocks
    - drm/amdgpu: bump the afmt limit for CZ, ST, Polaris
    - amdgpu/uvd: add uvd fw version for amdgpu
    - drm/amdgpu: fix regression on CIK (v2)
    - drm/radeon: add a quirk for a XFX R9 270X
    - drm/radeon: fix initial connector audio value
    - drm/radeon: forbid mapping of userptr bo through radeon device file
    - drm/radeon: fix vertical bars appear on monitor (v2)
    - drm: Loongson-3 doesn't fully support wc memory
    - drm/nouveau/gr/gf100: select a stream master to fixup tfb offset queries
    - drm/dp/mst: Validate port in drm_dp_payload_send_msg()
    - drm/dp/mst: Restore primary hub guid on resume
    - drm/dp/mst: Get validated port ref in drm_dp_update_payload_part1()
    - pwm: brcmstb: Fix check of devm_ioremap_resource() return code
    - drm/i915: Cleanup phys status page too
    - drm/i915: skl_update_scaler() wants a rotation bitmask instead of bit number
    - drm/amdkfd: uninitialized variable in dbgdev_wave_control_set_registers()
    - drm/i915: Fixup the free space logic in ring_prepare
    - drm/i915: Use fw_domains_put_with_fifo() on HSW
    - perf intel-pt: Fix segfault tracing transactions
    - i2c: cpm: Fix build break due to incompatible pointer types
    - i2c: exynos5: Fix possible ABBA deadlock by keeping I2C clock prepared
    - toshiba_acpi: Fix regression caused by hotkey enabling value
    - EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback
    - ASoC: s3c24xx: use const snd_soc_component_driver pointer
    - ASoC: ssm4567: Reset device before regcache_sync()
    - ASoC: dapm: Make sure we have a card when displaying component widgets
    - ASoC: rt5640: Correct the digital interface data select
    - vb2-memops: Fix over allocation of frame vectors
    - v4l2-dv-timings.h: fix polarity for 4k formats
    - cxl: Keep IRQ mappings on context teardown
    - IB/mlx5: Expose correct max_sge_rd limit
    - IB/security: Restrict use of the write() interface
    - efi: Fix out-of-bounds read in variable_matches()
    - efi: Expose non-blocking set_variable() wrapper to efivars
    - x86/apic: Handle zero vector gracefully in clear_vector_irq()
    - workqueue: fix ghost PENDING flag while doing MQ IO
    - slub: clean up code for kmem cgroup support to kmem_cache_free_bulk
    - cgroup, cpuset: replace cpuset_post_attach_flush() with
      cgroup_subsys->post_attach callback
    - memcg: relocate charge moving from ->attach to ->post_attach
    - mm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check
    - numa: fix /proc/<pid>/numa_maps for THP
    - mm: vmscan: reclaim highmem zone if buffer_heads is over limit
    - mm/hwpoison: fix wrong num_poisoned_pages accounting
    - cgroup: make sure a parent css isn't freed before its children
    - videobuf2-core: Check user space planes array in dqbuf
    - videobuf2-v4l2: Verify planes array in buffer dequeueing
    - Revert "regulator: core: Fix nested locking of supplies"
    - regulator: core: fix regulator_lock_supply regression
    - regulator: core: Ensure we lock all regulators
    - regulator: core: Fix nested locking of supplies
    - locking/mcs: Fix mcs_spin_lock() ordering
    - spi/rockchip: Make sure spi clk is on in rockchip_spi_set_cs
    - irqchip/sunxi-nmi: Fix error check of of_io_request_and_map()
    - irqchip/mxs: Fix error check of of_io_request_and_map()
    - regulator: s5m8767: fix get_register() error handling
    - paride: make 'verbose' parameter an 'int' again
    - scsi_dh: force modular build if SCSI is a module
    - fbdev: da8xx-fb: fix videomodes of lcd panels
    - misc/bmp085: Enable building as a module
    - misc: mic/scif: fix wrap around tests
    - PM / OPP: Initialize u_volt_min/max to a valid value
    - PM / Domains: Fix removal of a subdomain
    - rtc: hym8563: fix invalid year calculation
    - rtc: vr41xx: Wire up alarm_irq_enable
    - rtc: ds1685: passing bogus values to irq_restore
    - rtc: rx8025: remove rv8803 id
    - rtc: max77686: Properly handle regmap_irq_get_virq() error code
    - drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors
    - perf evlist: Reference count the cpu and thread maps at set_maps()
    - x86/mm/kmmio: Fix mmiotrace for hugepages
    - ext4: fix NULL pointer dereference in ext4_mark_inode_dirty()
    - serial: sh-sci: Remove cpufreq notifier to fix crash/deadlock
    - mtd: spi-nor: remove micron_quad_enable()
    - mtd: brcmnand: Fix v7.1 register offsets
    - mtd: nand: Drop mtd.owner requirement in nand_scan
    - perf hists browser: Only offer symbol scripting when a symbol is under the
      cursor
    - perf tools: handle spaces in file names obtained from /proc/pid/maps
    - perf stat: Document --detailed option
    - ext4: fix races between page faults and hole punching
    - ext4: move unlocked dio protection from ext4_alloc_file_blocks()
    - ext4: fix races between buffered IO and collapse / insert range
    - ext4: fix races of writeback with punch hole and zero range
    - ARM: OMAP3: Add cpuidle parameters table for omap3430
    - ARM: prima2: always enable reset controller
    - ARM: EXYNOS: select THERMAL_OF
    - ARM: dts: armada-375: use armada-370-sata for SATA
    - ARM: dts: pxa: fix dma engine node to pxa3xx-nand
    - bus: imx-weim: Take the 'status' property value into account
    - jme: Do not enable NIC WoL functions on S0
    - jme: Fix device PM wakeup API usage
    - unbreak allmodconfig KCONFIG_ALLCONFIG=...
    - thermal: rockchip: fix a impossible condition caused by the warning
    - sunrpc/cache: drop reference when sunrpc_cache_pipe_upcall() detects a race
    - megaraid_sas: add missing curly braces in ioctl handler
    - stm class: Select CONFIG_SRCU
    - extcon: max77843: Use correct size for reading the interrupt register
    - Linux 4.4.9

* Stoney powerplay support (LP: #1578305)
    - amdgpu/powerplay: Add Stoney to list of early init cases

* CVE-2016-2117 (LP: #1561403)
    - atl2: Disable unimplemented scatter/gather feature

* CVE-2016-2187 (LP: #1575706)
    - Input: gtco - fix crash on detecting device without endpoints

* zfs posix default permissions lost on reboot or unmount (LP: #1574801)
    - Fix ZPL miswrite of default POSIX ACL

* WARNING: at /build/linux-aWXT0l/linux-4.4.0/drivers/pci/pci.c:1595
    [travis3EN] (LP: #1574697)
    - net/mlx4_core: Implement pci_resume callback
    - net/mlx4_core: Avoid repeated calls to pci enable/disable

* Add support to thinkpad keyboard backlight (LP: #1574498)
    - thinkpad_acpi: Add support for keyboard backlight

* Please enable kconfig X86_LEGACY_VM86 for i386 (LP: #1499089)
    - [Config] CONFIG_VM86=y, CONFIG_X86_LEGACY_VM86=y

* Miscellaneous Ubuntu changes
    - updateconfigs for Linux v4.4.9

-- Kamal Mostafa <kamal@canonical.com>  Mon, 16 May 2016 15:16:29 -0700

Changed in linux (Ubuntu Yakkety):
status:	Fix Committed → Fix Released

Revision history for this message

Andreas Fuchs (asf) wrote on 2016-05-23:

I tested this the xenial-proposed kernel (4.4.0-23) on a machine that was showing the exact symptoms described by the original reporter in Xenial. Here's the sequence of commands on the -proposed kernel:

root@bonnetmaker:~# uname -a
Linux bonnetmaker 4.4.0-23-lowlatency #41-Ubuntu SMP PREEMPT Mon May 16 23:55:11 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
root@bonnetmaker:~# zfs create lxd/test -o mountpoint=/tmp/test
root@bonnetmaker:~# zfs set acltype=posixacl lxd/test
root@bonnetmaker:~# cd /tmp/test/
root@bonnetmaker:/tmp/test# mkdir a
root@bonnetmaker:/tmp/test# setfacl -m default:user:100100:rwX a
root@bonnetmaker:/tmp/test# setfacl -m user:100100:rwX a
root@bonnetmaker:/tmp/test# getfacl -n a
# file: a
# owner: 0
# group: 0
user::rwx
user:100100:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:100100:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

root@bonnetmaker:/tmp/test# lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /bin/bash
bash: /root/.bashrc: Permission denied
root@bonnetmaker:/tmp/test# ls -lh
total 512
drwxrwxr-x+ 2 nobody nogroup 2 May 23 16:24 a
root@bonnetmaker:/tmp/test# getfacl -n a
# file: a
# owner: 65534
# group: 65534
user::rwx
user:100:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:100:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

root@bonnetmaker:/tmp/test#

Numbers check out - looks like it's working now!

tags:

added: verification-done-xenial
removed: verification-needed-xenial

Revision history for this message

Richard Laager (rlaager) wrote on 2016-05-24:

This is fixed in zfs-linux in yakkety by way of having the 0.6.5.7 release.

Changed in zfs-linux (Ubuntu Yakkety):
status:	Confirmed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-06-09:

This bug was fixed in the package linux - 4.4.0-24.43

---------------
linux (4.4.0-24.43) xenial; urgency=low

[ Kamal Mostafa ]

  * CVE-2016-1583 (LP: #1588871)
    - ecryptfs: fix handling of directory opening
    - SAUCE: proc: prevent stacking filesystems on top
    - SAUCE: ecryptfs: forbid opening files without mmap handler
    - SAUCE: sched: panic on corrupted stack end

* arm64: statically link rtc-efi (LP: #1583738)
- [Config] Link rtc-efi statically on arm64

-- Kamal Mostafa <email address hidden> Fri, 03 Jun 2016 10:02:16 -0700

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuzfs-linux package

ZFS is confused by user namespaces (uid/gid mapping) when used with acltype=posixac

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
zfs-linux package