Date: Thu, 24 May 2018 17:59:44 +0200
From: Christian Brauner
To: "Eric W. Biederman"
Cc: Linux Containers, linux-fsdevel@vger.kernel.org, Seth Forshee, "Serge E. Hallyn", linux-kernel@vger.kernel.org
Subject: Re: [REVIEW][PATCH 6/6] fs: Allow CAP_SYS_ADMIN in s_user_ns to freeze and thaw filesystems
Message-ID: <20180524155943.GC19932@mailbox.org>
References: <87o9h6554f.fsf@xmission.com> <20180523232538.4880-6-ebiederm@xmission.com>
In-Reply-To: <20180523232538.4880-6-ebiederm@xmission.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 23, 2018 at 06:25:38PM -0500, Eric W. Biederman wrote:
> From: Seth Forshee
>
> The user in control of a super block should be allowed to freeze
> and thaw it. Relax the restrictions on the FIFREEZE and FITHAW
> ioctls to require CAP_SYS_ADMIN in s_user_ns.

Acked-by: Christian Brauner

>
> Signed-off-by: Seth Forshee
> Signed-off-by: Eric W. Biederman
> --- > fs/ioctl.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/ioctl.c b/fs/ioctl.c > index 4823431d1c9d..b445b13fc59b 100644 > --- a/fs/ioctl.c > +++ b/fs/ioctl.c > @@ -549,7 +549,7 @@ static int ioctl_fsfreeze(struct file *filp) > { > struct super_block *sb = file_inode(filp)->i_sb; > > - if (!capable(CAP_SYS_ADMIN)) > + if (!ns_capable(sb->s_user_ns, CAP_SYS_ADMIN)) > return -EPERM; > > /* If filesystem doesn't support freeze feature, return. */ > @@ -566,7 +566,7 @@ static int ioctl_fsthaw(struct file *filp) > { > struct super_block *sb = file_inode(filp)->i_sb; > > - if (!capable(CAP_SYS_ADMIN)) > + if (!ns_capable(sb->s_user_ns, CAP_SYS_ADMIN)) > return -EPERM; > > /* Thaw */ > -- > 2.14.1 >
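
Review bot: In the ioctl_fsfreeze() hunk, the new `ns_capable(sb->s_user_ns, CAP_SYS_ADMIN)` check lets an admin of the owning user namespace freeze the whole super block, but neither the changelog nor a comment at the check says why no task outside that namespace can be left blocked on writes to it. For a super block whose s_user_ns is the initial user namespace the new test is equivalent to the old `capable(CAP_SYS_ADMIN)`, so the behaviour only changes for filesystems mounted inside a user namespace; please state that in the commit message and add a one-line comment above the check explaining why s_user_ns is the right namespace to test.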
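
Review bot: In the ioctl_fsthaw() hunk, the relaxed check looks only at `sb->s_user_ns` and not at who froze the super block, so a caller with CAP_SYS_ADMIN in s_user_ns can thaw a filesystem that a task with CAP_SYS_ADMIN in the initial namespace froze, for example around a snapshot. If that asymmetry is intended, say so in the commit message; if not, consider leaving the thaw side on `capable(CAP_SYS_ADMIN)` or otherwise tying the right to thaw to the privilege that was used to freeze.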