[PATCH][BIONIC] UBUNTU: SAUCE: Fix ZFS setgid (LP: #1753288)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

[PATCH][BIONIC] UBUNTU: SAUCE: Fix ZFS setgid (LP: #1753288)

Colin King
From: Colin Ian King <[hidden email]>

  Pull in upstream commit 0e85048f53e4, namely:
  "Take user namespaces into account in policy checks"
  - Change file related checks to use user namespaces and make
    sure involved uids/gids are mappable in the current
    namespace.
  - Sync'd from zfsutils-linux 0.7.5-1ubuntu5

Signed-off-by: Colin Ian King <[hidden email]>
---
 zfs/META                                 |   2 +-
 zfs/Makefile.in                          |   1 +
 zfs/aclocal.m4                           |   1 +
 zfs/config/config.guess                  | 487 ++++++++++++++++---------------
 zfs/config/config.sub                    | 203 +++++--------
 zfs/config/kernel-userns-capabilities.m4 |  67 +++++
 zfs/config/kernel.m4                     |   1 +
 zfs/configure                            | 398 +++++++++++++++++++++++++
 zfs/include/Makefile.in                  |   1 +
 zfs/include/linux/Makefile.in            |   1 +
 zfs/include/sys/Makefile.in              |   1 +
 zfs/include/sys/crypto/Makefile.in       |   1 +
 zfs/include/sys/fm/Makefile.in           |   1 +
 zfs/include/sys/fm/fs/Makefile.in        |   1 +
 zfs/include/sys/fs/Makefile.in           |   1 +
 zfs/include/sys/sysevent/Makefile.in     |   1 +
 zfs/module/zfs/policy.c                  |  66 ++++-
 zfs/zfs_config.h.in                      |   9 +
 18 files changed, 875 insertions(+), 368 deletions(-)
 create mode 100644 zfs/config/kernel-userns-capabilities.m4

diff --git a/zfs/META b/zfs/META
index dfd548a..84c332a 100644
--- a/zfs/META
+++ b/zfs/META
@@ -2,7 +2,7 @@ Meta:         1
 Name:         zfs
 Branch:       1.0
 Version:      0.7.5
-Release:      1ubuntu1
+Release:      1ubuntu5
 Release-Tags: relext
 License:      CDDL
 Author:       OpenZFS on Linux
diff --git a/zfs/Makefile.in b/zfs/Makefile.in
index d3eb665..9dd300b 100644
--- a/zfs/Makefile.in
+++ b/zfs/Makefile.in
@@ -181,6 +181,7 @@ am__aclocal_m4_deps = $(top_srcdir)/config/always-arch.m4 \
  $(top_srcdir)/config/kernel-tmpfile.m4 \
  $(top_srcdir)/config/kernel-truncate-range.m4 \
  $(top_srcdir)/config/kernel-truncate-setsize.m4 \
+ $(top_srcdir)/config/kernel-userns-capabilities.m4 \
  $(top_srcdir)/config/kernel-vfs-iterate.m4 \
  $(top_srcdir)/config/kernel-vfs-rw-iterate.m4 \
  $(top_srcdir)/config/kernel-vm_node_stat.m4 \
diff --git a/zfs/aclocal.m4 b/zfs/aclocal.m4
index 2694a61..84d98a9 100644
--- a/zfs/aclocal.m4
+++ b/zfs/aclocal.m4
@@ -1288,6 +1288,7 @@ m4_include([config/kernel-super-userns.m4])
 m4_include([config/kernel-tmpfile.m4])
 m4_include([config/kernel-truncate-range.m4])
 m4_include([config/kernel-truncate-setsize.m4])
+m4_include([config/kernel-userns-capabilities.m4])
 m4_include([config/kernel-vfs-iterate.m4])
 m4_include([config/kernel-vfs-rw-iterate.m4])
 m4_include([config/kernel-vm_node_stat.m4])
diff --git a/zfs/config/config.guess b/zfs/config/config.guess
index 31e01ef..f50dcdb 100755
--- a/zfs/config/config.guess
+++ b/zfs/config/config.guess
@@ -1,8 +1,8 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
-#   Copyright 1992-2017 Free Software Foundation, Inc.
+#   Copyright 1992-2018 Free Software Foundation, Inc.
 
-timestamp='2017-11-07'
+timestamp='2018-02-24'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -50,7 +50,7 @@ version="\
 GNU config.guess ($timestamp)
 
 Originally written by Per Bothner.
-Copyright 1992-2017 Free Software Foundation, Inc.
+Copyright 1992-2018 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -107,9 +107,9 @@ trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
 dummy=$tmp/dummy ;
 tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
 case $CC_FOR_BUILD,$HOST_CC,$CC in
- ,,)    echo "int x;" > $dummy.c ;
+ ,,)    echo "int x;" > "$dummy.c" ;
  for c in cc gcc c89 c99 ; do
-  if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
+  if ($c -c -o "$dummy.o" "$dummy.c") >/dev/null 2>&1 ; then
      CC_FOR_BUILD="$c"; break ;
   fi ;
  done ;
@@ -132,14 +132,14 @@ UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
 UNAME_SYSTEM=`(uname -s) 2>/dev/null`  || UNAME_SYSTEM=unknown
 UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
 
-case "${UNAME_SYSTEM}" in
+case "$UNAME_SYSTEM" in
 Linux|GNU|GNU/*)
  # If the system lacks a compiler, then just pick glibc.
  # We could probably try harder.
  LIBC=gnu
 
- eval $set_cc_for_build
- cat <<-EOF > $dummy.c
+ eval "$set_cc_for_build"
+ cat <<-EOF > "$dummy.c"
  #include <features.h>
  #if defined(__UCLIBC__)
  LIBC=uclibc
@@ -149,13 +149,20 @@ Linux|GNU|GNU/*)
  LIBC=gnu
  #endif
  EOF
- eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`
+ eval "`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`"
+
+ # If ldd exists, use it to detect musl libc.
+ if command -v ldd >/dev/null && \
+ ldd --version 2>&1 | grep -q ^musl
+ then
+    LIBC=musl
+ fi
  ;;
 esac
 
 # Note: order is significant - the case branches are not exclusive.
 
-case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+case "$UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION" in
     *:NetBSD:*:*)
  # NetBSD (nbsd) targets should (where applicable) match one or
  # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
@@ -169,30 +176,30 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
  # portion of the name.  We always set it to "unknown".
  sysctl="sysctl -n hw.machine_arch"
  UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \
-    /sbin/$sysctl 2>/dev/null || \
-    /usr/sbin/$sysctl 2>/dev/null || \
+    "/sbin/$sysctl" 2>/dev/null || \
+    "/usr/sbin/$sysctl" 2>/dev/null || \
     echo unknown)`
- case "${UNAME_MACHINE_ARCH}" in
+ case "$UNAME_MACHINE_ARCH" in
     armeb) machine=armeb-unknown ;;
     arm*) machine=arm-unknown ;;
     sh3el) machine=shl-unknown ;;
     sh3eb) machine=sh-unknown ;;
     sh5el) machine=sh5le-unknown ;;
     earmv*)
- arch=`echo ${UNAME_MACHINE_ARCH} | sed -e 's,^e\(armv[0-9]\).*$,\1,'`
- endian=`echo ${UNAME_MACHINE_ARCH} | sed -ne 's,^.*\(eb\)$,\1,p'`
- machine=${arch}${endian}-unknown
+ arch=`echo "$UNAME_MACHINE_ARCH" | sed -e 's,^e\(armv[0-9]\).*$,\1,'`
+ endian=`echo "$UNAME_MACHINE_ARCH" | sed -ne 's,^.*\(eb\)$,\1,p'`
+ machine="${arch}${endian}"-unknown
  ;;
-    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
+    *) machine="$UNAME_MACHINE_ARCH"-unknown ;;
  esac
  # The Operating System including object format, if it has switched
  # to ELF recently (or will in the future) and ABI.
- case "${UNAME_MACHINE_ARCH}" in
+ case "$UNAME_MACHINE_ARCH" in
     earm*)
  os=netbsdelf
  ;;
     arm*|i386|m68k|ns32k|sh3*|sparc|vax)
- eval $set_cc_for_build
+ eval "$set_cc_for_build"
  if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
  | grep -q __ELF__
  then
@@ -208,10 +215,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
  ;;
  esac
  # Determine ABI tags.
- case "${UNAME_MACHINE_ARCH}" in
+ case "$UNAME_MACHINE_ARCH" in
     earm*)
  expr='s/^earmv[0-9]/-eabi/;s/eb$//'
- abi=`echo ${UNAME_MACHINE_ARCH} | sed -e "$expr"`
+ abi=`echo "$UNAME_MACHINE_ARCH" | sed -e "$expr"`
  ;;
  esac
  # The OS release
@@ -219,52 +226,55 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
  # thus, need a distinct triplet. However, they do not need
  # kernel version information, so it can be replaced with a
  # suitable tag, in the style of linux-gnu.
- case "${UNAME_VERSION}" in
+ case "$UNAME_VERSION" in
     Debian*)
  release='-gnu'
  ;;
     *)
- release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2`
+ release=`echo "$UNAME_RELEASE" | sed -e 's/[-_].*//' | cut -d. -f1,2`
  ;;
  esac
  # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
  # contains redundant information, the shorter form:
  # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
- echo "${machine}-${os}${release}${abi}"
+ echo "$machine-${os}${release}${abi}"
  exit ;;
     *:Bitrig:*:*)
  UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
- echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE}
+ echo "$UNAME_MACHINE_ARCH"-unknown-bitrig"$UNAME_RELEASE"
  exit ;;
     *:OpenBSD:*:*)
  UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
- echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
+ echo "$UNAME_MACHINE_ARCH"-unknown-openbsd"$UNAME_RELEASE"
  exit ;;
     *:LibertyBSD:*:*)
  UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'`
- echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE}
+ echo "$UNAME_MACHINE_ARCH"-unknown-libertybsd"$UNAME_RELEASE"
  exit ;;
     *:MidnightBSD:*:*)
- echo ${UNAME_MACHINE}-unknown-midnightbsd${UNAME_RELEASE}
+ echo "$UNAME_MACHINE"-unknown-midnightbsd"$UNAME_RELEASE"
  exit ;;
     *:ekkoBSD:*:*)
- echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
+ echo "$UNAME_MACHINE"-unknown-ekkobsd"$UNAME_RELEASE"
  exit ;;
     *:SolidBSD:*:*)
- echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE}
+ echo "$UNAME_MACHINE"-unknown-solidbsd"$UNAME_RELEASE"
  exit ;;
     macppc:MirBSD:*:*)
- echo powerpc-unknown-mirbsd${UNAME_RELEASE}
+ echo powerpc-unknown-mirbsd"$UNAME_RELEASE"
  exit ;;
     *:MirBSD:*:*)
- echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
+ echo "$UNAME_MACHINE"-unknown-mirbsd"$UNAME_RELEASE"
  exit ;;
     *:Sortix:*:*)
- echo ${UNAME_MACHINE}-unknown-sortix
+ echo "$UNAME_MACHINE"-unknown-sortix
  exit ;;
     *:Redox:*:*)
- echo ${UNAME_MACHINE}-unknown-redox
+ echo "$UNAME_MACHINE"-unknown-redox
  exit ;;
+    mips:OSF1:*.*)
+        echo mips-dec-osf1
+        exit ;;
     alpha:OSF1:*:*)
  case $UNAME_RELEASE in
  *4.0)
@@ -316,7 +326,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
  # A Tn.n version is a released field test version.
  # A Xn.n version is an unreleased experimental baselevel.
  # 1.2 uses "1.2" for uname -r.
- echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
+ echo "$UNAME_MACHINE"-dec-osf"`echo "$UNAME_RELEASE" | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`"
  # Reset EXIT trap before exiting to avoid spurious non-zero exit code.
  exitcode=$?
  trap '' 0
@@ -325,10 +335,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
  echo m68k-unknown-sysv4
  exit ;;
     *:[Aa]miga[Oo][Ss]:*:*)
- echo ${UNAME_MACHINE}-unknown-amigaos
+ echo "$UNAME_MACHINE"-unknown-amigaos
  exit ;;
     *:[Mm]orph[Oo][Ss]:*:*)
- echo ${UNAME_MACHINE}-unknown-morphos
+ echo "$UNAME_MACHINE"-unknown-morphos
  exit ;;
     *:OS/390:*:*)
  echo i370-ibm-openedition
@@ -340,7 +350,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
  echo powerpc-ibm-os400
  exit ;;
     arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
- echo arm-acorn-riscix${UNAME_RELEASE}
+ echo arm-acorn-riscix"$UNAME_RELEASE"
  exit ;;
     arm*:riscos:*:*|arm*:RISCOS:*:*)
  echo arm-unknown-riscos
@@ -367,19 +377,19 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
     sparc) echo sparc-icl-nx7; exit ;;
  esac ;;
     s390x:SunOS:*:*)
- echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ echo "$UNAME_MACHINE"-ibm-solaris2"`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'`"
  exit ;;
     sun4H:SunOS:5.*:*)
- echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ echo sparc-hal-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`"
  exit ;;
     sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
- echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ echo sparc-sun-solaris2"`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'`"
  exit ;;
     i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*)
- echo i386-pc-auroraux${UNAME_RELEASE}
+ echo i386-pc-auroraux"$UNAME_RELEASE"
  exit ;;
     i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
- eval $set_cc_for_build
+ eval "$set_cc_for_build"
  SUN_ARCH=i386
  # If there is a compiler, see if it is configured for 64-bit objects.
  # Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
@@ -392,13 +402,13 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
  SUN_ARCH=x86_64
     fi
  fi
- echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ echo "$SUN_ARCH"-pc-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`"
  exit ;;
     sun4*:SunOS:6*:*)
  # According to config.sub, this is the proper way to canonicalize
  # SunOS6.  Hard to guess exactly what SunOS6 will be like, but
  # it's likely to be more like Solaris than SunOS4.
- echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ echo sparc-sun-solaris3"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`"
  exit ;;
     sun4*:SunOS:*:*)
  case "`/usr/bin/arch -k`" in
@@ -407,25 +417,25 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
  ;;
  esac
  # Japanese Language versions have a version number like `4.1.3-JL'.
- echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
+ echo sparc-sun-sunos"`echo "$UNAME_RELEASE"|sed -e 's/-/_/'`"
  exit ;;
     sun3*:SunOS:*:*)
- echo m68k-sun-sunos${UNAME_RELEASE}
+ echo m68k-sun-sunos"$UNAME_RELEASE"
  exit ;;
     sun*:*:4.2BSD:*)
  UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
- test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3
+ test "x$UNAME_RELEASE" = x && UNAME_RELEASE=3
  case "`/bin/arch`" in
     sun3)
- echo m68k-sun-sunos${UNAME_RELEASE}
+ echo m68k-sun-sunos"$UNAME_RELEASE"
  ;;
     sun4)
- echo sparc-sun-sunos${UNAME_RELEASE}
+ echo sparc-sun-sunos"$UNAME_RELEASE"
  ;;
  esac
  exit ;;
     aushp:SunOS:*:*)
- echo sparc-auspex-sunos${UNAME_RELEASE}
+ echo sparc-auspex-sunos"$UNAME_RELEASE"
  exit ;;
     # The situation for MiNT is a little confusing.  The machine name
     # can be virtually everything (everything which is not
@@ -436,44 +446,44 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
     # MiNT.  But MiNT is downward compatible to TOS, so this should
     # be no problem.
     atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
- echo m68k-atari-mint${UNAME_RELEASE}
+ echo m68k-atari-mint"$UNAME_RELEASE"
  exit ;;
     atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
- echo m68k-atari-mint${UNAME_RELEASE}
+ echo m68k-atari-mint"$UNAME_RELEASE"
  exit ;;
     *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
- echo m68k-atari-mint${UNAME_RELEASE}
+ echo m68k-atari-mint"$UNAME_RELEASE"
  exit ;;
     milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
- echo m68k-milan-mint${UNAME_RELEASE}
+ echo m68k-milan-mint"$UNAME_RELEASE"
  exit ;;
     hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
- echo m68k-hades-mint${UNAME_RELEASE}
+ echo m68k-hades-mint"$UNAME_RELEASE"
  exit ;;
     *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
- echo m68k-unknown-mint${UNAME_RELEASE}
+ echo m68k-unknown-mint"$UNAME_RELEASE"
  exit ;;
     m68k:machten:*:*)
- echo m68k-apple-machten${UNAME_RELEASE}
+ echo m68k-apple-machten"$UNAME_RELEASE"
  exit ;;
     powerpc:machten:*:*)
- echo powerpc-apple-machten${UNAME_RELEASE}
+ echo powerpc-apple-machten"$UNAME_RELEASE"
  exit ;;
     RISC*:Mach:*:*)
  echo mips-dec-mach_bsd4.3
  exit ;;
     RISC*:ULTRIX:*:*)
- echo mips-dec-ultrix${UNAME_RELEASE}
+ echo mips-dec-ultrix"$UNAME_RELEASE"
  exit ;;
     VAX*:ULTRIX*:*:*)
- echo vax-dec-ultrix${UNAME_RELEASE}
+ echo vax-dec-ultrix"$UNAME_RELEASE"
  exit ;;
     2020:CLIX:*:* | 2430:CLIX:*:*)
- echo clipper-intergraph-clix${UNAME_RELEASE}
+ echo clipper-intergraph-clix"$UNAME_RELEASE"
  exit ;;
     mips:*:*:UMIPS | mips:*:*:RISCos)
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
+ eval "$set_cc_for_build"
+ sed 's/^ //' << EOF > "$dummy.c"
 #ifdef __cplusplus
 #include <stdio.h>  /* for printf() prototype */
  int main (int argc, char *argv[]) {
@@ -494,11 +504,11 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
   exit (-1);
  }
 EOF
- $CC_FOR_BUILD -o $dummy $dummy.c &&
-  dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
-  SYSTEM_NAME=`$dummy $dummyarg` &&
+ $CC_FOR_BUILD -o "$dummy" "$dummy.c" &&
+  dummyarg=`echo "$UNAME_RELEASE" | sed -n 's/\([0-9]*\).*/\1/p'` &&
+  SYSTEM_NAME=`"$dummy" "$dummyarg"` &&
     { echo "$SYSTEM_NAME"; exit; }
- echo mips-mips-riscos${UNAME_RELEASE}
+ echo mips-mips-riscos"$UNAME_RELEASE"
  exit ;;
     Motorola:PowerMAX_OS:*:*)
  echo powerpc-motorola-powermax
@@ -524,17 +534,17 @@ EOF
     AViiON:dgux:*:*)
  # DG/UX returns AViiON for all architectures
  UNAME_PROCESSOR=`/usr/bin/uname -p`
- if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
+ if [ "$UNAME_PROCESSOR" = mc88100 ] || [ "$UNAME_PROCESSOR" = mc88110 ]
  then
-    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
-       [ ${TARGET_BINARY_INTERFACE}x = x ]
+    if [ "$TARGET_BINARY_INTERFACE"x = m88kdguxelfx ] || \
+       [ "$TARGET_BINARY_INTERFACE"x = x ]
     then
- echo m88k-dg-dgux${UNAME_RELEASE}
+ echo m88k-dg-dgux"$UNAME_RELEASE"
     else
- echo m88k-dg-dguxbcs${UNAME_RELEASE}
+ echo m88k-dg-dguxbcs"$UNAME_RELEASE"
     fi
  else
-    echo i586-dg-dgux${UNAME_RELEASE}
+    echo i586-dg-dgux"$UNAME_RELEASE"
  fi
  exit ;;
     M88*:DolphinOS:*:*) # DolphinOS (SVR3)
@@ -551,7 +561,7 @@ EOF
  echo m68k-tektronix-bsd
  exit ;;
     *:IRIX*:*:*)
- echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
+ echo mips-sgi-irix"`echo "$UNAME_RELEASE"|sed -e 's/-/_/g'`"
  exit ;;
     ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
  echo romp-ibm-aix     # uname -m gives an 8 hex-code CPU id
@@ -563,14 +573,14 @@ EOF
  if [ -x /usr/bin/oslevel ] ; then
  IBM_REV=`/usr/bin/oslevel`
  else
- IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+ IBM_REV="$UNAME_VERSION.$UNAME_RELEASE"
  fi
- echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
+ echo "$UNAME_MACHINE"-ibm-aix"$IBM_REV"
  exit ;;
     *:AIX:2:3)
  if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
+ eval "$set_cc_for_build"
+ sed 's/^ //' << EOF > "$dummy.c"
  #include <sys/systemcfg.h>
 
  main()
@@ -581,7 +591,7 @@ EOF
  exit(0);
  }
 EOF
- if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
+ if $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"`
  then
  echo "$SYSTEM_NAME"
  else
@@ -595,7 +605,7 @@ EOF
  exit ;;
     *:AIX:*:[4567])
  IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
- if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
+ if /usr/sbin/lsattr -El "$IBM_CPU_ID" | grep ' POWER' >/dev/null 2>&1; then
  IBM_ARCH=rs6000
  else
  IBM_ARCH=powerpc
@@ -604,9 +614,9 @@ EOF
  IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc |
    awk -F: '{ print $3 }' | sed s/[0-9]*$/0/`
  else
- IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+ IBM_REV="$UNAME_VERSION.$UNAME_RELEASE"
  fi
- echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+ echo "$IBM_ARCH"-ibm-aix"$IBM_REV"
  exit ;;
     *:AIX:*:*)
  echo rs6000-ibm-aix
@@ -615,7 +625,7 @@ EOF
  echo romp-ibm-bsd4.4
  exit ;;
     ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
- echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
+ echo romp-ibm-bsd"$UNAME_RELEASE"   # 4.3 with uname added to
  exit ;;                             # report: romp-ibm BSD 4.3
     *:BOSX:*:*)
  echo rs6000-bull-bosx
@@ -630,28 +640,28 @@ EOF
  echo m68k-hp-bsd4.4
  exit ;;
     9000/[34678]??:HP-UX:*:*)
- HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
- case "${UNAME_MACHINE}" in
+ HPUX_REV=`echo "$UNAME_RELEASE"|sed -e 's/[^.]*.[0B]*//'`
+ case "$UNAME_MACHINE" in
     9000/31?)            HP_ARCH=m68000 ;;
     9000/[34]??)         HP_ARCH=m68k ;;
     9000/[678][0-9][0-9])
  if [ -x /usr/bin/getconf ]; then
     sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
     sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
-    case "${sc_cpu_version}" in
+    case "$sc_cpu_version" in
       523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0
       528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1
       532)                      # CPU_PA_RISC2_0
- case "${sc_kernel_bits}" in
+ case "$sc_kernel_bits" in
   32) HP_ARCH=hppa2.0n ;;
   64) HP_ARCH=hppa2.0w ;;
   '') HP_ARCH=hppa2.0 ;;   # HP-UX 10.20
  esac ;;
     esac
  fi
- if [ "${HP_ARCH}" = "" ]; then
-    eval $set_cc_for_build
-    sed 's/^ //' << EOF >$dummy.c
+ if [ "$HP_ARCH" = "" ]; then
+    eval "$set_cc_for_build"
+    sed 's/^ //' << EOF > "$dummy.c"
 
  #define _HPUX_SOURCE
  #include <stdlib.h>
@@ -684,13 +694,13 @@ EOF
     exit (0);
  }
 EOF
-    (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+    (CCOPTS="" $CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null) && HP_ARCH=`"$dummy"`
     test -z "$HP_ARCH" && HP_ARCH=hppa
  fi ;;
  esac
- if [ ${HP_ARCH} = hppa2.0w ]
+ if [ "$HP_ARCH" = hppa2.0w ]
  then
-    eval $set_cc_for_build
+    eval "$set_cc_for_build"
 
     # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
     # 32-bit code.  hppa64-hp-hpux* has the same kernel and a compiler
@@ -709,15 +719,15 @@ EOF
  HP_ARCH=hppa64
     fi
  fi
- echo ${HP_ARCH}-hp-hpux${HPUX_REV}
+ echo "$HP_ARCH"-hp-hpux"$HPUX_REV"
  exit ;;
     ia64:HP-UX:*:*)
- HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
- echo ia64-hp-hpux${HPUX_REV}
+ HPUX_REV=`echo "$UNAME_RELEASE"|sed -e 's/[^.]*.[0B]*//'`
+ echo ia64-hp-hpux"$HPUX_REV"
  exit ;;
     3050*:HI-UX:*:*)
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
+ eval "$set_cc_for_build"
+ sed 's/^ //' << EOF > "$dummy.c"
  #include <unistd.h>
  int
  main ()
@@ -742,7 +752,7 @@ EOF
   exit (0);
  }
 EOF
- $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` &&
+ $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` &&
  { echo "$SYSTEM_NAME"; exit; }
  echo unknown-hitachi-hiuxwe2
  exit ;;
@@ -763,9 +773,9 @@ EOF
  exit ;;
     i*86:OSF1:*:*)
  if [ -x /usr/sbin/sysversion ] ; then
-    echo ${UNAME_MACHINE}-unknown-osf1mk
+    echo "$UNAME_MACHINE"-unknown-osf1mk
  else
-    echo ${UNAME_MACHINE}-unknown-osf1
+    echo "$UNAME_MACHINE"-unknown-osf1
  fi
  exit ;;
     parisc*:Lites*:*:*)
@@ -790,109 +800,109 @@ EOF
  echo c4-convex-bsd
  exit ;;
     CRAY*Y-MP:*:*:*)
- echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ echo ymp-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'
  exit ;;
     CRAY*[A-Z]90:*:*:*)
- echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
+ echo "$UNAME_MACHINE"-cray-unicos"$UNAME_RELEASE" \
  | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
       -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
       -e 's/\.[^.]*$/.X/'
  exit ;;
     CRAY*TS:*:*:*)
- echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ echo t90-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'
  exit ;;
     CRAY*T3E:*:*:*)
- echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ echo alphaev5-cray-unicosmk"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'
  exit ;;
     CRAY*SV1:*:*:*)
- echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ echo sv1-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'
  exit ;;
     *:UNICOS/mp:*:*)
- echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ echo craynv-cray-unicosmp"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'
  exit ;;
     F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
  FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
  FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
- FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+ FUJITSU_REL=`echo "$UNAME_RELEASE" | sed -e 's/ /_/'`
  echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
  exit ;;
     5000:UNIX_System_V:4.*:*)
  FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
- FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'`
+ FUJITSU_REL=`echo "$UNAME_RELEASE" | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'`
  echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
  exit ;;
     i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
- echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+ echo "$UNAME_MACHINE"-pc-bsdi"$UNAME_RELEASE"
  exit ;;
     sparc*:BSD/OS:*:*)
- echo sparc-unknown-bsdi${UNAME_RELEASE}
+ echo sparc-unknown-bsdi"$UNAME_RELEASE"
  exit ;;
     *:BSD/OS:*:*)
- echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
+ echo "$UNAME_MACHINE"-unknown-bsdi"$UNAME_RELEASE"
  exit ;;
     *:FreeBSD:*:*)
  UNAME_PROCESSOR=`/usr/bin/uname -p`
- case ${UNAME_PROCESSOR} in
+ case "$UNAME_PROCESSOR" in
     amd64)
  UNAME_PROCESSOR=x86_64 ;;
     i386)
  UNAME_PROCESSOR=i586 ;;
  esac
- echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+ echo "$UNAME_PROCESSOR"-unknown-freebsd"`echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`"
  exit ;;
     i*:CYGWIN*:*)
- echo ${UNAME_MACHINE}-pc-cygwin
+ echo "$UNAME_MACHINE"-pc-cygwin
  exit ;;
     *:MINGW64*:*)
- echo ${UNAME_MACHINE}-pc-mingw64
+ echo "$UNAME_MACHINE"-pc-mingw64
  exit ;;
     *:MINGW*:*)
- echo ${UNAME_MACHINE}-pc-mingw32
+ echo "$UNAME_MACHINE"-pc-mingw32
  exit ;;
     *:MSYS*:*)
- echo ${UNAME_MACHINE}-pc-msys
+ echo "$UNAME_MACHINE"-pc-msys
  exit ;;
     i*:PW*:*)
- echo ${UNAME_MACHINE}-pc-pw32
+ echo "$UNAME_MACHINE"-pc-pw32
  exit ;;
     *:Interix*:*)
- case ${UNAME_MACHINE} in
+ case "$UNAME_MACHINE" in
     x86)
- echo i586-pc-interix${UNAME_RELEASE}
+ echo i586-pc-interix"$UNAME_RELEASE"
  exit ;;
     authenticamd | genuineintel | EM64T)
- echo x86_64-unknown-interix${UNAME_RELEASE}
+ echo x86_64-unknown-interix"$UNAME_RELEASE"
  exit ;;
     IA64)
- echo ia64-unknown-interix${UNAME_RELEASE}
+ echo ia64-unknown-interix"$UNAME_RELEASE"
  exit ;;
  esac ;;
     i*:UWIN*:*)
- echo ${UNAME_MACHINE}-pc-uwin
+ echo "$UNAME_MACHINE"-pc-uwin
  exit ;;
     amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*)
  echo x86_64-unknown-cygwin
  exit ;;
     prep*:SunOS:5.*:*)
- echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ echo powerpcle-unknown-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`"
  exit ;;
     *:GNU:*:*)
  # the GNU system
- echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+ echo "`echo "$UNAME_MACHINE"|sed -e 's,[-/].*$,,'`-unknown-$LIBC`echo "$UNAME_RELEASE"|sed -e 's,/.*$,,'`"
  exit ;;
     *:GNU/*:*:*)
  # other systems with GNU libc and userland
- echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
+ echo "$UNAME_MACHINE-unknown-`echo "$UNAME_SYSTEM" | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`-$LIBC"
  exit ;;
     i*86:Minix:*:*)
- echo ${UNAME_MACHINE}-pc-minix
+ echo "$UNAME_MACHINE"-pc-minix
  exit ;;
     aarch64:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     aarch64_be:Linux:*:*)
  UNAME_MACHINE=aarch64_be
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     alpha:Linux:*:*)
  case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
@@ -906,63 +916,63 @@ EOF
  esac
  objdump --private-headers /bin/sh | grep -q ld.so.1
  if test "$?" = 0 ; then LIBC=gnulibc1 ; fi
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     arc:Linux:*:* | arceb:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     arm*:Linux:*:*)
- eval $set_cc_for_build
+ eval "$set_cc_for_build"
  if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
     | grep -q __ARM_EABI__
  then
-    echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+    echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  else
     if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
  | grep -q __ARM_PCS_VFP
     then
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"eabi
     else
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"eabihf
     fi
  fi
  exit ;;
     avr32*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     cris:Linux:*:*)
- echo ${UNAME_MACHINE}-axis-linux-${LIBC}
+ echo "$UNAME_MACHINE"-axis-linux-"$LIBC"
  exit ;;
     crisv32:Linux:*:*)
- echo ${UNAME_MACHINE}-axis-linux-${LIBC}
+ echo "$UNAME_MACHINE"-axis-linux-"$LIBC"
  exit ;;
     e2k:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     frv:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     hexagon:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     i*86:Linux:*:*)
- echo ${UNAME_MACHINE}-pc-linux-${LIBC}
+ echo "$UNAME_MACHINE"-pc-linux-"$LIBC"
  exit ;;
     ia64:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     k1om:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     m32r*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     m68*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     mips:Linux:*:* | mips64:Linux:*:*)
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
+ eval "$set_cc_for_build"
+ sed 's/^ //' << EOF > "$dummy.c"
  #undef CPU
  #undef ${UNAME_MACHINE}
  #undef ${UNAME_MACHINE}el
@@ -976,70 +986,74 @@ EOF
  #endif
  #endif
 EOF
- eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
- test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
+ eval "`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^CPU'`"
+ test "x$CPU" != x && { echo "$CPU-unknown-linux-$LIBC"; exit; }
  ;;
     mips64el:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     openrisc*:Linux:*:*)
- echo or1k-unknown-linux-${LIBC}
+ echo or1k-unknown-linux-"$LIBC"
  exit ;;
     or32:Linux:*:* | or1k*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     padre:Linux:*:*)
- echo sparc-unknown-linux-${LIBC}
+ echo sparc-unknown-linux-"$LIBC"
  exit ;;
     parisc64:Linux:*:* | hppa64:Linux:*:*)
- echo hppa64-unknown-linux-${LIBC}
+ echo hppa64-unknown-linux-"$LIBC"
  exit ;;
     parisc:Linux:*:* | hppa:Linux:*:*)
  # Look for CPU level
  case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
-  PA7*) echo hppa1.1-unknown-linux-${LIBC} ;;
-  PA8*) echo hppa2.0-unknown-linux-${LIBC} ;;
-  *)    echo hppa-unknown-linux-${LIBC} ;;
+  PA7*) echo hppa1.1-unknown-linux-"$LIBC" ;;
+  PA8*) echo hppa2.0-unknown-linux-"$LIBC" ;;
+  *)    echo hppa-unknown-linux-"$LIBC" ;;
  esac
  exit ;;
     ppc64:Linux:*:*)
- echo powerpc64-unknown-linux-${LIBC}
+ echo powerpc64-unknown-linux-"$LIBC"
  exit ;;
     ppc:Linux:*:*)
- echo powerpc-unknown-linux-${LIBC}
+ echo powerpc-unknown-linux-"$LIBC"
  exit ;;
     ppc64le:Linux:*:*)
- echo powerpc64le-unknown-linux-${LIBC}
+ echo powerpc64le-unknown-linux-"$LIBC"
  exit ;;
     ppcle:Linux:*:*)
- echo powerpcle-unknown-linux-${LIBC}
+ echo powerpcle-unknown-linux-"$LIBC"
  exit ;;
     riscv32:Linux:*:* | riscv64:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     s390:Linux:*:* | s390x:Linux:*:*)
- echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
+ echo "$UNAME_MACHINE"-ibm-linux-"$LIBC"
  exit ;;
     sh64*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     sh*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     sparc:Linux:*:* | sparc64:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     tile*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     vax:Linux:*:*)
- echo ${UNAME_MACHINE}-dec-linux-${LIBC}
+ echo "$UNAME_MACHINE"-dec-linux-"$LIBC"
  exit ;;
     x86_64:Linux:*:*)
- echo ${UNAME_MACHINE}-pc-linux-${LIBC}
+ if objdump -f /bin/sh | grep -q elf32-x86-64; then
+    echo "$UNAME_MACHINE"-pc-linux-"$LIBC"x32
+ else
+    echo "$UNAME_MACHINE"-pc-linux-"$LIBC"
+ fi
  exit ;;
     xtensa*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
  exit ;;
     i*86:DYNIX/ptx:4*:*)
  # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
@@ -1053,34 +1067,34 @@ EOF
  # I am not positive that other SVR4 systems won't match this,
  # I just have to hope.  -- rms.
  # Use sysv4.2uw... so that sysv4* matches it.
- echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
+ echo "$UNAME_MACHINE"-pc-sysv4.2uw"$UNAME_VERSION"
  exit ;;
     i*86:OS/2:*:*)
  # If we were able to find `uname', then EMX Unix compatibility
  # is probably installed.
- echo ${UNAME_MACHINE}-pc-os2-emx
+ echo "$UNAME_MACHINE"-pc-os2-emx
  exit ;;
     i*86:XTS-300:*:STOP)
- echo ${UNAME_MACHINE}-unknown-stop
+ echo "$UNAME_MACHINE"-unknown-stop
  exit ;;
     i*86:atheos:*:*)
- echo ${UNAME_MACHINE}-unknown-atheos
+ echo "$UNAME_MACHINE"-unknown-atheos
  exit ;;
     i*86:syllable:*:*)
- echo ${UNAME_MACHINE}-pc-syllable
+ echo "$UNAME_MACHINE"-pc-syllable
  exit ;;
     i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*)
- echo i386-unknown-lynxos${UNAME_RELEASE}
+ echo i386-unknown-lynxos"$UNAME_RELEASE"
  exit ;;
     i*86:*DOS:*:*)
- echo ${UNAME_MACHINE}-pc-msdosdjgpp
+ echo "$UNAME_MACHINE"-pc-msdosdjgpp
  exit ;;
     i*86:*:4.*:*)
- UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
+ UNAME_REL=`echo "$UNAME_RELEASE" | sed 's/\/MP$//'`
  if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
- echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+ echo "$UNAME_MACHINE"-univel-sysv"$UNAME_REL"
  else
- echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+ echo "$UNAME_MACHINE"-pc-sysv"$UNAME_REL"
  fi
  exit ;;
     i*86:*:5:[678]*)
@@ -1090,12 +1104,12 @@ EOF
     *Pentium)     UNAME_MACHINE=i586 ;;
     *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
  esac
- echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
+ echo "$UNAME_MACHINE-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}{$UNAME_VERSION}"
  exit ;;
     i*86:*:3.2:*)
  if test -f /usr/options/cb.name; then
  UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
- echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
+ echo "$UNAME_MACHINE"-pc-isc"$UNAME_REL"
  elif /bin/uname -X 2>/dev/null >/dev/null ; then
  UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
  (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
@@ -1105,9 +1119,9 @@ EOF
  && UNAME_MACHINE=i686
  (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
  && UNAME_MACHINE=i686
- echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
+ echo "$UNAME_MACHINE"-pc-sco"$UNAME_REL"
  else
- echo ${UNAME_MACHINE}-pc-sysv32
+ echo "$UNAME_MACHINE"-pc-sysv32
  fi
  exit ;;
     pc:*:*:*)
@@ -1127,9 +1141,9 @@ EOF
  exit ;;
     i860:*:4.*:*) # i860-SVR4
  if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
-  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+  echo i860-stardent-sysv"$UNAME_RELEASE" # Stardent Vistra i860-SVR4
  else # Add other i860-SVR4 vendors below as they are discovered.
-  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
+  echo i860-unknown-sysv"$UNAME_RELEASE"  # Unknown i860-SVR4
  fi
  exit ;;
     mini*:CTIX:SYS*5:*)
@@ -1149,9 +1163,9 @@ EOF
  test -r /etc/.relid \
  && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
  /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-  && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
+  && { echo i486-ncr-sysv4.3"$OS_REL"; exit; }
  /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
-  && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
+  && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;;
     3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
  /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
   && { echo i486-ncr-sysv4; exit; } ;;
@@ -1160,28 +1174,28 @@ EOF
  test -r /etc/.relid \
     && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
  /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-    && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
+    && { echo i486-ncr-sysv4.3"$OS_REL"; exit; }
  /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
-    && { echo i586-ncr-sysv4.3${OS_REL}; exit; }
+    && { echo i586-ncr-sysv4.3"$OS_REL"; exit; }
  /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \
-    && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
+    && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;;
     m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
- echo m68k-unknown-lynxos${UNAME_RELEASE}
+ echo m68k-unknown-lynxos"$UNAME_RELEASE"
  exit ;;
     mc68030:UNIX_System_V:4.*:*)
  echo m68k-atari-sysv4
  exit ;;
     TSUNAMI:LynxOS:2.*:*)
- echo sparc-unknown-lynxos${UNAME_RELEASE}
+ echo sparc-unknown-lynxos"$UNAME_RELEASE"
  exit ;;
     rs6000:LynxOS:2.*:*)
- echo rs6000-unknown-lynxos${UNAME_RELEASE}
+ echo rs6000-unknown-lynxos"$UNAME_RELEASE"
  exit ;;
     PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*)
- echo powerpc-unknown-lynxos${UNAME_RELEASE}
+ echo powerpc-unknown-lynxos"$UNAME_RELEASE"
  exit ;;
     SM[BE]S:UNIX_SV:*:*)
- echo mips-dde-sysv${UNAME_RELEASE}
+ echo mips-dde-sysv"$UNAME_RELEASE"
  exit ;;
     RM*:ReliantUNIX-*:*:*)
  echo mips-sni-sysv4
@@ -1192,7 +1206,7 @@ EOF
     *:SINIX-*:*:*)
  if uname -p 2>/dev/null >/dev/null ; then
  UNAME_MACHINE=`(uname -p) 2>/dev/null`
- echo ${UNAME_MACHINE}-sni-sysv4
+ echo "$UNAME_MACHINE"-sni-sysv4
  else
  echo ns32k-sni-sysv
  fi
@@ -1212,23 +1226,23 @@ EOF
  exit ;;
     i*86:VOS:*:*)
  # From [hidden email].
- echo ${UNAME_MACHINE}-stratus-vos
+ echo "$UNAME_MACHINE"-stratus-vos
  exit ;;
     *:VOS:*:*)
  # From [hidden email].
  echo hppa1.1-stratus-vos
  exit ;;
     mc68*:A/UX:*:*)
- echo m68k-apple-aux${UNAME_RELEASE}
+ echo m68k-apple-aux"$UNAME_RELEASE"
  exit ;;
     news*:NEWS-OS:6*:*)
  echo mips-sony-newsos6
  exit ;;
     R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
  if [ -d /usr/nec ]; then
- echo mips-nec-sysv${UNAME_RELEASE}
+ echo mips-nec-sysv"$UNAME_RELEASE"
  else
- echo mips-unknown-sysv${UNAME_RELEASE}
+ echo mips-unknown-sysv"$UNAME_RELEASE"
  fi
  exit ;;
     BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
@@ -1247,39 +1261,39 @@ EOF
  echo x86_64-unknown-haiku
  exit ;;
     SX-4:SUPER-UX:*:*)
- echo sx4-nec-superux${UNAME_RELEASE}
+ echo sx4-nec-superux"$UNAME_RELEASE"
  exit ;;
     SX-5:SUPER-UX:*:*)
- echo sx5-nec-superux${UNAME_RELEASE}
+ echo sx5-nec-superux"$UNAME_RELEASE"
  exit ;;
     SX-6:SUPER-UX:*:*)
- echo sx6-nec-superux${UNAME_RELEASE}
+ echo sx6-nec-superux"$UNAME_RELEASE"
  exit ;;
     SX-7:SUPER-UX:*:*)
- echo sx7-nec-superux${UNAME_RELEASE}
+ echo sx7-nec-superux"$UNAME_RELEASE"
  exit ;;
     SX-8:SUPER-UX:*:*)
- echo sx8-nec-superux${UNAME_RELEASE}
+ echo sx8-nec-superux"$UNAME_RELEASE"
  exit ;;
     SX-8R:SUPER-UX:*:*)
- echo sx8r-nec-superux${UNAME_RELEASE}
+ echo sx8r-nec-superux"$UNAME_RELEASE"
  exit ;;
     SX-ACE:SUPER-UX:*:*)
- echo sxace-nec-superux${UNAME_RELEASE}
+ echo sxace-nec-superux"$UNAME_RELEASE"
  exit ;;
     Power*:Rhapsody:*:*)
- echo powerpc-apple-rhapsody${UNAME_RELEASE}
+ echo powerpc-apple-rhapsody"$UNAME_RELEASE"
  exit ;;
     *:Rhapsody:*:*)
- echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+ echo "$UNAME_MACHINE"-apple-rhapsody"$UNAME_RELEASE"
  exit ;;
     *:Darwin:*:*)
  UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
- eval $set_cc_for_build
+ eval "$set_cc_for_build"
  if test "$UNAME_PROCESSOR" = unknown ; then
     UNAME_PROCESSOR=powerpc
  fi
- if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
+ if test "`echo "$UNAME_RELEASE" | sed -e 's/\..*//'`" -le 10 ; then
     if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
  if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
        (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
@@ -1307,7 +1321,7 @@ EOF
     # that Apple uses in portable devices.
     UNAME_PROCESSOR=x86_64
  fi
- echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
+ echo "$UNAME_PROCESSOR"-apple-darwin"$UNAME_RELEASE"
  exit ;;
     *:procnto*:*:* | *:QNX:[0123456789]*:*)
  UNAME_PROCESSOR=`uname -p`
@@ -1315,22 +1329,25 @@ EOF
  UNAME_PROCESSOR=i386
  UNAME_MACHINE=pc
  fi
- echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
+ echo "$UNAME_PROCESSOR"-"$UNAME_MACHINE"-nto-qnx"$UNAME_RELEASE"
  exit ;;
     *:QNX:*:4*)
  echo i386-pc-qnx
  exit ;;
     NEO-*:NONSTOP_KERNEL:*:*)
- echo neo-tandem-nsk${UNAME_RELEASE}
+ echo neo-tandem-nsk"$UNAME_RELEASE"
  exit ;;
     NSE-*:NONSTOP_KERNEL:*:*)
- echo nse-tandem-nsk${UNAME_RELEASE}
+ echo nse-tandem-nsk"$UNAME_RELEASE"
  exit ;;
     NSR-*:NONSTOP_KERNEL:*:*)
- echo nsr-tandem-nsk${UNAME_RELEASE}
+ echo nsr-tandem-nsk"$UNAME_RELEASE"
+ exit ;;
+    NSV-*:NONSTOP_KERNEL:*:*)
+ echo nsv-tandem-nsk"$UNAME_RELEASE"
  exit ;;
     NSX-*:NONSTOP_KERNEL:*:*)
- echo nsx-tandem-nsk${UNAME_RELEASE}
+ echo nsx-tandem-nsk"$UNAME_RELEASE"
  exit ;;
     *:NonStop-UX:*:*)
  echo mips-compaq-nonstopux
@@ -1339,7 +1356,7 @@ EOF
  echo bs2000-siemens-sysv
  exit ;;
     DS/*:UNIX_System_V:*:*)
- echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+ echo "$UNAME_MACHINE"-"$UNAME_SYSTEM"-"$UNAME_RELEASE"
  exit ;;
     *:Plan9:*:*)
  # "uname -m" is not consistent, so use $cputype instead. 386
@@ -1350,7 +1367,7 @@ EOF
  else
     UNAME_MACHINE="$cputype"
  fi
- echo ${UNAME_MACHINE}-unknown-plan9
+ echo "$UNAME_MACHINE"-unknown-plan9
  exit ;;
     *:TOPS-10:*:*)
  echo pdp10-unknown-tops10
@@ -1371,14 +1388,14 @@ EOF
  echo pdp10-unknown-its
  exit ;;
     SEI:*:*:SEIUX)
- echo mips-sei-seiux${UNAME_RELEASE}
+ echo mips-sei-seiux"$UNAME_RELEASE"
  exit ;;
     *:DragonFly:*:*)
- echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+ echo "$UNAME_MACHINE"-unknown-dragonfly"`echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`"
  exit ;;
     *:*VMS:*:*)
  UNAME_MACHINE=`(uname -p) 2>/dev/null`
- case "${UNAME_MACHINE}" in
+ case "$UNAME_MACHINE" in
     A*) echo alpha-dec-vms ; exit ;;
     I*) echo ia64-dec-vms ; exit ;;
     V*) echo vax-dec-vms ; exit ;;
@@ -1387,16 +1404,16 @@ EOF
  echo i386-pc-xenix
  exit ;;
     i*86:skyos:*:*)
- echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'`
+ echo "$UNAME_MACHINE"-pc-skyos"`echo "$UNAME_RELEASE" | sed -e 's/ .*$//'`"
  exit ;;
     i*86:rdos:*:*)
- echo ${UNAME_MACHINE}-pc-rdos
+ echo "$UNAME_MACHINE"-pc-rdos
  exit ;;
     i*86:AROS:*:*)
- echo ${UNAME_MACHINE}-pc-aros
+ echo "$UNAME_MACHINE"-pc-aros
  exit ;;
     x86_64:VMkernel:*:*)
- echo ${UNAME_MACHINE}-unknown-esx
+ echo "$UNAME_MACHINE"-unknown-esx
  exit ;;
     amd64:Isilon\ OneFS:*:*)
  echo x86_64-unknown-onefs
@@ -1405,7 +1422,7 @@ esac
 
 echo "$0: unable to guess system type" >&2
 
-case "${UNAME_MACHINE}:${UNAME_SYSTEM}" in
+case "$UNAME_MACHINE:$UNAME_SYSTEM" in
     mips:Linux | mips64:Linux)
  # If we got here on MIPS GNU/Linux, output extra information.
  cat >&2 <<EOF
@@ -1447,10 +1464,10 @@ hostinfo               = `(hostinfo) 2>/dev/null`
 /usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
 /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
 
-UNAME_MACHINE = ${UNAME_MACHINE}
-UNAME_RELEASE = ${UNAME_RELEASE}
-UNAME_SYSTEM  = ${UNAME_SYSTEM}
-UNAME_VERSION = ${UNAME_VERSION}
+UNAME_MACHINE = "$UNAME_MACHINE"
+UNAME_RELEASE = "$UNAME_RELEASE"
+UNAME_SYSTEM  = "$UNAME_SYSTEM"
+UNAME_VERSION = "$UNAME_VERSION"
 EOF
 
 exit 1
diff --git a/zfs/config/config.sub b/zfs/config/config.sub
index 00f68b8..1d8e98bc 100755
--- a/zfs/config/config.sub
+++ b/zfs/config/config.sub
@@ -1,8 +1,8 @@
 #! /bin/sh
 # Configuration validation subroutine script.
-#   Copyright 1992-2017 Free Software Foundation, Inc.
+#   Copyright 1992-2018 Free Software Foundation, Inc.
 
-timestamp='2017-11-23'
+timestamp='2018-02-22'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -67,7 +67,7 @@ Report bugs and patches to <[hidden email]>."
 version="\
 GNU config.sub ($timestamp)
 
-Copyright 1992-2017 Free Software Foundation, Inc.
+Copyright 1992-2018 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -94,7 +94,7 @@ while test $# -gt 0 ; do
 
     *local*)
        # First pass through any local machine types.
-       echo $1
+       echo "$1"
        exit ;;
 
     * )
@@ -112,7 +112,7 @@ esac
 
 # Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
 # Here we must recognize all the valid KERNEL-OS combinations.
-maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+maybe_os=`echo "$1" | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
 case $maybe_os in
   nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
   linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
@@ -120,16 +120,16 @@ case $maybe_os in
   kopensolaris*-gnu* | cloudabi*-eabi* | \
   storm-chaos* | os2-emx* | rtmk-nova*)
     os=-$maybe_os
-    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+    basic_machine=`echo "$1" | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
     ;;
   android-linux)
     os=-linux-android
-    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
+    basic_machine=`echo "$1" | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
     ;;
   *)
-    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
-    if [ $basic_machine != $1 ]
-    then os=`echo $1 | sed 's/.*-/-/'`
+    basic_machine=`echo "$1" | sed 's/-[^-]*$//'`
+    if [ "$basic_machine" != "$1" ]
+    then os=`echo "$1" | sed 's/.*-/-/'`
     else os=; fi
     ;;
 esac
@@ -178,44 +178,44 @@ case $os in
  ;;
  -sco6)
  os=-sco5v6
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
  ;;
  -sco5)
  os=-sco3.2v5
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
  ;;
  -sco4)
  os=-sco3.2v4
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
  ;;
  -sco3.2.[4-9]*)
  os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
  ;;
  -sco3.2v[4-9]*)
  # Don't forget version if it is 3.2v4 or newer.
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
  ;;
  -sco5v6*)
  # Don't forget version if it is 3.2v4 or newer.
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
  ;;
  -sco*)
  os=-sco3.2v2
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
  ;;
  -udk*)
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
  ;;
  -isc)
  os=-isc2.2
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
  ;;
  -clix*)
  basic_machine=clipper-intergraph
  ;;
  -isc*)
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
  ;;
  -lynx*178)
  os=-lynxos178
@@ -227,7 +227,7 @@ case $os in
  os=-lynxos
  ;;
  -ptx*)
- basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
+ basic_machine=`echo "$1" | sed -e 's/86-.*/86-sequent/'`
  ;;
  -psos*)
  os=-psos
@@ -296,7 +296,7 @@ case $basic_machine in
  | nios | nios2 | nios2eb | nios2el \
  | ns16k | ns32k \
  | open8 | or1k | or1knd | or32 \
- | pdp10 | pdp11 | pj | pjl \
+ | pdp10 | pj | pjl \
  | powerpc | powerpc64 | powerpc64le | powerpcle \
  | pru \
  | pyramid \
@@ -333,7 +333,7 @@ case $basic_machine in
  basic_machine=$basic_machine-unknown
  os=-none
  ;;
- m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
+ m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65)
  ;;
  ms1)
  basic_machine=mt-unknown
@@ -362,7 +362,7 @@ case $basic_machine in
   ;;
  # Object if more than one company name word.
  *-*-*)
- echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+ echo Invalid configuration \`"$1"\': machine \`"$basic_machine"\' not recognized 1>&2
  exit 1
  ;;
  # Recognize the basic CPU types with company name.
@@ -457,7 +457,7 @@ case $basic_machine in
  # Recognize the various machine names and aliases which stand
  # for a CPU type and a company and sometimes even an OS.
  386bsd)
- basic_machine=i386-unknown
+ basic_machine=i386-pc
  os=-bsd
  ;;
  3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
@@ -491,7 +491,7 @@ case $basic_machine in
  basic_machine=x86_64-pc
  ;;
  amd64-*)
- basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=x86_64-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  ;;
  amdahl)
  basic_machine=580-amdahl
@@ -536,7 +536,7 @@ case $basic_machine in
  os=-linux
  ;;
  blackfin-*)
- basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=bfin-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  os=-linux
  ;;
  bluegene*)
@@ -544,13 +544,13 @@ case $basic_machine in
  os=-cnk
  ;;
  c54x-*)
- basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=tic54x-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  ;;
  c55x-*)
- basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=tic55x-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  ;;
  c6x-*)
- basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=tic6x-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  ;;
  c90)
  basic_machine=c90-cray
@@ -648,7 +648,7 @@ case $basic_machine in
  os=$os"spe"
  ;;
  e500v[12]-*)
- basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=powerpc-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  os=$os"spe"
  ;;
  ebmon29k)
@@ -740,9 +740,6 @@ case $basic_machine in
  hp9k8[0-9][0-9] | hp8[0-9][0-9])
  basic_machine=hppa1.0-hp
  ;;
- hppa-next)
- os=-nextstep3
- ;;
  hppaosf)
  basic_machine=hppa1.1-hp
  os=-osf
@@ -755,26 +752,26 @@ case $basic_machine in
  basic_machine=i370-ibm
  ;;
  i*86v32)
- basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'`
  os=-sysv32
  ;;
  i*86v4*)
- basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'`
  os=-sysv4
  ;;
  i*86v)
- basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'`
  os=-sysv
  ;;
  i*86sol2)
- basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'`
  os=-solaris2
  ;;
  i386mach)
  basic_machine=i386-mach
  os=-mach
  ;;
- i386-vsta | vsta)
+ vsta)
  basic_machine=i386-unknown
  os=-vsta
  ;;
@@ -793,19 +790,16 @@ case $basic_machine in
  os=-sysv
  ;;
  leon-*|leon[3-9]-*)
- basic_machine=sparc-`echo $basic_machine | sed 's/-.*//'`
+ basic_machine=sparc-`echo "$basic_machine" | sed 's/-.*//'`
  ;;
  m68knommu)
  basic_machine=m68k-unknown
  os=-linux
  ;;
  m68knommu-*)
- basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=m68k-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  os=-linux
  ;;
- m88k-omron*)
- basic_machine=m88k-omron
- ;;
  magnum | m3230)
  basic_machine=mips-mips
  os=-sysv
@@ -837,10 +831,10 @@ case $basic_machine in
  os=-mint
  ;;
  mips3*-*)
- basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+ basic_machine=`echo "$basic_machine" | sed -e 's/mips3/mips64/'`
  ;;
  mips3*)
- basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+ basic_machine=`echo "$basic_machine" | sed -e 's/mips3/mips64/'`-unknown
  ;;
  monitor)
  basic_machine=m68k-rom68k
@@ -859,7 +853,7 @@ case $basic_machine in
  os=-msdos
  ;;
  ms1-*)
- basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
+ basic_machine=`echo "$basic_machine" | sed -e 's/ms1-/mt-/'`
  ;;
  msys)
  basic_machine=i686-pc
@@ -946,6 +940,9 @@ case $basic_machine in
  nsr-tandem)
  basic_machine=nsr-tandem
  ;;
+ nsv-tandem)
+ basic_machine=nsv-tandem
+ ;;
  nsx-tandem)
  basic_machine=nsx-tandem
  ;;
@@ -981,7 +978,7 @@ case $basic_machine in
  os=-linux
  ;;
  parisc-*)
- basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=hppa-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  os=-linux
  ;;
  pbd)
@@ -997,7 +994,7 @@ case $basic_machine in
  basic_machine=i386-pc
  ;;
  pc98-*)
- basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=i386-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  ;;
  pentium | p5 | k5 | k6 | nexgen | viac3)
  basic_machine=i586-pc
@@ -1012,16 +1009,16 @@ case $basic_machine in
  basic_machine=i786-pc
  ;;
  pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
- basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=i586-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  ;;
  pentiumpro-* | p6-* | 6x86-* | athlon-*)
- basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=i686-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  ;;
  pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
- basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=i686-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  ;;
  pentium4-*)
- basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=i786-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  ;;
  pn)
  basic_machine=pn-gould
@@ -1031,23 +1028,23 @@ case $basic_machine in
  ppc | ppcbe) basic_machine=powerpc-unknown
  ;;
  ppc-* | ppcbe-*)
- basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=powerpc-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  ;;
  ppcle | powerpclittle)
  basic_machine=powerpcle-unknown
  ;;
  ppcle-* | powerpclittle-*)
- basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=powerpcle-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  ;;
  ppc64) basic_machine=powerpc64-unknown
  ;;
- ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ppc64-*) basic_machine=powerpc64-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  ;;
  ppc64le | powerpc64little)
  basic_machine=powerpc64le-unknown
  ;;
  ppc64le-* | powerpc64little-*)
- basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=powerpc64le-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  ;;
  ps2)
  basic_machine=i386-ibm
@@ -1101,17 +1098,10 @@ case $basic_machine in
  sequent)
  basic_machine=i386-sequent
  ;;
- sh)
- basic_machine=sh-hitachi
- os=-hms
- ;;
  sh5el)
  basic_machine=sh5le-unknown
  ;;
- sh64)
- basic_machine=sh64-unknown
- ;;
- sparclite-wrs | simso-wrs)
+ simso-wrs)
  basic_machine=sparclite-wrs
  os=-vxworks
  ;;
@@ -1130,7 +1120,7 @@ case $basic_machine in
  os=-sysv4
  ;;
  strongarm-* | thumb-*)
- basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'`
+ basic_machine=arm-`echo "$basic_machine" | sed 's/^[^-]*-//'`
  ;;
  sun2)
  basic_machine=m68000-sun
@@ -1244,9 +1234,6 @@ case $basic_machine in
  basic_machine=a29k-wrs
  os=-vxworks
  ;;
- wasm32)
- basic_machine=wasm32-unknown
- ;;
  w65*)
  basic_machine=w65-wdc
  os=-none
@@ -1266,20 +1253,12 @@ case $basic_machine in
  basic_machine=xps100-honeywell
  ;;
  xscale-* | xscalee[bl]-*)
- basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'`
+ basic_machine=`echo "$basic_machine" | sed 's/^xscale/arm/'`
  ;;
  ymp)
  basic_machine=ymp-cray
  os=-unicos
  ;;
- z8k-*-coff)
- basic_machine=z8k-unknown
- os=-sim
- ;;
- z80-*-coff)
- basic_machine=z80-unknown
- os=-sim
- ;;
  none)
  basic_machine=none-none
  os=-none
@@ -1308,10 +1287,6 @@ case $basic_machine in
  vax)
  basic_machine=vax-dec
  ;;
- pdp10)
- # there are many clones, so DEC is not a safe bet
- basic_machine=pdp10-unknown
- ;;
  pdp11)
  basic_machine=pdp11-dec
  ;;
@@ -1321,9 +1296,6 @@ case $basic_machine in
  sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele)
  basic_machine=sh-unknown
  ;;
- sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v)
- basic_machine=sparc-sun
- ;;
  cydra)
  basic_machine=cydra-cydrome
  ;;
@@ -1343,7 +1315,7 @@ case $basic_machine in
  # Make sure to match an already-canonicalized machine name.
  ;;
  *)
- echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+ echo Invalid configuration \`"$1"\': machine \`"$basic_machine"\' not recognized 1>&2
  exit 1
  ;;
 esac
@@ -1351,10 +1323,10 @@ esac
 # Here we canonicalize certain aliases for manufacturers.
 case $basic_machine in
  *-digital*)
- basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+ basic_machine=`echo "$basic_machine" | sed 's/digital.*/dec/'`
  ;;
  *-commodore*)
- basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+ basic_machine=`echo "$basic_machine" | sed 's/commodore.*/cbm/'`
  ;;
  *)
  ;;
@@ -1377,15 +1349,16 @@ case $os in
  -solaris)
  os=-solaris2
  ;;
- -svr4*)
- os=-sysv4
- ;;
  -unixware*)
  os=-sysv4.2uw
  ;;
  -gnu/linux*)
  os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
  ;;
+ # es1800 is here to avoid being matched by es* (a different OS)
+ -es1800*)
+ os=-ose
+ ;;
  # Now accept the basic system types.
  # The portable systems comes first.
  # Each alternative MUST end in a * to match a version number.
@@ -1398,7 +1371,7 @@ case $os in
       | -aos* | -aros* | -cloudabi* | -sortix* \
       | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
       | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
-      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
+      | -hiux* | -knetbsd* | -mirbsd* | -netbsd* \
       | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \
       | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
       | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
@@ -1409,14 +1382,15 @@ case $os in
       | -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
       | -linux-newlib* | -linux-musl* | -linux-uclibc* \
       | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
-      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* \
       | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
       | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
       | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
-      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+      | -morphos* | -superux* | -rtmk* | -windiss* \
       | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
       | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
-      | -onefs* | -tirtos* | -phoenix* | -fuchsia* | -redox*)
+      | -onefs* | -tirtos* | -phoenix* | -fuchsia* | -redox* | -bme* \
+      | -midnightbsd*)
  # Remember, each alternative MUST END IN *, to match a version number.
  ;;
  -qnx*)
@@ -1433,12 +1407,12 @@ case $os in
  -nto*)
  os=`echo $os | sed -e 's|nto|nto-qnx|'`
  ;;
- -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
-      | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
+ -sim | -xray | -os68k* | -v88r* \
+      | -windows* | -osx | -abug | -netware* | -os9* \
       | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
  ;;
  -mac*)
- os=`echo $os | sed -e 's|mac|macos|'`
+ os=`echo "$os" | sed -e 's|mac|macos|'`
  ;;
  -linux-dietlibc)
  os=-linux-dietlibc
@@ -1447,10 +1421,10 @@ case $os in
  os=`echo $os | sed -e 's|linux|linux-gnu|'`
  ;;
  -sunos5*)
- os=`echo $os | sed -e 's|sunos5|solaris2|'`
+ os=`echo "$os" | sed -e 's|sunos5|solaris2|'`
  ;;
  -sunos6*)
- os=`echo $os | sed -e 's|sunos6|solaris3|'`
+ os=`echo "$os" | sed -e 's|sunos6|solaris3|'`
  ;;
  -opened*)
  os=-openedition
@@ -1461,12 +1435,6 @@ case $os in
  -wince*)
  os=-wince
  ;;
- -osfrose*)
- os=-osfrose
- ;;
- -osf*)
- os=-osf
- ;;
  -utek*)
  os=-bsd
  ;;
@@ -1513,7 +1481,7 @@ case $os in
  -oss*)
  os=-sysv3
  ;;
- -svr4)
+ -svr4*)
  os=-sysv4
  ;;
  -svr3)
@@ -1528,18 +1496,9 @@ case $os in
  -ose*)
  os=-ose
  ;;
- -es1800*)
- os=-ose
- ;;
- -xenix)
- os=-xenix
- ;;
  -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
  os=-mint
  ;;
- -aros*)
- os=-aros
- ;;
  -zvmoe)
  os=-zvmoe
  ;;
@@ -1568,7 +1527,7 @@ case $os in
  *)
  # Get rid of the `-' at the beginning of $os.
  os=`echo $os | sed 's/[^-]*-//'`
- echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+ echo Invalid configuration \`"$1"\': system \`"$os"\' not recognized 1>&2
  exit 1
  ;;
 esac
@@ -1664,9 +1623,6 @@ case $basic_machine in
  *-be)
  os=-beos
  ;;
- *-haiku)
- os=-haiku
- ;;
  *-ibm)
  os=-aix
  ;;
@@ -1721,9 +1677,6 @@ case $basic_machine in
  i370-*)
  os=-mvs
  ;;
- *-next)
- os=-nextstep3
- ;;
  *-gould)
  os=-sysv
  ;;
@@ -1833,11 +1786,11 @@ case $basic_machine in
  vendor=stratus
  ;;
  esac
- basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+ basic_machine=`echo "$basic_machine" | sed "s/unknown/$vendor/"`
  ;;
 esac
 
-echo $basic_machine$os
+echo "$basic_machine$os"
 exit
 
 # Local variables:
diff --git a/zfs/config/kernel-userns-capabilities.m4 b/zfs/config/kernel-userns-capabilities.m4
new file mode 100644
index 0000000..fa33819
--- /dev/null
+++ b/zfs/config/kernel-userns-capabilities.m4
@@ -0,0 +1,67 @@
+dnl #
+dnl # 2.6.38 API change
+dnl # ns_capable() was introduced
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_NS_CAPABLE], [
+ AC_MSG_CHECKING([whether ns_capable exists])
+ ZFS_LINUX_TRY_COMPILE([
+ #include <linux/capability.h>
+ ],[
+ ns_capable((struct user_namespace *)NULL, CAP_SYS_ADMIN);
+ ],[
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE_NS_CAPABLE, 1,
+    [ns_capable exists])
+ ],[
+ AC_MSG_RESULT(no)
+ ])
+])
+
+dnl #
+dnl # 2.6.39 API change
+dnl # struct user_namespace was added to struct cred_t as
+dnl # cred->user_ns member
+dnl # Note that current_user_ns() was added in 2.6.28.
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_CRED_USER_NS], [
+ AC_MSG_CHECKING([whether cred_t->user_ns exists])
+ ZFS_LINUX_TRY_COMPILE([
+ #include <linux/cred.h>
+ ],[
+ struct cred cr;
+ cr.user_ns = (struct user_namespace *)NULL;
+ ],[
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE_CRED_USER_NS, 1,
+    [cred_t->user_ns exists])
+ ],[
+ AC_MSG_RESULT(no)
+ ])
+])
+
+dnl #
+dnl # 3.4 API change
+dnl # kuid_has_mapping() and kgid_has_mapping() were added to distinguish
+dnl # between internal kernel uids/gids and user namespace uids/gids.
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_KUID_HAS_MAPPING], [
+ AC_MSG_CHECKING([whether kuid_has_mapping/kgid_has_mapping exist])
+ ZFS_LINUX_TRY_COMPILE([
+ #include <linux/uidgid.h>
+ ],[
+ kuid_has_mapping((struct user_namespace *)NULL, KUIDT_INIT(0));
+ kgid_has_mapping((struct user_namespace *)NULL, KGIDT_INIT(0));
+ ],[
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE_KUID_HAS_MAPPING, 1,
+    [kuid_has_mapping/kgid_has_mapping exist])
+ ],[
+ AC_MSG_RESULT(no)
+ ])
+])
+
+AC_DEFUN([ZFS_AC_KERNEL_USERNS_CAPABILITIES], [
+ ZFS_AC_KERNEL_NS_CAPABLE
+ ZFS_AC_KERNEL_CRED_USER_NS
+ ZFS_AC_KERNEL_KUID_HAS_MAPPING
+])
diff --git a/zfs/config/kernel.m4 b/zfs/config/kernel.m4
index b759ccd..8d982ad 100644
--- a/zfs/config/kernel.m4
+++ b/zfs/config/kernel.m4
@@ -123,6 +123,7 @@ AC_DEFUN([ZFS_AC_CONFIG_KERNEL], [
  ZFS_AC_KERNEL_HAVE_GENERIC_SETXATTR
  ZFS_AC_KERNEL_CURRENT_TIME
  ZFS_AC_KERNEL_VM_NODE_STAT
+ ZFS_AC_KERNEL_USERNS_CAPABILITIES
 
  AS_IF([test "$LINUX_OBJ" != "$LINUX"], [
  KERNELMAKE_PARAMS="$KERNELMAKE_PARAMS O=$LINUX_OBJ"
diff --git a/zfs/configure b/zfs/configure
index ea3687d..aebe4bb 100755
--- a/zfs/configure
+++ b/zfs/configure
@@ -25913,6 +25913,205 @@ fi
 
 
 
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ns_capable exists" >&5
+$as_echo_n "checking whether ns_capable exists... " >&6; }
+
+
+cat confdefs.h - <<_ACEOF >conftest.c
+
+
+ #include <linux/capability.h>
+
+int
+main (void)
+{
+
+ ns_capable((struct user_namespace *)NULL, CAP_SYS_ADMIN);
+
+  ;
+  return 0;
+}
+
+_ACEOF
+
+
+
+cat - <<_ACEOF >conftest.h
+
+_ACEOF
+
+
+ rm -Rf build && mkdir -p build && touch build/conftest.mod.c
+ echo "obj-m := conftest.o" >build/Makefile
+ modpost_flag=''
+ test "x$enable_linux_builtin" = xyes && modpost_flag='modpost=true' # fake modpost stage
+ if { ac_try='cp conftest.c conftest.h build && make modules -C $LINUX_OBJ EXTRA_CFLAGS="-Werror $EXTRA_KCFLAGS" $ARCH_UM M=$PWD/build $modpost_flag'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; } >/dev/null && { ac_try='test -s build/conftest.o'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then :
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_NS_CAPABLE 1" >>confdefs.h
+
+
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+
+
+fi
+ rm -Rf build
+
+
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cred_t->user_ns exists" >&5
+$as_echo_n "checking whether cred_t->user_ns exists... " >&6; }
+
+
+cat confdefs.h - <<_ACEOF >conftest.c
+
+
+ #include <linux/cred.h>
+
+int
+main (void)
+{
+
+ struct cred cr;
+ cr.user_ns = (struct user_namespace *)NULL;
+
+  ;
+  return 0;
+}
+
+_ACEOF
+
+
+
+cat - <<_ACEOF >conftest.h
+
+_ACEOF
+
+
+ rm -Rf build && mkdir -p build && touch build/conftest.mod.c
+ echo "obj-m := conftest.o" >build/Makefile
+ modpost_flag=''
+ test "x$enable_linux_builtin" = xyes && modpost_flag='modpost=true' # fake modpost stage
+ if { ac_try='cp conftest.c conftest.h build && make modules -C $LINUX_OBJ EXTRA_CFLAGS="-Werror $EXTRA_KCFLAGS" $ARCH_UM M=$PWD/build $modpost_flag'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; } >/dev/null && { ac_try='test -s build/conftest.o'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then :
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_CRED_USER_NS 1" >>confdefs.h
+
+
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+
+
+fi
+ rm -Rf build
+
+
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether kuid_has_mapping/kgid_has_mapping exist" >&5
+$as_echo_n "checking whether kuid_has_mapping/kgid_has_mapping exist... " >&6; }
+
+
+cat confdefs.h - <<_ACEOF >conftest.c
+
+
+ #include <linux/uidgid.h>
+
+int
+main (void)
+{
+
+ kuid_has_mapping((struct user_namespace *)NULL, KUIDT_INIT(0));
+ kgid_has_mapping((struct user_namespace *)NULL, KGIDT_INIT(0));
+
+  ;
+  return 0;
+}
+
+_ACEOF
+
+
+
+cat - <<_ACEOF >conftest.h
+
+_ACEOF
+
+
+ rm -Rf build && mkdir -p build && touch build/conftest.mod.c
+ echo "obj-m := conftest.o" >build/Makefile
+ modpost_flag=''
+ test "x$enable_linux_builtin" = xyes && modpost_flag='modpost=true' # fake modpost stage
+ if { ac_try='cp conftest.c conftest.h build && make modules -C $LINUX_OBJ EXTRA_CFLAGS="-Werror $EXTRA_KCFLAGS" $ARCH_UM M=$PWD/build $modpost_flag'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; } >/dev/null && { ac_try='test -s build/conftest.o'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then :
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_KUID_HAS_MAPPING 1" >>confdefs.h
+
+
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+
+
+fi
+ rm -Rf build
+
+
+
+
+
  if test "$LINUX_OBJ" != "$LINUX"; then :
 
  KERNELMAKE_PARAMS="$KERNELMAKE_PARAMS O=$LINUX_OBJ"
@@ -40474,6 +40673,205 @@ fi
 
 
 
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ns_capable exists" >&5
+$as_echo_n "checking whether ns_capable exists... " >&6; }
+
+
+cat confdefs.h - <<_ACEOF >conftest.c
+
+
+ #include <linux/capability.h>
+
+int
+main (void)
+{
+
+ ns_capable((struct user_namespace *)NULL, CAP_SYS_ADMIN);
+
+  ;
+  return 0;
+}
+
+_ACEOF
+
+
+
+cat - <<_ACEOF >conftest.h
+
+_ACEOF
+
+
+ rm -Rf build && mkdir -p build && touch build/conftest.mod.c
+ echo "obj-m := conftest.o" >build/Makefile
+ modpost_flag=''
+ test "x$enable_linux_builtin" = xyes && modpost_flag='modpost=true' # fake modpost stage
+ if { ac_try='cp conftest.c conftest.h build && make modules -C $LINUX_OBJ EXTRA_CFLAGS="-Werror $EXTRA_KCFLAGS" $ARCH_UM M=$PWD/build $modpost_flag'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; } >/dev/null && { ac_try='test -s build/conftest.o'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then :
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_NS_CAPABLE 1" >>confdefs.h
+
+
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+
+
+fi
+ rm -Rf build
+
+
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cred_t->user_ns exists" >&5
+$as_echo_n "checking whether cred_t->user_ns exists... " >&6; }
+
+
+cat confdefs.h - <<_ACEOF >conftest.c
+
+
+ #include <linux/cred.h>
+
+int
+main (void)
+{
+
+ struct cred cr;
+ cr.user_ns = (struct user_namespace *)NULL;
+
+  ;
+  return 0;
+}
+
+_ACEOF
+
+
+
+cat - <<_ACEOF >conftest.h
+
+_ACEOF
+
+
+ rm -Rf build && mkdir -p build && touch build/conftest.mod.c
+ echo "obj-m := conftest.o" >build/Makefile
+ modpost_flag=''
+ test "x$enable_linux_builtin" = xyes && modpost_flag='modpost=true' # fake modpost stage
+ if { ac_try='cp conftest.c conftest.h build && make modules -C $LINUX_OBJ EXTRA_CFLAGS="-Werror $EXTRA_KCFLAGS" $ARCH_UM M=$PWD/build $modpost_flag'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; } >/dev/null && { ac_try='test -s build/conftest.o'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then :
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_CRED_USER_NS 1" >>confdefs.h
+
+
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+
+
+fi
+ rm -Rf build
+
+
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether kuid_has_mapping/kgid_has_mapping exist" >&5
+$as_echo_n "checking whether kuid_has_mapping/kgid_has_mapping exist... " >&6; }
+
+
+cat confdefs.h - <<_ACEOF >conftest.c
+
+
+ #include <linux/uidgid.h>
+
+int
+main (void)
+{
+
+ kuid_has_mapping((struct user_namespace *)NULL, KUIDT_INIT(0));
+ kgid_has_mapping((struct user_namespace *)NULL, KGIDT_INIT(0));
+
+  ;
+  return 0;
+}
+
+_ACEOF
+
+
+
+cat - <<_ACEOF >conftest.h
+
+_ACEOF
+
+
+ rm -Rf build && mkdir -p build && touch build/conftest.mod.c
+ echo "obj-m := conftest.o" >build/Makefile
+ modpost_flag=''
+ test "x$enable_linux_builtin" = xyes && modpost_flag='modpost=true' # fake modpost stage
+ if { ac_try='cp conftest.c conftest.h build && make modules -C $LINUX_OBJ EXTRA_CFLAGS="-Werror $EXTRA_KCFLAGS" $ARCH_UM M=$PWD/build $modpost_flag'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; } >/dev/null && { ac_try='test -s build/conftest.o'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then :
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_KUID_HAS_MAPPING 1" >>confdefs.h
+
+
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+
+
+fi
+ rm -Rf build
+
+
+
+
+
  if test "$LINUX_OBJ" != "$LINUX"; then :
 
  KERNELMAKE_PARAMS="$KERNELMAKE_PARAMS O=$LINUX_OBJ"
diff --git a/zfs/include/Makefile.in b/zfs/include/Makefile.in
index 7ebd92b..ae748a9 100644
--- a/zfs/include/Makefile.in
+++ b/zfs/include/Makefile.in
@@ -173,6 +173,7 @@ am__aclocal_m4_deps = $(top_srcdir)/config/always-arch.m4 \
  $(top_srcdir)/config/kernel-tmpfile.m4 \
  $(top_srcdir)/config/kernel-truncate-range.m4 \
  $(top_srcdir)/config/kernel-truncate-setsize.m4 \
+ $(top_srcdir)/config/kernel-userns-capabilities.m4 \
  $(top_srcdir)/config/kernel-vfs-iterate.m4 \
  $(top_srcdir)/config/kernel-vfs-rw-iterate.m4 \
  $(top_srcdir)/config/kernel-vm_node_stat.m4 \
diff --git a/zfs/include/linux/Makefile.in b/zfs/include/linux/Makefile.in
index ba923de..0f6c8c3 100644
--- a/zfs/include/linux/Makefile.in
+++ b/zfs/include/linux/Makefile.in
@@ -173,6 +173,7 @@ am__aclocal_m4_deps = $(top_srcdir)/config/always-arch.m4 \
  $(top_srcdir)/config/kernel-tmpfile.m4 \
  $(top_srcdir)/config/kernel-truncate-range.m4 \
  $(top_srcdir)/config/kernel-truncate-setsize.m4 \
+ $(top_srcdir)/config/kernel-userns-capabilities.m4 \
  $(top_srcdir)/config/kernel-vfs-iterate.m4 \
  $(top_srcdir)/config/kernel-vfs-rw-iterate.m4 \
  $(top_srcdir)/config/kernel-vm_node_stat.m4 \
diff --git a/zfs/include/sys/Makefile.in b/zfs/include/sys/Makefile.in
index ac8262f..25d1f71 100644
--- a/zfs/include/sys/Makefile.in
+++ b/zfs/include/sys/Makefile.in
@@ -173,6 +173,7 @@ am__aclocal_m4_deps = $(top_srcdir)/config/always-arch.m4 \
  $(top_srcdir)/config/kernel-tmpfile.m4 \
  $(top_srcdir)/config/kernel-truncate-range.m4 \
  $(top_srcdir)/config/kernel-truncate-setsize.m4 \
+ $(top_srcdir)/config/kernel-userns-capabilities.m4 \
  $(top_srcdir)/config/kernel-vfs-iterate.m4 \
  $(top_srcdir)/config/kernel-vfs-rw-iterate.m4 \
  $(top_srcdir)/config/kernel-vm_node_stat.m4 \
diff --git a/zfs/include/sys/crypto/Makefile.in b/zfs/include/sys/crypto/Makefile.in
index ba51e5c..fa2f570 100644
--- a/zfs/include/sys/crypto/Makefile.in
+++ b/zfs/include/sys/crypto/Makefile.in
@@ -173,6 +173,7 @@ am__aclocal_m4_deps = $(top_srcdir)/config/always-arch.m4 \
  $(top_srcdir)/config/kernel-tmpfile.m4 \
  $(top_srcdir)/config/kernel-truncate-range.m4 \
  $(top_srcdir)/config/kernel-truncate-setsize.m4 \
+ $(top_srcdir)/config/kernel-userns-capabilities.m4 \
  $(top_srcdir)/config/kernel-vfs-iterate.m4 \
  $(top_srcdir)/config/kernel-vfs-rw-iterate.m4 \
  $(top_srcdir)/config/kernel-vm_node_stat.m4 \
diff --git a/zfs/include/sys/fm/Makefile.in b/zfs/include/sys/fm/Makefile.in
index dc3a4d1..85019a1 100644
--- a/zfs/include/sys/fm/Makefile.in
+++ b/zfs/include/sys/fm/Makefile.in
@@ -173,6 +173,7 @@ am__aclocal_m4_deps = $(top_srcdir)/config/always-arch.m4 \
  $(top_srcdir)/config/kernel-tmpfile.m4 \
  $(top_srcdir)/config/kernel-truncate-range.m4 \
  $(top_srcdir)/config/kernel-truncate-setsize.m4 \
+ $(top_srcdir)/config/kernel-userns-capabilities.m4 \
  $(top_srcdir)/config/kernel-vfs-iterate.m4 \
  $(top_srcdir)/config/kernel-vfs-rw-iterate.m4 \
  $(top_srcdir)/config/kernel-vm_node_stat.m4 \
diff --git a/zfs/include/sys/fm/fs/Makefile.in b/zfs/include/sys/fm/fs/Makefile.in
index 81089cfd..42a85e5 100644
--- a/zfs/include/sys/fm/fs/Makefile.in
+++ b/zfs/include/sys/fm/fs/Makefile.in
@@ -173,6 +173,7 @@ am__aclocal_m4_deps = $(top_srcdir)/config/always-arch.m4 \
  $(top_srcdir)/config/kernel-tmpfile.m4 \
  $(top_srcdir)/config/kernel-truncate-range.m4 \
  $(top_srcdir)/config/kernel-truncate-setsize.m4 \
+ $(top_srcdir)/config/kernel-userns-capabilities.m4 \
  $(top_srcdir)/config/kernel-vfs-iterate.m4 \
  $(top_srcdir)/config/kernel-vfs-rw-iterate.m4 \
  $(top_srcdir)/config/kernel-vm_node_stat.m4 \
diff --git a/zfs/include/sys/fs/Makefile.in b/zfs/include/sys/fs/Makefile.in
index 1113fe7..d22d5fc 100644
--- a/zfs/include/sys/fs/Makefile.in
+++ b/zfs/include/sys/fs/Makefile.in
@@ -173,6 +173,7 @@ am__aclocal_m4_deps = $(top_srcdir)/config/always-arch.m4 \
  $(top_srcdir)/config/kernel-tmpfile.m4 \
  $(top_srcdir)/config/kernel-truncate-range.m4 \
  $(top_srcdir)/config/kernel-truncate-setsize.m4 \
+ $(top_srcdir)/config/kernel-userns-capabilities.m4 \
  $(top_srcdir)/config/kernel-vfs-iterate.m4 \
  $(top_srcdir)/config/kernel-vfs-rw-iterate.m4 \
  $(top_srcdir)/config/kernel-vm_node_stat.m4 \
diff --git a/zfs/include/sys/sysevent/Makefile.in b/zfs/include/sys/sysevent/Makefile.in
index 2a19862..12c0912 100644
--- a/zfs/include/sys/sysevent/Makefile.in
+++ b/zfs/include/sys/sysevent/Makefile.in
@@ -173,6 +173,7 @@ am__aclocal_m4_deps = $(top_srcdir)/config/always-arch.m4 \
  $(top_srcdir)/config/kernel-tmpfile.m4 \
  $(top_srcdir)/config/kernel-truncate-range.m4 \
  $(top_srcdir)/config/kernel-truncate-setsize.m4 \
+ $(top_srcdir)/config/kernel-userns-capabilities.m4 \
  $(top_srcdir)/config/kernel-vfs-iterate.m4 \
  $(top_srcdir)/config/kernel-vfs-rw-iterate.m4 \
  $(top_srcdir)/config/kernel-vm_node_stat.m4 \
diff --git a/zfs/module/zfs/policy.c b/zfs/module/zfs/policy.c
index 03e8f74..55c93274 100644
--- a/zfs/module/zfs/policy.c
+++ b/zfs/module/zfs/policy.c
@@ -42,19 +42,47 @@
  * all other cases this function must fail and return the passed err.
  */
 static int
-priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
+priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
+    struct user_namespace *ns)
 {
  ASSERT3S(all, ==, B_FALSE);
 
  if (cr != CRED() && (cr != kcred))
  return (err);
 
+#if defined(CONFIG_USER_NS) && defined(HAVE_NS_CAPABLE)
+ if (!(ns ? ns_capable(ns, capability) : capable(capability)))
+#else
  if (!capable(capability))
+#endif
  return (err);
 
  return (0);
 }
 
+static int
+priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
+{
+ return (priv_policy_ns(cr, capability, all, err, NULL));
+}
+
+static int
+priv_policy_user(const cred_t *cr, int capability, boolean_t all, int err)
+{
+ /*
+ * All priv_policy_user checks are preceeded by kuid/kgid_has_mapping()
+ * checks. If we cannot do them, we shouldn't be using ns_capable()
+ * since we don't know whether the affected files are valid in our
+ * namespace. Note that kuid_has_mapping() came after cred->user_ns, so
+ * we shouldn't need to re-check for HAVE_CRED_USER_NS
+ */
+#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
+ return (priv_policy_ns(cr, capability, all, err, cr->user_ns));
+#else
+ return (priv_policy_ns(cr, capability, all, err, NULL));
+#endif
+}
+
 /*
  * Checks for operations that are either client-only or are used by
  * both clients and servers.
@@ -102,10 +130,15 @@ secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)
  if (zpl_inode_owner_or_capable(ip))
  return (0);
 
- if (priv_policy(cr, CAP_DAC_OVERRIDE, B_FALSE, EPERM) == 0)
+#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
+ if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
+ return (EPERM);
+#endif
+
+ if (priv_policy_user(cr, CAP_DAC_OVERRIDE, B_FALSE, EPERM) == 0)
  return (0);
 
- if (priv_policy(cr, CAP_DAC_READ_SEARCH, B_FALSE, EPERM) == 0)
+ if (priv_policy_user(cr, CAP_DAC_READ_SEARCH, B_FALSE, EPERM) == 0)
  return (0);
 
  return (EPERM);
@@ -120,7 +153,12 @@ secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
  if (crgetfsuid(cr) == owner)
  return (0);
 
- return (priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM));
+#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
+ if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
+ return (EPERM);
+#endif
+
+ return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
 }
 
 /*
@@ -152,7 +190,12 @@ secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
  if (crgetfsuid(cr) == owner)
  return (0);
 
- return (priv_policy(cr, CAP_FOWNER, B_FALSE, EPERM));
+#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
+ if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
+ return (EPERM);
+#endif
+
+ return (priv_policy_user(cr, CAP_FOWNER, B_FALSE, EPERM));
 }
 
 /*
@@ -175,8 +218,12 @@ secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
 int
 secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
 {
+#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
+ if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
+ return (EPERM);
+#endif
  if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
- return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
+ return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
 
  return (0);
 }
@@ -222,7 +269,12 @@ secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
  if (crgetfsuid(cr) == owner)
  return (0);
 
- return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
+#if defined(CONFIG_USER_NS) && defined(HAVE_KUID_HAS_MAPPING)
+ if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
+ return (EPERM);
+#endif
+
+ return (priv_policy_user(cr, CAP_FSETID, B_FALSE, EPERM));
 }
 
 /*
diff --git a/zfs/zfs_config.h.in b/zfs/zfs_config.h.in
index df5fd71..ac41b5a 100644
--- a/zfs/zfs_config.h.in
+++ b/zfs/zfs_config.h.in
@@ -159,6 +159,9 @@
 /* iops->create() passes nameidata */
 #undef HAVE_CREATE_NAMEIDATA
 
+/* cred_t->user_ns exists */
+#undef HAVE_CRED_USER_NS
+
 /* current->bio_list exists */
 #undef HAVE_CURRENT_BIO_LIST
 
@@ -300,6 +303,9 @@
 /* kernel does stack verification */
 #undef HAVE_KERNEL_OBJTOOL
 
+/* kuid_has_mapping/kgid_has_mapping exist */
+#undef HAVE_KUID_HAS_MAPPING
+
 /* i_(uid|gid)_(read|write) exist */
 #undef HAVE_KUID_HELPERS
 
@@ -360,6 +366,9 @@
 /* sops->nr_cached_objects() exists */
 #undef HAVE_NR_CACHED_OBJECTS
 
+/* ns_capable exists */
+#undef HAVE_NS_CAPABLE
+
 /* open_bdev_exclusive() is available */
 #undef HAVE_OPEN_BDEV_EXCLUSIVE
 
--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED: [PATCH][BIONIC] UBUNTU: SAUCE: Fix ZFS setgid (LP: #1753288)

Seth Forshee
On Thu, Mar 08, 2018 at 12:11:54PM +0100, Colin King wrote:

> From: Colin Ian King <[hidden email]>
>
>   Pull in upstream commit 0e85048f53e4, namely:
>   "Take user namespaces into account in policy checks"
>   - Change file related checks to use user namespaces and make
>     sure involved uids/gids are mappable in the current
>     namespace.
>   - Sync'd from zfsutils-linux 0.7.5-1ubuntu5
>
> Signed-off-by: Colin Ian King <[hidden email]>

Applied with the BugLink added. Thanks!

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team