[Devel] [PATCH vz7] namei: check containers capabilities in may_linkat()
Stanislav Kinsburskiy
skinsbursky at odin.com
Tue Oct 27 08:17:48 PDT 2015
From: Stanislav Kinsburskiy <skinsbursky at parallels.com>
This fixes -EPERM result for link creation by root in container
https://jira.sw.ru/browse/PSBM-40567
Signed-off-by: Stanislav Kinsburskiy <skinsbursky at parallels.com>
---
fs/namei.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index e7d9f54..d3430ee 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -869,7 +869,7 @@ static int may_linkat(struct path *link)
* otherwise, it must be a safe source.
*/
if (uid_eq(cred->fsuid, inode->i_uid) || safe_hardlink_source(inode) ||
- capable(CAP_FOWNER))
+ ve_capable(CAP_FOWNER))
return 0;
audit_log_link_denied("linkat", link);
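Review bot: The new `ve_capable(CAP_FOWNER)` test in may_linkat() does not look at `inode` at all, so container root passes the hardlink restriction for any source file it can reach, whatever the file's owner is, and the commit message does not say why that is safe. Please state the reasoning in the changelog, or use a check that also requires the inode's owner to belong to the container (upstream has capable_wrt_inode_uidgid() for this purpose, if this tree carries it). A short comment above the condition saying that the capability is now evaluated per container would also help the next reader of this function.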
@@ -3955,7 +3955,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
* handlink using the passed filedescriptor.
*/
if (flags & AT_EMPTY_PATH) {
- if (!capable(CAP_DAC_READ_SEARCH))
+ if (!ve_capable(CAP_DAC_READ_SEARCH))
return -ENOENT;
how = LOOKUP_EMPTY;
}
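Review bot: The subject and changelog only mention may_linkat(), but this hunk changes the `AT_EMPTY_PATH` check in the linkat() syscall from `capable(CAP_DAC_READ_SEARCH)` to `ve_capable(CAP_DAC_READ_SEARCH)`, which is a separate relaxation and is undocumented. This path creates a link from nothing but an open file descriptor, so please explain why a container-level capability is sufficient when the descriptor could refer to a file that was opened outside the container. Either describe this change in the commit message or split it into its own patch so it can be reviewed on its own.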