[Devel] [PATCH RHEL7 COMMIT] ve/fs/namei: check container's capabilities in may_linkat()

Konstantin Khorenko khorenko at virtuozzo.com
Wed Oct 28 07:19:58 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-229.7.2.vz7.9.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-229.7.2.vz7.9.3
------>
commit efa550dba8d848ec63030da21030616b4e001072
Author: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Date:   Wed Oct 28 18:19:58 2015 +0400

    ve/fs/namei: check container's capabilities in may_linkat()
    
    This fixes -EPERM result for link creation by root in container.
    
    https://jira.sw.ru/browse/PSBM-40567
    
    Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
---
 fs/namei.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/namei.c b/fs/namei.c
index e7d9f54..d3430ee 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -869,7 +869,7 @@ static int may_linkat(struct path *link)
 	 * otherwise, it must be a safe source.
 	 */
 	if (uid_eq(cred->fsuid, inode->i_uid) || safe_hardlink_source(inode) ||
-	    capable(CAP_FOWNER))
+	    ve_capable(CAP_FOWNER))
 		return 0;
 
 	audit_log_link_denied("linkat", link);
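Review bot: switching the third alternative from capable(CAP_FOWNER) to ve_capable(CAP_FOWNER) widens who passes the protected-hardlinks check: a process that is root inside a container can now link to a file it does not own and that is not a "safe source" (the comment just above this hunk spells out that intent). Before merging, confirm that ve_capable() still honours the container's bounding set, so a container root that has dropped CAP_FOWNER keeps hitting the audit_log_link_denied("linkat", link) path and -EPERM, and state in the commit message why granting container root this bypass is acceptable given that the check exists to stop hardlink-based attacks on files owned by other users.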
@@ -3955,7 +3955,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
 	 * handlink using the passed filedescriptor.
 	 */
 	if (flags & AT_EMPTY_PATH) {
-		if (!capable(CAP_DAC_READ_SEARCH))
+		if (!ve_capable(CAP_DAC_READ_SEARCH))
 			return -ENOENT;
 		how = LOOKUP_EMPTY;
 	}
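Review bot: the commit message only mentions may_linkat(), but this hunk changes a second gate, the CAP_DAC_READ_SEARCH check that allows linkat() with AT_EMPTY_PATH to use a bare file descriptor as the link source; please document this site as well. Because an AT_EMPTY_PATH source skips path lookup, a reviewer would want confirmation that ve_capable(CAP_DAC_READ_SEARCH) is evaluated against the calling container's capabilities rather than the host's, and a note on whether the -ENOENT returned on failure (unchanged here) is still the intended error for the container case.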
