[Devel] [PATCH RHEL7 COMMIT] Revert "ve: caps: ignore setting wrong caps with CAP_SETPCAP"
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Sep 8 02:06:35 PDT 2015
The commit is pushed to "branch-rh7-3.10.0-229.7.2.vz7.8.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-229.7.2.vz7.6.8
------>
commit 750558eb81ef22527ee1d5fc5b5081410cffda29
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date: Tue Sep 8 13:01:00 2015 +0400
Revert "ve: caps: ignore setting wrong caps with CAP_SETPCAP"
This reverts commit 1875887f263eb25c8a549ec76258b5b19d5e86df
and 62247ea30f4e1a94136726935c77024558ab5a37 (typo fix)
This workaround is no longer needed now that userns support is implemented.
https://jira.sw.ru/browse/PSBM-39077
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
Conflicts:
security/commoncap.c
---
security/commoncap.c | 37 +++++++------------------------------
1 file changed, 7 insertions(+), 30 deletions(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index 9d0a2b6..3a7003d 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -248,53 +248,30 @@ int cap_capset(struct cred *new,
const kernel_cap_t *inheritable,
const kernel_cap_t *permitted)
{
- kernel_cap_t ve_effective = *effective;
- kernel_cap_t ve_inheritable = *inheritable;
- kernel_cap_t ve_permitted = *permitted;
-
- if (!ve_is_super(get_exec_env())) {
- if (cap_raised(old->cap_effective, CAP_SETPCAP)) {
- /*
- * Ignore all not allowed caps in CT
- */
- printk_once("Drop not allowed caps in CT. Docker? - "
- "Will fix when switch to user namespaces.\n");
- if (cap_inh_is_capped())
- ve_inheritable = cap_intersect(ve_inheritable,
- cap_combine(old->cap_inheritable,
- old->cap_permitted));
- ve_inheritable = cap_intersect(ve_inheritable,
- cap_combine(old->cap_inheritable,
- old->cap_bset));
- ve_permitted = cap_intersect(ve_permitted, old->cap_permitted);
- ve_effective = cap_intersect(ve_effective, ve_permitted);
- }
- }
-
if (cap_inh_is_capped() &&
- !cap_issubset(ve_inheritable,
+ !cap_issubset(*inheritable,
cap_combine(old->cap_inheritable,
old->cap_permitted)))
/* incapable of using this inheritable set */
return -EPERM;
- if (!cap_issubset(ve_inheritable,
+ if (!cap_issubset(*inheritable,
cap_combine(old->cap_inheritable,
old->cap_bset)))
/* no new pI capabilities outside bounding set */
return -EPERM;
/* verify restrictions on target's new Permitted set */
- if (!cap_issubset(ve_permitted, old->cap_permitted))
+ if (!cap_issubset(*permitted, old->cap_permitted))
return -EPERM;
/* verify the _new_Effective_ is a subset of the _new_Permitted_ */
- if (!cap_issubset(ve_effective, ve_permitted))
+ if (!cap_issubset(*effective, *permitted))
return -EPERM;
- new->cap_effective = ve_effective;
- new->cap_inheritable = ve_inheritable;
- new->cap_permitted = ve_permitted;
+ new->cap_effective = *effective;
+ new->cap_inheritable = *inheritable;
+ new->cap_permitted = *permitted;
return 0;
}
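Review bot: With the clamping branch removed, cap_capset() is all-or-nothing for container tasks again, and nothing in the function records that this is intentional. A task in a CT that holds CAP_SETPCAP and requests capabilities outside `old->cap_permitted` or the bounding set now gets `-EPERM`, where the reverted code narrowed the request and returned 0. Failing closed is the safer behaviour, because a silently reduced set can leave a caller believing it holds capabilities it does not, so I would add a comment above the first check, e.g. `/* No per-VE clamping: an over-broad request is rejected with -EPERM, never silently narrowed. */`. The message's claim that userns support covers the old Docker case cannot be verified from this hunk, and the function's parameter list begins above it.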