[Devel] [PATCH RH7] xattr: allow set/remove security.capability inside CT

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Thu Jan 21 04:16:21 PST 2016


Need it, as in a CT the rpm install of some packages sets the security.capability
xattr, e.g. file /usr/bin/ping, package iputils.

That is a temporary decision, as it is not completely safe to do so:

One without caps can create a new user namespace, enter it and have all
caps in it, after that add security.capability to some binary file,
log out of the userns and use this binary to get all caps in the root user
namespace.

When the patches below get into mainstream, porting them will fix it:
[PATCH v4 0/7] Initial support for user namespace owned mounts
[PATCH v2 03/18] fs: Treat foreign mounts as nosuid
[PATCH v2 14/18] capabilities: Allow privileged user in s_user_ns to set
security.* xattrs

https://jira.sw.ru/browse/PSBM-43267
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 security/commoncap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 3a7003d..af80f74 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -624,7 +624,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
 		       const void *value, size_t size, int flags)
 {
 	if (!strcmp(name, XATTR_NAME_CAPS)) {
-		if (!capable(CAP_SETFCAP))
+		if (!ve_capable(CAP_SETFCAP))
 			return -EPERM;
 		return 0;
 	}
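Review bot: the relaxed check at `if (!ve_capable(CAP_SETFCAP))` still looks only at the caller's capability set and ignores `dentry`, so nothing ties the permission to where the inode lives; that is exactly why the route in the commit message stays open (a freshly created user namespace gives its creator CAP_SETFCAP, and the xattr lands on a file that is still executable from the root namespace). If this goes in as a stopgap, add a comment at the check pointing to PSBM-43267 and the pending "Treat foreign mounts as nosuid" / s_user_ns work so it is not mistaken for the final design, and consider pairing the capability test with a dentry-based restriction rather than none at all.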
@@ -650,7 +650,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
 int cap_inode_removexattr(struct dentry *dentry, const char *name)
 {
 	if (!strcmp(name, XATTR_NAME_CAPS)) {
-		if (!capable(CAP_SETFCAP))
+		if (!ve_capable(CAP_SETFCAP))
 			return -EPERM;
 		return 0;
 	}
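Review bot: the same `capable()` to `ve_capable()` substitution is made in `cap_inode_removexattr` with no dentry check, and the two functions now carry identical `strcmp(name, XATTR_NAME_CAPS)` / `ve_capable(CAP_SETFCAP)` blocks; factor them into one static helper so the eventual fix (the s_user_ns-based check from the referenced series) only has to land in one place. Removal only strips capabilities from a binary, so this half is the lower-risk one, but it lets any CT process holding CAP_SETFCAP drop file caps from any file it can reach, which the commit message should say explicitly.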
-- 
1.9.3
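For context on what the two guarded checks protect, here is an added example (not part of this patch, the RH7 kernel or iputils) that encodes and decodes the revision-2 `security.capability` value that `setcap(8)` writes and `cap_inode_setxattr()` gates, and audits paths for it. The constants mirror `struct vfs_cap_data` from linux/capability.h; the 20-byte blob below is constructed from the page's own `/usr/bin/ping` case (cap_net_raw permitted and effective). Function names (`fcaps_encode`, `fcaps_decode`, `fcaps_read`) are this example's, not kernel or libcap APIs.

```c
/*
 * Added example (not part of the Virtuozzo patch or the kernel): encode and
 * decode the revision-2 security.capability value that setcap(8) writes and
 * cap_inode_setxattr() guards, and audit a path for it.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/xattr.h>
#endif

/* Constants from linux/capability.h (struct vfs_cap_data, revision 2). */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define XATTR_CAPS_SZ_2         20u   /* magic_etc + 2 x {permitted, inheritable} */

#define CAP_NET_RAW   13
#define CAP_SYS_ADMIN 21
#define CAP_SETFCAP   31

struct fcaps {
    uint64_t permitted;
    uint64_t inheritable;
    int      effective;   /* VFS_CAP_FLAGS_EFFECTIVE bit of magic_etc */
};

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Build the 20-byte little-endian blob; returns its length. */
size_t fcaps_encode(const struct fcaps *c, uint8_t out[XATTR_CAPS_SZ_2])
{
    put_le32(out,      VFS_CAP_REVISION_2 | (c->effective ? VFS_CAP_FLAGS_EFFECTIVE : 0));
    put_le32(out + 4,  (uint32_t)c->permitted);           /* data[0].permitted   */
    put_le32(out + 8,  (uint32_t)c->inheritable);         /* data[0].inheritable */
    put_le32(out + 12, (uint32_t)(c->permitted >> 32));   /* data[1].permitted   */
    put_le32(out + 16, (uint32_t)(c->inheritable >> 32)); /* data[1].inheritable */
    return XATTR_CAPS_SZ_2;
}

/* Parse a blob. Returns 0 on success, -1 if it is not a well-formed
 * revision-2 value (wrong size or revision, e.g. the later revision 3). */
int fcaps_decode(const uint8_t *buf, size_t len, struct fcaps *c)
{
    if (len != XATTR_CAPS_SZ_2)
        return -1;
    uint32_t magic = get_le32(buf);
    if ((magic & VFS_CAP_REVISION_MASK) != VFS_CAP_REVISION_2)
        return -1;
    c->effective   = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    c->permitted   = get_le32(buf + 4) | (uint64_t)get_le32(buf + 12) << 32;
    c->inheritable = get_le32(buf + 8) | (uint64_t)get_le32(buf + 16) << 32;
    return 0;
}

int fcaps_has(uint64_t set, int cap)
{
    return (int)((set >> cap) & 1u);
}

/* Audit helper: 1 if path carries decodable file caps, 0 if it has none,
 * -1 (errno set) on error or an unrecognised value. */
int fcaps_read(const char *path, struct fcaps *c)
{
#ifdef __linux__
    uint8_t buf[64];
    ssize_t n = getxattr(path, "security.capability", buf, sizeof buf);
    if (n < 0)
        return errno == ENODATA ? 0 : -1;
    if (fcaps_decode(buf, (size_t)n, c) != 0) {
        errno = EINVAL;
        return -1;
    }
    return 1;
#else
    (void)path; (void)c;
    errno = ENOTSUP;
    return -1;
#endif
}

int main(int argc, char **argv)
{
    /* Constructed sample: what "setcap cap_net_raw+ep /usr/bin/ping" stores. */
    struct fcaps ping = { 1ull << CAP_NET_RAW, 0, 1 };
    uint8_t blob[XATTR_CAPS_SZ_2];
    fcaps_encode(&ping, blob);
    for (size_t i = 0; i < sizeof blob; i++)
        printf("%02x%s", blob[i], i + 1 < sizeof blob ? " " : "\n");

    /* With paths on the command line, report which ones carry file caps. */
    for (int i = 1; i < argc; i++) {
        struct fcaps c;
        int r = fcaps_read(argv[i], &c);
        if (r == 1)
            printf("%s: permitted=%#llx inheritable=%#llx effective=%d\n",
                   argv[i], (unsigned long long)c.permitted,
                   (unsigned long long)c.inheritable, c.effective);
        else if (r == 0)
            printf("%s: no security.capability\n", argv[i]);
        else
            printf("%s: %s\n", argv[i], strerror(errno));
    }
    return 0;
}
```

Build with `cc -o fcaps fcaps.c` and run `./fcaps /usr/bin/ping` inside a CT to see whether the iputils install from the commit message actually left file caps on the binary; running it over `find / -xdev -type f -perm -o+x` is a cheap way to spot any other binary that acquired a `security.capability` value through the relaxed check. The decoder deliberately rejects anything that is not revision 2 rather than guessing at its layout.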
