[Devel] [PATCH RH7] xattr: allow set/remove security.capability inside CT

Konstantin Khorenko khorenko at virtuozzo.com
Thu Jan 21 04:33:06 PST 2016


Kirill, please review.

I don't see any danger in allowing this. Do you?

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 01/21/2016 03:16 PM, Pavel Tikhomirov wrote:
> Need it, as in a CT for some packages rpm install sets the security.capability
> xattr, e.g. file /usr/bin/ping, package iputils.
>
> That is a temporary decision, as it is not completely safe to do so:
>
> One without caps can create a new user namespace, enter it and have all
> caps in it, after that add security.capability to some binary file,
> log out of the userns and use this binary to get all caps in the root user
> namespace.
>
> When the patches below get into mainstream, porting them will fix it:
> [PATCH v4 0/7] Initial support for user namespace owned mounts
> [PATCH v2 03/18] fs: Treat foreign mounts as nosuid
> [PATCH v2 14/18] capabilities: Allow privileged user in s_user_ns to set
> security.* xattrs
>
> https://jira.sw.ru/browse/PSBM-43267
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
> ---
>   security/commoncap.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 3a7003d..af80f74 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -624,7 +624,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
>   		       const void *value, size_t size, int flags)
>   {
>   	if (!strcmp(name, XATTR_NAME_CAPS)) {
> -		if (!capable(CAP_SETFCAP))
> +		if (!ve_capable(CAP_SETFCAP))
>   			return -EPERM;
>   		return 0;
>   	}
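Review bot: the `capable(CAP_SETFCAP)` -> `ve_capable(CAP_SETFCAP)` change in cap_inode_setxattr() is the security-sensitive half of this patch, and the commit message itself says why: a process inside the CT that has entered its own user namespace holds CAP_SETFCAP there, so whether this becomes a privilege escalation depends entirely on which user namespace `ve_capable()` evaluates the capability against. Please confirm in the review that `ve_capable()` checks against the VE's root user namespace rather than the caller's current one, and add a short comment above the check recording that this is a temporary relaxation pending the s_user_ns series named in the commit message ("capabilities: Allow privileged user in s_user_ns to set security.* xattrs"), so the next person touching this code knows the intended replacement.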
> @@ -650,7 +650,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
>   int cap_inode_removexattr(struct dentry *dentry, const char *name)
>   {
>   	if (!strcmp(name, XATTR_NAME_CAPS)) {
> -		if (!capable(CAP_SETFCAP))
> +		if (!ve_capable(CAP_SETFCAP))
>   			return -EPERM;
>   		return 0;
>   	}
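Review bot: the same `ve_capable()` question applies to cap_inode_removexattr(), but note the asymmetry: removing security.capability only strips privilege from a file, while setting it grants privilege, so if the setxattr side later has to be narrowed again (e.g. to a filesystem owned by the container's user namespace, as the s_user_ns series does), the removexattr side can reasonably keep this relaxed check. It would help to state that asymmetry in the commit message, and to keep the two checks symmetric in their helper call so the eventual port of the mainline series touches both in one place.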
>

