[Devel] [PATCH RH7] xattr: allow set/remove security.capability inside CT

Kirill Tkhai ktkhai at virtuozzo.com
Thu Jan 21 07:16:12 PST 2016



On 21.01.2016 15:16, Pavel Tikhomirov wrote:
> Need it as in CT for some packages rpm install sets security.capability
> xattr e.g.: file /usr/bin/ping, package iputils.
> 
> That is temporary decision as it is not completely safe to do so as:
> 
> One without caps can create new user namespace enter it and have all
> caps in it, after that add security.capability to some binary file,
> logout userns and use these binary to get all caps in root user
> namespace.
> 
> When patches below will get into mainstream porting them will fix it:
> [PATCH v4 0/7] Initial support for user namespace owned mounts
> [PATCH v2 03/18] fs: Treat foreign mounts as nosuid
> [PATCH v2 14/18] capabilities: Allow privileged user in s_user_ns to set
> security.* xattrs

Will waiting for them with this temporary solution.
 
> https://jira.sw.ru/browse/PSBM-43267
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>

> ---
>  security/commoncap.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 3a7003d..af80f74 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -624,7 +624,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
>  		       const void *value, size_t size, int flags)
>  {
>  	if (!strcmp(name, XATTR_NAME_CAPS)) {
> -		if (!capable(CAP_SETFCAP))
> +		if (!ve_capable(CAP_SETFCAP))
>  			return -EPERM;
>  		return 0;
>  	}
> @@ -650,7 +650,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
>  int cap_inode_removexattr(struct dentry *dentry, const char *name)
>  {
>  	if (!strcmp(name, XATTR_NAME_CAPS)) {
> -		if (!capable(CAP_SETFCAP))
> +		if (!ve_capable(CAP_SETFCAP))
>  			return -EPERM;
>  		return 0;
>  	}
> 


More information about the Devel mailing list