[Devel] [PATCH RHEL7 COMMIT] ve/xattr: allow set/remove security.capability inside CT

Konstantin Khorenko khorenko at virtuozzo.com
Thu Jan 21 08:38:00 PST 2016


The commit is pushed to "branch-rh7-3.10.0-229.7.2.vz7.9.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-229.7.2.vz7.9.24
------>
commit 4b59db4537de96cd9276eae9d0baa0ef878932d5
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Thu Jan 21 20:38:00 2016 +0400

    ve/xattr: allow set/remove security.capability inside CT
    
    Needed because inside a CT, rpm install of some packages sets the
    security.capability xattr, e.g.: file /usr/bin/ping, package iputils.
    
    This is a temporary decision, as it is not completely safe to do so:
    
    One without caps can create a new user namespace, enter it and have all
    caps in it, after that add security.capability to some binary file,
    leave the userns and use this binary to get all caps in the root user
    namespace.
    
    When the patches below get into mainstream, porting them will fix it:
    [PATCH v4 0/7] Initial support for user namespace owned mounts
    [PATCH v2 03/18] fs: Treat foreign mounts as nosuid
    [PATCH v2 14/18] capabilities: Allow privileged user in s_user_ns to set
    security.* xattrs
    
    https://jira.sw.ru/browse/PSBM-43294
    
    https://jira.sw.ru/browse/PSBM-43267
    https://bugs.openvz.org/browse/OVZ-6657
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
 security/commoncap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 3a7003d..af80f74 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -624,7 +624,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
 		       const void *value, size_t size, int flags)
 {
 	if (!strcmp(name, XATTR_NAME_CAPS)) {
-		if (!capable(CAP_SETFCAP))
+		if (!ve_capable(CAP_SETFCAP))
 			return -EPERM;
 		return 0;
 	}
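Review bot: switching `capable(CAP_SETFCAP)` to `ve_capable(CAP_SETFCAP)` here widens who may write `security.capability` from the init namespace's CAP_SETFCAP holders to any task that holds CAP_SETFCAP in its own VE, and the commit message itself says this is not completely safe (the user-namespace round trip it describes). Since the change is explicitly temporary, please put a comment above the `ve_capable()` call saying so and pointing at the upstream series named in the commit message ("fs: Treat foreign mounts as nosuid", "capabilities: Allow privileged user in s_user_ns to set security.* xattrs"), so that whoever ports those patches knows this site must be tightened to an s_user_ns-based check rather than left as a plain VE capability test.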
@@ -650,7 +650,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
 int cap_inode_removexattr(struct dentry *dentry, const char *name)
 {
 	if (!strcmp(name, XATTR_NAME_CAPS)) {
-		if (!capable(CAP_SETFCAP))
+		if (!ve_capable(CAP_SETFCAP))
 			return -EPERM;
 		return 0;
 	}
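Review bot: the `ve_capable(CAP_SETFCAP)` test is now copied verbatim in both `cap_inode_setxattr()` and `cap_inode_removexattr()`; factoring it into one small helper (e.g. a static `cap_may_change_fcaps()`) would make sure the follow-up tightening promised in the commit message lands in both the set and the remove path at once instead of one of them being missed. Removal is the less dangerous direction, but it still lets a VE-root strip file capabilities the host administrator set, so the same TODO comment belongs here too.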

