[Devel] [PATCH 2/2] xattr: allow to set trusted.xxx for container admin

Konstantin Khorenko khorenko at virtuozzo.com
Wed Sep 7 09:41:31 PDT 2016


On 09/06/2016 07:29 PM, Pavel Tikhomirov wrote:
> Attributes trusted.xxx are used in userspace mechanisms
> which want to keep information in extended attributes to
> which ordinary process has no access.
>
> We can't check them all, but here is hope that such
> mechanisms on host and in CT won't intersect, because
> most likely we won't find the process from host which
> sets xattrs on container files through /vz/root/<ctid>,
> except the case with trusted.pfcache which is covered in
> previous patch.
>
> https://jira.sw.ru/browse/PSBM-51102
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
> ---
>  fs/xattr.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/xattr.c b/fs/xattr.c
> index 3377dff..d49ea1b 100644
> --- a/fs/xattr.c
> +++ b/fs/xattr.c
> @@ -52,7 +52,7 @@ xattr_permission(struct inode *inode, const char *name, int mask)
>  	 * The trusted.* namespace can only be accessed by privileged users.
>  	 */
>  	if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) {
> -		if (!capable(CAP_SYS_ADMIN))
> +		if (!ve_capable(CAP_SYS_ADMIN))
>  			return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
>  		return 0;
>  	}
>

why don't we need the same capable() -> ve_capable() in simple_xattr_list()?


More information about the Devel mailing list