[Devel] [PATCH RHEL7 COMMIT] ve/xattr: allow to set trusted.xxx for container admin
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Sep 8 02:00:53 PDT 2016
The commit is pushed to "branch-rh7-3.10.0-327.28.2.vz7.17.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.28.2.vz7.17.4
------>
commit 4f7ce4dd4741cb65df018028aaefedb298915aa6
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Thu Sep 8 13:00:53 2016 +0400
ve/xattr: allow to set trusted.xxx for container admin
Attributes trusted.xxx are used in userspace mechanisms
which want to keep information in extended attributes to
which ordinary process has no access.
We can't check them all, but here is hope that such
mechanisms on host and in CT won't intersect, because
most likely we won't find the process from host which
sets xattrs on container files through /vz/root/<ctid>,
except the case with trusted.pfcache which is covered in
previous patch.
https://jira.sw.ru/browse/PSBM-51102
https://bugs.openvz.org/browse/OVZ-6791
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
fs/xattr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/xattr.c b/fs/xattr.c
index 3377dff..d49ea1b 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -52,7 +52,7 @@ xattr_permission(struct inode *inode, const char *name, int mask)
* The trusted.* namespace can only be accessed by privileged users.
*/
if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) {
- if (!capable(CAP_SYS_ADMIN))
+ if (!ve_capable(CAP_SYS_ADMIN))
return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
return 0;
}
More information about the Devel
mailing list