[Devel] [PATCH RH7] commoncap: relax setxattr and removexattr checks
Vasily Averin
vvs at virtuozzo.com
Mon Nov 16 13:59:49 MSK 2020
On 11/16/20 1:09 PM, Andrey Zhadchenko wrote:
> Allow user to set security xattr (XATTR_SECURITY_PREFIX) from the inside
> of ve on external mounts (for example, root).
>
> https://jira.sw.ru/browse/PSBM-122071
> Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
> ---
> security/commoncap.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 6ce7b51..30795d8 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -912,7 +912,10 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
> return 0;
>
> if (!ns_capable(user_ns, CAP_SYS_ADMIN))
> - return -EPERM;
> +#ifdef CONFIG_VE
> + if (!ve_capable(CAP_SYS_ADMIN))
> +#endif
Is CONFIG_VE really required here?
ve_capable is defined for the !CONFIG_VE case too, as plain capable().
> + return -EPERM;
> return 0;
> }
>
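Review bot: the nested `if` under `#ifdef CONFIG_VE` (the `+#ifdef CONFIG_VE` / `+ if (!ve_capable(CAP_SYS_ADMIN))` / `+#endif` lines) makes `return -EPERM;` the body of a different `if` depending on the config, which is easy to misread and fragile to edit; since the intent is to deny only when both checks fail, fold it into one condition, `if (!ns_capable(user_ns, CAP_SYS_ADMIN) && !ve_capable(CAP_SYS_ADMIN))`, and drop the `#ifdef`. Note also that the added condition tests only the caller's capability and nothing about the mount, so the relaxation applies to every inode this function is called for, not only the external mounts the commit message names; the commit message should state that scope explicitly.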
> @@ -947,7 +950,10 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name)
> }
>
> if (!ns_capable(user_ns, CAP_SYS_ADMIN))
> - return -EPERM;
> +#ifdef CONFIG_VE
> + if (!ve_capable(CAP_SYS_ADMIN))
> +#endif
> + return -EPERM;
> return 0;
> }
>
>
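Review bot: same construction as in cap_inode_setxattr: the `#ifdef CONFIG_VE` wrapped `if (!ve_capable(CAP_SYS_ADMIN))` inserted between the `ns_capable` test and `return -EPERM;` should be a single `&&` condition without the `#ifdef`. Since the identical check now appears in both cap_inode_setxattr and cap_inode_removexattr, consider a small static helper for it so the two call sites cannot drift apart.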