[Devel] [PATCH rh7 v2] commoncap: relax setxattr and removexattr checks
Andrey Zhadchenko
andrey.zhadchenko at virtuozzo.com
Mon Nov 16 14:39:12 MSK 2020
Allow user to set security xattr (XATTR_SECURITY_PREFIX) from the inside
of ve on external mounts (for example, root).
https://jira.sw.ru/browse/PSBM-122071
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
security/commoncap.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
v2: omit #ifdef CONFIG_VE since ve_capable is defined for that case.
diff --git a/security/commoncap.c b/security/commoncap.c
index 6ce7b51..98d6a10 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -912,7 +912,8 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
return 0;
if (!ns_capable(user_ns, CAP_SYS_ADMIN))
- return -EPERM;
+ if (!ve_capable(CAP_SYS_ADMIN))
+ return -EPERM;
return 0;
}
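Review bot: the nested, unbraced if in cap_inode_setxattr() is easy to misread and becomes a dangling-else hazard if the block is ever extended; fold it into a single condition, "if (!ns_capable(user_ns, CAP_SYS_ADMIN) && !ve_capable(CAP_SYS_ADMIN)) return -EPERM;". The fallback also means the user_ns check no longer binds for any caller that passes ve_capable(), so a comment at this point should state why CAP_SYS_ADMIN inside the ve is sufficient for security.* xattrs on a mount the container does not own, and whether that is intended for every name under XATTR_SECURITY_PREFIX that reaches this check.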
@@ -947,7 +948,8 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name)
}
if (!ns_capable(user_ns, CAP_SYS_ADMIN))
- return -EPERM;
+ if (!ve_capable(CAP_SYS_ADMIN))
+ return -EPERM;
return 0;
}
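Review bot: cap_inode_removexattr() receives the same ve_capable() fallback, but the changelog body only talks about setting security xattrs; please say there why removal has to be relaxed as well, since dropping a security.* attribute on an external mount is a separate decision from adding one. With this hunk the two functions carry identical copies of the check, so a small shared helper holding the ns_capable()/ve_capable() test and its explanatory comment would keep them from drifting apart.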
--
1.8.3.1