[Devel] [PATCH RHEL9 COMMIT] commoncap: relax setxattr and removxattr checks

Konstantin Khorenko khorenko at virtuozzo.com
Wed Oct 20 11:40:42 MSK 2021


The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh9-5.14.0-4.vz9.10.12
------>
commit c998ef1c28dc8c090b27e1917537a2b5fc2de77e
Author: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
Date:   Wed Oct 20 11:40:41 2021 +0300

    commoncap: relax setxattr and removxattr checks
    
    Allow the user to set security xattrs (XATTR_SECURITY_PREFIX) from inside
    a ve on external mounts (for example, root).
    
    https://jira.sw.ru/browse/PSBM-122071
    Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
    
    Cherry-picked from vz7 commit d92402f6a7c9 ("commoncap: relax setxattr and
    removxattr checks")
    
    Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
    
    (cherry picked from vz8 commit 22dfe21e51e1bca0d420df7abc8e1a1eb0491a0d)
    Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 security/commoncap.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 3f810d37b71b..ae3799afd850 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1007,7 +1007,8 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
 		return 0;
 
 	if (!ns_capable(user_ns, CAP_SYS_ADMIN))
-		return -EPERM;
+		if (!ve_capable(CAP_SYS_ADMIN))
+			return -EPERM;
 	return 0;
 }
 
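Review bot: the new condition in cap_inode_setxattr() is broader than the commit message describes, and the nested if without braces should be folded into one expression. As written, `if (!ns_capable(user_ns, CAP_SYS_ADMIN)) if (!ve_capable(CAP_SYS_ADMIN)) return -EPERM;` grants any process holding CAP_SYS_ADMIN inside the ve the right to write every security.* xattr (except XATTR_NAME_CAPS, handled earlier) on any inode that reaches this point; nothing in the hunk checks that the dentry is on an "external mount", so the relaxation applies to all filesystems whose s_user_ns the caller is not capable over, not only the external ones the message names. If that is the intent, say so in the commit message and add a comment above the check explaining why ve_capable() is a sufficient substitute for ns_capable() on the filesystem's user namespace here, since security.* names carry LSM labels (SELinux, IMA/EVM) that the host may rely on. Stylistically, prefer `if (!ns_capable(user_ns, CAP_SYS_ADMIN) && !ve_capable(CAP_SYS_ADMIN)) return -EPERM;` so the two conditions read as one check and checkpatch does not flag the braceless nested if.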
@@ -1051,7 +1052,8 @@ int cap_inode_removexattr(struct user_namespace *mnt_userns,
 	}
 
 	if (!ns_capable(user_ns, CAP_SYS_ADMIN))
-		return -EPERM;
+		if (!ve_capable(CAP_SYS_ADMIN))
+			return -EPERM;
 	return 0;
 }
 
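Review bot: the same nested-if construction is repeated here in cap_inode_removexattr(), which means the setxattr and removexattr policies must now be kept in sync by hand; consider a small static helper (for example, one that returns whether the caller may touch security.* xattrs on this superblock) used by both functions, so a future change to one path cannot silently diverge from the other. The same scoping question applies: removing a security.* attribute is permitted by ve capability alone on any inode that reaches this line, and the hunk shows no restriction to external mounts. Combine the conditions with `&&` as in the first hunk and document the intended scope in a comment.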