[Devel] [PATCH RH9 v2] ve/fanotify: use ve_capable instead of capable
Alexander Mikhalitsyn
alexander.mikhalitsyn at virtuozzo.com
Fri Oct 29 18:27:12 MSK 2021
A few months ago Amir introduced fanotify support for unprivileged users; a new capable check was added to the fanotify_mark syscall.

This breaks fanotify inside VZ containers; we have to check CAP_SYS_ADMIN relative to the VE.

Please refer to
7cea2a3 ("fanotify: support limited functionality for unprivileged users")
a8b98c80 ("fanotify: fix permission model of unprivileged group")
https://jira.sw.ru/browse/PSBM-135311

Fixes: 342bc47d ("ve/fanotify: Use ve-capable instead of plain capable test")
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>

v2: added fixed commit refspec
---
fs/notify/fanotify/fanotify_user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 32664fb618a2..07439b5a8957 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -1330,7 +1330,7 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
* was initialized by an unprivileged user.
*/
ret = -EPERM;
- if ((!capable(CAP_SYS_ADMIN) ||
+ if ((!ve_capable(CAP_SYS_ADMIN) ||
FAN_GROUP_FLAG(group, FANOTIFY_UNPRIV)) &&
mark_type != FAN_MARK_INODE)
goto fput_and_out;
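Review bot: Switching only this check to ve_capable(CAP_SYS_ADMIN) is not sufficient on its own, because the condition still rejects non-inode marks whenever FAN_GROUP_FLAG(group, FANOTIFY_UNPRIV) is set, and the comment above ("was initialized by an unprivileged user") shows that flag is decided at group creation in fanotify_init. If the capability test that sets FANOTIFY_UNPRIV still uses plain capable(), a group created by container root is still marked unprivileged and this hunk changes nothing for it. Please either state in the commit message that the fanotify_init side is already ve-aware (the Fixes: tag hints at an earlier ve-capable conversion) or convert that check in the same patch so the two sites agree. The `-`/`+` lines otherwise look correct and the EPERM fallthrough is preserved.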
--
2.31.1