[Devel] [PATCH RHEL9 COMMIT] ve/fanotify: use ve_capable instead of capable
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Oct 29 19:57:10 MSK 2021
The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh9-5.14.0-4.vz9.10.23
------>
commit e31f7757d8b2b942fe2ff4f73514dcc794df99f5
Author: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
Date: Fri Oct 29 19:57:10 2021 +0300
ve/fanotify: use ve_capable instead of capable
A few months ago Amir introduced fanotify support
for unprivileged users, and a new capable check was
added into the fanotify_mark syscall.
This breaks fanotify inside VZ containers; we have
to check CAP_SYS_ADMIN relative to the VE.
Please refer to
7cea2a3 ("fanotify: support limited functionality for unprivileged users")
a8b98c80 ("fanotify: fix permission model of unprivileged group")
https://jira.sw.ru/browse/PSBM-135311
Fixes: 342bc47d ("ve/fanotify: Use ve-capable instead of plain capable test")
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
v2: added fixed commit refspec
---
fs/notify/fanotify/fanotify_user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 32664fb618a2..07439b5a8957 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -1330,7 +1330,7 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
* was initialized by an unprivileged user.
*/
ret = -EPERM;
- if ((!capable(CAP_SYS_ADMIN) ||
+ if ((!ve_capable(CAP_SYS_ADMIN) ||
FAN_GROUP_FLAG(group, FANOTIFY_UNPRIV)) &&
mark_type != FAN_MARK_INODE)
goto fput_and_out;
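Review bot: the switch to ve_capable(CAP_SYS_ADMIN) widens who may pass this check: a CAP_SYS_ADMIN holder inside a container now reaches the non-FAN_MARK_INODE mark types that the old capable() test reserved for host-privileged callers, so the commit message should say explicitly that this is intended and that the FANOTIFY_UNPRIV flag set at fanotify_init time is derived from the same ve_capable() test (per the Fixes: 342bc47d reference), otherwise a group created under one privilege model gets its marks gated by another. The comment above the hunk ("was initialized by an unprivileged user") still describes the host-wide semantics; extend it with one line noting that "privileged" here means relative to the VE.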