[Devel] [PATCH RH9 24/33] ve/fs: add ve_capable to check capabilities relative to the current VE

Andrey Zhadchenko andrey.zhadchenko at virtuozzo.com
Thu Sep 23 22:08:27 MSK 2021


From: Andrew Vagin <avagin at openvz.org>

We want to allow a few operations in VE. Currently we use nsown_capable,
but it's wrong, because in this case we allow these operations in any
user namespace.

https://jira.sw.ru/browse/PSBM-39077

Signed-off-by: Andrew Vagin <avagin at virtuozzo.com>
Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>

khorenko@:
rebase to RHEL8 beta kernel notes:
- dropped hunk in vfs_mknod(), ns_capable() already used there

vvs@:
rebase to rh8 kernel:
- dropped ve_capable() in autofs due to mainline chacnges

khorenko@: RHEL8.4 rebase notes:
- the check in ext4_ioctl_setflags() has been substituted by a call to
  vfs_ioc_setflags_prepare(), so i've moved the check for ve_capable()
  there. This func is called in many other filesystems, but if those fs
  are accessible inside a Container - why not to allow _setflags() for
  all of them? So let it be.

Rebased to vz9:
- vfs_ioc_setflags_prepare API is obsoleted by fileattr API added in
4c5b47997521 ("vfs: add fileattr ops is removed in ms commit") and
later removed in 51db776a430e ("vfs: remove unused ioctl helpers")
so drop fs/inode hunk and change ve_capable in fs/ioctl

(cherry picked from vz8 commit 3f1f1522f6810901a5f4f1e3b729c6a569fda35e)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 fs/autofs/dev-ioctl.c   | 2 +-
 fs/autofs/root.c        | 2 +-
 fs/ext4/xattr_trusted.c | 2 +-
 fs/ioctl.c              | 2 +-
 fs/namei.c              | 2 +-
 fs/ocfs2/ioctl.c        | 2 +-
 fs/open.c               | 2 +-
 fs/proc/base.c          | 2 +-
 fs/xattr.c              | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/fs/autofs/dev-ioctl.c b/fs/autofs/dev-ioctl.c
index 5bf781e..7efb5b53 100644
--- a/fs/autofs/dev-ioctl.c
+++ b/fs/autofs/dev-ioctl.c
@@ -613,7 +613,7 @@ static int _autofs_dev_ioctl(unsigned int command,
 	 */
 	if (cmd != AUTOFS_DEV_IOCTL_VERSION_CMD &&
 	    cmd != AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD &&
-	    !capable(CAP_SYS_ADMIN))
+	    !ve_capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
 	/* Copy the parameters into kernel space. */
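Review bot: The relaxed gate at the changed line contradicts the rebase note in this commit's own description ("dropped ve_capable() in autofs due to mainline changes"), while the diffstat now carries two autofs hunks — one of the two is stale and should be reconciled before merge. The device ioctls behind this check act on whatever autofs mount the supplied path or ioctlfd resolves to, so handing CAP_SYS_ADMIN to container root is only safe if a container's mount namespace cannot reach host autofs mounts; if that is not guaranteed, a superblock-ownership test belongs beside this check, e.g. `if (... && !(ve_capable(CAP_SYS_ADMIN) && autofs_sb_owned_by_current_ve(sbi)))` with an appropriate helper. Note also that ve_capable() itself is not defined anywhere in this patch despite the subject line; which user namespace it tests against decides whether this actually fixes the nsown_capable problem the description raises. `_autofs_dev_ioctl()` begins before this hunk.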
diff --git a/fs/autofs/root.c b/fs/autofs/root.c
index 91fe454..696b554 100644
--- a/fs/autofs/root.c
+++ b/fs/autofs/root.c
@@ -872,7 +872,7 @@ static int autofs_root_ioctl_unlocked(struct inode *inode, struct file *filp,
 	     _IOC_NR(cmd) - _IOC_NR(AUTOFS_IOC_FIRST) >= AUTOFS_IOC_COUNT)
 		return -ENOTTY;
 
-	if (!autofs_oz_mode(sbi) && !capable(CAP_SYS_ADMIN))
+	if (!autofs_oz_mode(sbi) && !ve_capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
 	switch (cmd) {
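Review bot: The changed line gives no hint why a VE-scoped CAP_SYS_ADMIN is acceptable here where the dev-ioctl path needs more care, and a future reader will likely ask. Unlike the /dev/autofs interface, this ioctl is issued on an open file of the autofs mount itself, so `sbi` is necessarily a mount the caller can already see in its namespace; that is the property that makes the weaker check defensible, and it deserves to be written down: `/* ioctl targets the caller's own autofs mount (sbi), so VE-level CAP_SYS_ADMIN is sufficient */`. If ve_capable() is ever made to consult the VE that owns `sbi` rather than the caller, this comment is where that should be reflected. `autofs_root_ioctl_unlocked()` begins before this hunk.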
diff --git a/fs/ext4/xattr_trusted.c b/fs/ext4/xattr_trusted.c
index 7c21ffb..7481ea1 100644
--- a/fs/ext4/xattr_trusted.c
+++ b/fs/ext4/xattr_trusted.c
@@ -16,7 +16,7 @@
 static bool
 ext4_xattr_trusted_list(struct dentry *dentry)
 {
-	return capable(CAP_SYS_ADMIN);
+	return ve_capable(CAP_SYS_ADMIN);
 }
 
 static int
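Review bot: Only ext4's trusted.* list callback is relaxed, but the diffstat shows no equivalent change for other filesystems that carry a trusted handler, so inside a container `listxattr` will now expose trusted.* names on ext4 but silently hide them elsewhere — an inconsistency that will surface as confusing fs-dependent behaviour rather than a clear -EPERM. This callback must also stay in lockstep with the generic permission check in fs/xattr.c changed by this same series; a one-line comment ties them together: `/* Must match the trusted.* rule in xattr_permission() (fs/xattr.c) */`. Separately, exposing trusted.* names to container root is a mild information leak on filesystems shared with the host; whether that is acceptable depends on what the host stores there, which this patch does not discuss.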
diff --git a/fs/ioctl.c b/fs/ioctl.c
index 1e2204f..219b552 100644
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -799,7 +799,7 @@ static int fileattr_set_prepare(struct inode *inode,
 	 * the relevant capability.
 	 */
 	if ((fa->flags ^ old_ma->flags) & (FS_APPEND_FL | FS_IMMUTABLE_FL) &&
-	    !capable(CAP_LINUX_IMMUTABLE))
+	    !ve_capable(CAP_LINUX_IMMUTABLE))
 		return -EPERM;
 
 	err = fscrypt_prepare_setflags(inode, old_ma->flags, fa->flags);
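Review bot: With CAP_LINUX_IMMUTABLE now granted at VE scope, container root can set FS_IMMUTABLE_FL/FS_APPEND_FL on any inode it can write, including files reached through bind mounts of host filesystems, and the host's own cleanup or backup tooling will then fail with -EPERM until it clears the flag — a cheap denial-of-service against the management plane unless the inode's superblock is confirmed to belong to the caller's VE. If the intent (per the RHEL8.4 rebase note) really is "any fs accessible inside a Container", that policy should at least be stated at the check: `/* VE root may toggle immutable/append on any inode visible in the Container; host tooling must clear these before removal */`. The comment immediately above the hunk still speaks of "the relevant capability" and should mention that it is tested VE-relative. `fileattr_set_prepare()` begins before this hunk.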
diff --git a/fs/namei.c b/fs/namei.c
index 8eee5ad..47c0fe3 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -4349,7 +4349,7 @@ static int do_linkat(int olddfd, const char __user *oldname, int newdfd,
 	 * handlink using the passed filedescriptor.
 	 */
 	if (flags & AT_EMPTY_PATH) {
-		if (!capable(CAP_DAC_READ_SEARCH))
+		if (!ve_capable(CAP_DAC_READ_SEARCH))
 			return -ENOENT;
 		how = LOOKUP_EMPTY;
 	}
diff --git a/fs/ocfs2/ioctl.c b/fs/ocfs2/ioctl.c
index f59461d..f866f11 100644
--- a/fs/ocfs2/ioctl.c
+++ b/fs/ocfs2/ioctl.c
@@ -113,7 +113,7 @@ int ocfs2_fileattr_set(struct user_namespace *mnt_userns,
 	/* Check already done by VFS, but repeat with ocfs lock */
 	status = -EPERM;
 	if ((flags ^ oldflags) & (FS_APPEND_FL | FS_IMMUTABLE_FL) &&
-	    !capable(CAP_LINUX_IMMUTABLE))
+	    !ve_capable(CAP_LINUX_IMMUTABLE))
 		goto bail_unlock;
 
 	handle = ocfs2_start_trans(osb, OCFS2_INODE_UPDATE_CREDITS);
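Review bot: This is the second copy of the FS_APPEND_FL/FS_IMMUTABLE_FL capability test (the comment above it says it repeats the VFS check under the ocfs2 lock), so any later tightening of the VFS check — for example a VE-ownership condition on the superblock — must be mirrored here or the two paths will disagree, and the comment should say which function it mirrors: `/* Check already done by VFS (fileattr_set_prepare), but repeat with ocfs lock */`. ocfs2 is a shared-disk cluster filesystem, so, if it is ever mounted into a Container, flags set by container root are visible to every node sharing the volume; that is a wider blast radius than the ext4 case this series was written for and is worth a sentence in the commit message. `ocfs2_fileattr_set()` begins before this hunk.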
diff --git a/fs/open.c b/fs/open.c
index 8e8c676..21c9411 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -1363,7 +1363,7 @@ int filp_close(struct file *filp, fl_owner_t id)
  */
 SYSCALL_DEFINE0(vhangup)
 {
-	if (capable(CAP_SYS_TTY_CONFIG)) {
+	if (ve_capable(CAP_SYS_TTY_CONFIG)) {
 		tty_vhangup_self();
 		return 0;
 	}
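Review bot: The relaxed check at the changed line is the least risky in this series, because tty_vhangup_self() only acts on the caller's own controlling terminal, but nothing at the site says so and a reader auditing ve_capable() call sites will not know it was deliberate. A short comment fixes that: `/* Hangs up only current's controlling tty, so VE-scoped CAP_SYS_TTY_CONFIG is sufficient */`. The fallthrough path for the unprivileged case lies outside the hunk and is presumably the unchanged -EPERM return. `SYSCALL_DEFINE0(vhangup)` continues outside this hunk.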
diff --git a/fs/proc/base.c b/fs/proc/base.c
index e91b514..b0afbb1 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1073,7 +1073,7 @@ static int __set_oom_adj(struct file *file, int oom_adj, bool legacy)
 	mutex_lock(&oom_adj_mutex);
 	if (legacy) {
 		if (oom_adj < task->signal->oom_score_adj &&
-				!capable(CAP_SYS_RESOURCE)) {
+				!ve_capable(CAP_SYS_RESOURCE)) {
 			err = -EACCES;
 			goto err_unlock;
 		}
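Review bot: Only the legacy /proc/pid/oom_adj branch is relaxed at the changed line; the diffstat records a single changed line in fs/proc/base.c, so the non-legacy branch just past the hunk (which, in the upstream code this follows, refuses to go below oom_score_adj_min without capable(CAP_SYS_RESOURCE)) appears untouched. If so, container root can now lower a task's score via the legacy file to a value the oom_score_adj file would still reject, bypassing an oom_score_adj_min floor the host may have set; the two branches should either both use ve_capable() (with the min floor re-checked) or both stay host-only. The later `has_capability_noaudit(current, CAP_SYS_RESOURCE)` that decides whether oom_score_adj_min is updated is also outside the hunk and should be reviewed for the same asymmetry. `__set_oom_adj()` begins before this hunk.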
diff --git a/fs/xattr.c b/fs/xattr.c
index 5c8c517..be887a6 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -114,7 +114,7 @@
 	 * The trusted.* namespace can only be accessed by privileged users.
 	 */
 	if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) {
-		if (!capable(CAP_SYS_ADMIN))
+		if (!ve_capable(CAP_SYS_ADMIN))
 			return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
 		return 0;
 	}
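Review bot: The comment above the changed line says trusted.* is reserved for privileged users, and that reservation is what host-level mechanisms rely on when they stash their own metadata in trusted.* on files a container can also write; after this change container root can set or clear those attributes on any filesystem shared into the Container (bind mounts of host paths included), and only ve_capable()'s unseen definition stands between that and a host-visible integrity problem. If writes cannot be confined to superblocks owned by the VE, the safer split is to relax reads only and keep writes host-gated: `if (!ve_capable(CAP_SYS_ADMIN) || ((mask & MAY_WRITE) && !capable(CAP_SYS_ADMIN)))`. Whichever policy is chosen, the comment above should state it explicitly rather than continue to say "privileged users". The enclosing `xattr_permission()` begins before this hunk.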
-- 
1.8.3.1


