[Devel] [PATCH RHEL COMMIT] ve/fs: add ve_capable to check capabilities relative to the current VE
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Sep 24 15:48:48 MSK 2021
The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit 688f7c347f638b7f9833bce084af48b8f3d50d77
Author: Andrew Vagin <avagin at openvz.org>
Date: Fri Sep 24 15:48:48 2021 +0300
ve/fs: add ve_capable to check capabilities relative to the current VE
We want to allow a few operations in VE. Currently we use nsown_capable,
but it's wrong, because in this case we allow these operations in any
user namespace.
https://jira.sw.ru/browse/PSBM-39077
Signed-off-by: Andrew Vagin <avagin at virtuozzo.com>
Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
khorenko@:
rebase to RHEL8 beta kernel notes:
- dropped hunk in vfs_mknod(), ns_capable() already used there
vvs@:
rebase to rh8 kernel:
- dropped ve_capable() in autofs due to mainline changes
khorenko@: RHEL8.4 rebase notes:
- the check in ext4_ioctl_setflags() has been substituted by a call to
vfs_ioc_setflags_prepare(), so i've moved the check for ve_capable()
there. This func is called in many other filesystems, but if those fs
are accessible inside a Container - why not to allow _setflags() for
all of them? So let it be.
Rebased to vz9:
- vfs_ioc_setflags_prepare API is obosleted by fileattr API added in
4c5b47997521 ("vfs: add fileattr ops is removed in ms commit") and
later removed in 51db776a430e ("vfs: remove unused ioctl helpers")
so drop fs/inode hunk and change ve_capable in fs/ioctl
(cherry picked from vz8 commit 3f1f1522f6810901a5f4f1e3b729c6a569fda35e)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
fs/autofs/dev-ioctl.c | 2 +-
fs/autofs/root.c | 2 +-
fs/ext4/xattr_trusted.c | 2 +-
fs/ioctl.c | 2 +-
fs/namei.c | 2 +-
fs/ocfs2/ioctl.c | 2 +-
fs/open.c | 2 +-
fs/proc/base.c | 2 +-
fs/xattr.c | 2 +-
9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/fs/autofs/dev-ioctl.c b/fs/autofs/dev-ioctl.c
index 5bf781ea6d67..7efb5b533597 100644
--- a/fs/autofs/dev-ioctl.c
+++ b/fs/autofs/dev-ioctl.c
@@ -613,7 +613,7 @@ static int _autofs_dev_ioctl(unsigned int command,
*/
if (cmd != AUTOFS_DEV_IOCTL_VERSION_CMD &&
cmd != AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD &&
- !capable(CAP_SYS_ADMIN))
+ !ve_capable(CAP_SYS_ADMIN))
return -EPERM;
/* Copy the parameters into kernel space. */
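Review bot: The rebase note in the description says ve_capable() was dropped from autofs on the rh8 rebase, yet this patch converts both autofs call sites (here in _autofs_dev_ioctl and in fs/autofs/root.c), and nothing in the description says why they were reinstated for vz9; one sentence in the "Rebased to vz9" paragraph, such as "- autofs hunks re-added since the vz9 tree carries the capable() checks again", would keep the history consistent with the diffstat. The patch also introduces no definition or header for ve_capable(), so it presumably relies on an earlier commit having made it visible to every touched file; worth confirming each of the nine files already reaches that declaration. _autofs_dev_ioctl begins and ends outside the hunk.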
diff --git a/fs/autofs/root.c b/fs/autofs/root.c
index 91fe4548c256..696b5543aca6 100644
--- a/fs/autofs/root.c
+++ b/fs/autofs/root.c
@@ -872,7 +872,7 @@ static int autofs_root_ioctl_unlocked(struct inode *inode, struct file *filp,
_IOC_NR(cmd) - _IOC_NR(AUTOFS_IOC_FIRST) >= AUTOFS_IOC_COUNT)
return -ENOTTY;
- if (!autofs_oz_mode(sbi) && !capable(CAP_SYS_ADMIN))
+ if (!autofs_oz_mode(sbi) && !ve_capable(CAP_SYS_ADMIN))
return -EPERM;
switch (cmd) {
diff --git a/fs/ext4/xattr_trusted.c b/fs/ext4/xattr_trusted.c
index 7c21ffb26d25..7481ea17a61b 100644
--- a/fs/ext4/xattr_trusted.c
+++ b/fs/ext4/xattr_trusted.c
@@ -16,7 +16,7 @@
static bool
ext4_xattr_trusted_list(struct dentry *dentry)
{
- return capable(CAP_SYS_ADMIN);
+ return ve_capable(CAP_SYS_ADMIN);
}
static int
diff --git a/fs/ioctl.c b/fs/ioctl.c
index 1e2204fa9963..219b552b3c8c 100644
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -799,7 +799,7 @@ static int fileattr_set_prepare(struct inode *inode,
* the relevant capability.
*/
if ((fa->flags ^ old_ma->flags) & (FS_APPEND_FL | FS_IMMUTABLE_FL) &&
- !capable(CAP_LINUX_IMMUTABLE))
+ !ve_capable(CAP_LINUX_IMMUTABLE))
return -EPERM;
err = fscrypt_prepare_setflags(inode, old_ma->flags, fa->flags);
diff --git a/fs/namei.c b/fs/namei.c
index 8eee5ad4ade5..47c0fe382a51 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -4349,7 +4349,7 @@ static int do_linkat(int olddfd, const char __user *oldname, int newdfd,
* handlink using the passed filedescriptor.
*/
if (flags & AT_EMPTY_PATH) {
- if (!capable(CAP_DAC_READ_SEARCH))
+ if (!ve_capable(CAP_DAC_READ_SEARCH))
return -ENOENT;
how = LOOKUP_EMPTY;
}
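Review bot: The AT_EMPTY_PATH check in do_linkat is relaxed from a global to a VE-scoped CAP_DAC_READ_SEARCH with no comment on why that scope is adequate, while the comment cut off above the hunk appears to justify only the original restriction. This check presumably exists so that a caller cannot create a name for an object it holds only as a descriptor, so the new scope means VE root is now trusted to do that within its container; recording that intent next to the check, e.g. `/* VE root may link by descriptor within its VE (PSBM-39077) */`, would save the next reviewer from re-deriving it. do_linkat begins and ends outside the hunk.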
diff --git a/fs/ocfs2/ioctl.c b/fs/ocfs2/ioctl.c
index f59461d85da4..f866f11fc205 100644
--- a/fs/ocfs2/ioctl.c
+++ b/fs/ocfs2/ioctl.c
@@ -113,7 +113,7 @@ int ocfs2_fileattr_set(struct user_namespace *mnt_userns,
/* Check already done by VFS, but repeat with ocfs lock */
status = -EPERM;
if ((flags ^ oldflags) & (FS_APPEND_FL | FS_IMMUTABLE_FL) &&
- !capable(CAP_LINUX_IMMUTABLE))
+ !ve_capable(CAP_LINUX_IMMUTABLE))
goto bail_unlock;
handle = ocfs2_start_trans(osb, OCFS2_INODE_UPDATE_CREDITS);
diff --git a/fs/open.c b/fs/open.c
index 8e8c676005cb..21c941193783 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -1363,7 +1363,7 @@ SYSCALL_DEFINE3(close_range, unsigned int, fd, unsigned int, max_fd,
*/
SYSCALL_DEFINE0(vhangup)
{
- if (capable(CAP_SYS_TTY_CONFIG)) {
+ if (ve_capable(CAP_SYS_TTY_CONFIG)) {
tty_vhangup_self();
return 0;
}
diff --git a/fs/proc/base.c b/fs/proc/base.c
index e91b5145d92f..b0afbb1ab317 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1073,7 +1073,7 @@ static int __set_oom_adj(struct file *file, int oom_adj, bool legacy)
mutex_lock(&oom_adj_mutex);
if (legacy) {
if (oom_adj < task->signal->oom_score_adj &&
- !capable(CAP_SYS_RESOURCE)) {
+ !ve_capable(CAP_SYS_RESOURCE)) {
err = -EACCES;
goto err_unlock;
}
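Review bot: Only the legacy branch of __set_oom_adj is converted here; the diffstat shows a single changed line in fs/proc/base.c, and if the non-legacy branch below the hunk carries the parallel `capable(CAP_SYS_RESOURCE)` check against oom_score_adj_min (as it does in mainline), the two interfaces now disagree inside a VE about who may lower the OOM score. If that is the case the else branch should be converted the same way, `!ve_capable(CAP_SYS_RESOURCE)) {`, or the description should say why /proc/pid/oom_score_adj intentionally keeps the global check. __set_oom_adj begins and ends outside the hunk.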
diff --git a/fs/xattr.c b/fs/xattr.c
index 5c8c5175b385..be887a6543fa 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -114,7 +114,7 @@ xattr_permission(struct user_namespace *mnt_userns, struct inode *inode,
* The trusted.* namespace can only be accessed by privileged users.
*/
if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) {
- if (!capable(CAP_SYS_ADMIN))
+ if (!ve_capable(CAP_SYS_ADMIN))
return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
return 0;
}
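Review bot: The comment two lines above the changed check still says the trusted.* namespace "can only be accessed by privileged users", which no longer conveys that the privilege is now evaluated relative to the caller's VE; since this and the matching ext4_xattr_trusted_list change in fs/ext4/xattr_trusted.c widen who can read and write trusted.* attributes, the comment should state the scope, e.g. `* The trusted.* namespace can only be accessed by users holding CAP_SYS_ADMIN in their VE.`. xattr_permission begins and ends outside the hunk.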