[Devel] [PATCH RHEL COMMIT] ve/fs: add ve_capable to check capabilities relative to the current VE

Konstantin Khorenko khorenko at virtuozzo.com
Fri Sep 24 15:48:48 MSK 2021


The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit 688f7c347f638b7f9833bce084af48b8f3d50d77
Author: Andrew Vagin <avagin at openvz.org>
Date:   Fri Sep 24 15:48:48 2021 +0300

    ve/fs: add ve_capable to check capabilities relative to the current VE
    
    We want to allow a few operations in VE. Currently we use nsown_capable,
    but it's wrong, because in this case we allow these operations in any
    user namespace.
    
    https://jira.sw.ru/browse/PSBM-39077
    
    Signed-off-by: Andrew Vagin <avagin at virtuozzo.com>
    
    Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
    
    khorenko@:
    rebase to RHEL8 beta kernel notes:
    - dropped hunk in vfs_mknod(), ns_capable() already used there
    
    vvs@:
    rebase to rh8 kernel:
    - dropped ve_capable() in autofs due to mainline chacnges
    
    khorenko@: RHEL8.4 rebase notes:
    - the check in ext4_ioctl_setflags() has been substituted by a call to
      vfs_ioc_setflags_prepare(), so i've moved the check for ve_capable()
      there. This func is called in many other filesystems, but if those fs
      are accessible inside a Container - why not to allow _setflags() for
      all of them? So let it be.
    
    Rebased to vz9:
    - vfs_ioc_setflags_prepare API is obsoleted by fileattr API added in
    4c5b47997521 ("vfs: add fileattr ops is removed in ms commit") and
    later removed in 51db776a430e ("vfs: remove unused ioctl helpers")
    so drop fs/inode hunk and change ve_capable in fs/ioctl
    
    (cherry picked from vz8 commit 3f1f1522f6810901a5f4f1e3b729c6a569fda35e)
    Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 fs/autofs/dev-ioctl.c   | 2 +-
 fs/autofs/root.c        | 2 +-
 fs/ext4/xattr_trusted.c | 2 +-
 fs/ioctl.c              | 2 +-
 fs/namei.c              | 2 +-
 fs/ocfs2/ioctl.c        | 2 +-
 fs/open.c               | 2 +-
 fs/proc/base.c          | 2 +-
 fs/xattr.c              | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/fs/autofs/dev-ioctl.c b/fs/autofs/dev-ioctl.c
index 5bf781ea6d67..7efb5b533597 100644
--- a/fs/autofs/dev-ioctl.c
+++ b/fs/autofs/dev-ioctl.c
@@ -613,7 +613,7 @@ static int _autofs_dev_ioctl(unsigned int command,
 	 */
 	if (cmd != AUTOFS_DEV_IOCTL_VERSION_CMD &&
 	    cmd != AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD &&
-	    !capable(CAP_SYS_ADMIN))
+	    !ve_capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
 	/* Copy the parameters into kernel space. */
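Review bot: The rebase note in the description ("dropped ve_capable() in autofs due to mainline changes") contradicts this hunk and the fs/autofs/root.c hunk, which both convert autofs CAP_SYS_ADMIN checks to ve_capable(); the description should say which autofs site was dropped and that these two remain. None of the nine hunks adds a declaration or include for ve_capable(), so the build presumably relies on it reaching these files through an already-included header, which is worth confirming for fs/autofs since it may not include the VE headers the core VFS files do. _autofs_dev_ioctl() starts and ends outside the hunk.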
diff --git a/fs/autofs/root.c b/fs/autofs/root.c
index 91fe4548c256..696b5543aca6 100644
--- a/fs/autofs/root.c
+++ b/fs/autofs/root.c
@@ -872,7 +872,7 @@ static int autofs_root_ioctl_unlocked(struct inode *inode, struct file *filp,
 	     _IOC_NR(cmd) - _IOC_NR(AUTOFS_IOC_FIRST) >= AUTOFS_IOC_COUNT)
 		return -ENOTTY;
 
-	if (!autofs_oz_mode(sbi) && !capable(CAP_SYS_ADMIN))
+	if (!autofs_oz_mode(sbi) && !ve_capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
 	switch (cmd) {
diff --git a/fs/ext4/xattr_trusted.c b/fs/ext4/xattr_trusted.c
index 7c21ffb26d25..7481ea17a61b 100644
--- a/fs/ext4/xattr_trusted.c
+++ b/fs/ext4/xattr_trusted.c
@@ -16,7 +16,7 @@
 static bool
 ext4_xattr_trusted_list(struct dentry *dentry)
 {
-	return capable(CAP_SYS_ADMIN);
+	return ve_capable(CAP_SYS_ADMIN);
 }
 
 static int
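Review bot: Only ext4's trusted-namespace list hook is converted here, while the generic get/set gate in fs/xattr.c (xattr_permission) is converted in the same patch; any other filesystem whose trusted-xattr list handler still calls capable(CAP_SYS_ADMIN) would hide trusted.* from listxattr inside a VE even though getxattr/setxattr on the same names now succeed. If that asymmetry is intended, a comment here such as `/* VE-relative: matches xattr_permission() in fs/xattr.c */` would keep the two in step; otherwise the remaining list hooks need the same change. The same point applies to the fs/xattr.c hunk.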
diff --git a/fs/ioctl.c b/fs/ioctl.c
index 1e2204fa9963..219b552b3c8c 100644
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -799,7 +799,7 @@ static int fileattr_set_prepare(struct inode *inode,
 	 * the relevant capability.
 	 */
 	if ((fa->flags ^ old_ma->flags) & (FS_APPEND_FL | FS_IMMUTABLE_FL) &&
-	    !capable(CAP_LINUX_IMMUTABLE))
+	    !ve_capable(CAP_LINUX_IMMUTABLE))
 		return -EPERM;
 
 	err = fscrypt_prepare_setflags(inode, old_ma->flags, fa->flags);
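Review bot: The comment that ends at the top of this hunk still speaks of "the relevant capability" without saying that it is now checked relative to the VE, which is the security-relevant part of the change: a container root can toggle FS_APPEND_FL/FS_IMMUTABLE_FL on every filesystem reachable from the container, as the commit message accepts. A comment at the check, `/* Checked relative to the current VE on purpose (PSBM-39077): container root may toggle append/immutable on any fs visible to it. */`, would record that decision where the next reader looks. The fs/ocfs2/ioctl.c hunk repeats this check under the ocfs2 lock and is converted consistently with it. fileattr_set_prepare() starts and ends outside the hunk.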
diff --git a/fs/namei.c b/fs/namei.c
index 8eee5ad4ade5..47c0fe382a51 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -4349,7 +4349,7 @@ static int do_linkat(int olddfd, const char __user *oldname, int newdfd,
 	 * handlink using the passed filedescriptor.
 	 */
 	if (flags & AT_EMPTY_PATH) {
-		if (!capable(CAP_DAC_READ_SEARCH))
+		if (!ve_capable(CAP_DAC_READ_SEARCH))
 			return -ENOENT;
 		how = LOOKUP_EMPTY;
 	}
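Review bot: The comment that ends at the top of this hunk explains why AT_EMPTY_PATH requires CAP_DAC_READ_SEARCH, and it should now state that the capability is checked relative to the current VE, since container root may link by file descriptor after this change. Keeping -ENOENT rather than -EPERM on the new line matches the original behaviour, so the check remains hidden from unprivileged callers. do_linkat() starts and ends outside the hunk.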
diff --git a/fs/ocfs2/ioctl.c b/fs/ocfs2/ioctl.c
index f59461d85da4..f866f11fc205 100644
--- a/fs/ocfs2/ioctl.c
+++ b/fs/ocfs2/ioctl.c
@@ -113,7 +113,7 @@ int ocfs2_fileattr_set(struct user_namespace *mnt_userns,
 	/* Check already done by VFS, but repeat with ocfs lock */
 	status = -EPERM;
 	if ((flags ^ oldflags) & (FS_APPEND_FL | FS_IMMUTABLE_FL) &&
-	    !capable(CAP_LINUX_IMMUTABLE))
+	    !ve_capable(CAP_LINUX_IMMUTABLE))
 		goto bail_unlock;
 
 	handle = ocfs2_start_trans(osb, OCFS2_INODE_UPDATE_CREDITS);
diff --git a/fs/open.c b/fs/open.c
index 8e8c676005cb..21c941193783 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -1363,7 +1363,7 @@ SYSCALL_DEFINE3(close_range, unsigned int, fd, unsigned int, max_fd,
  */
 SYSCALL_DEFINE0(vhangup)
 {
-	if (capable(CAP_SYS_TTY_CONFIG)) {
+	if (ve_capable(CAP_SYS_TTY_CONFIG)) {
 		tty_vhangup_self();
 		return 0;
 	}
diff --git a/fs/proc/base.c b/fs/proc/base.c
index e91b5145d92f..b0afbb1ab317 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1073,7 +1073,7 @@ static int __set_oom_adj(struct file *file, int oom_adj, bool legacy)
 	mutex_lock(&oom_adj_mutex);
 	if (legacy) {
 		if (oom_adj < task->signal->oom_score_adj &&
-				!capable(CAP_SYS_RESOURCE)) {
+				!ve_capable(CAP_SYS_RESOURCE)) {
 			err = -EACCES;
 			goto err_unlock;
 		}
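Review bot: Only the legacy (/proc/pid/oom_adj) branch of __set_oom_adj is converted; the else branch for oom_score_adj lies outside the hunk, and if it still guards oom_score_adj_min with capable(CAP_SYS_RESOURCE) as mainline does, the two interfaces will disagree inside a VE, with container root able to lower oom_adj but not oom_score_adj below the minimum. Either convert that check as well or note the asymmetry at the converted line, e.g. `/* VE-relative; the oom_score_adj path below is intentionally stricter */`. __set_oom_adj() starts and ends outside the hunk.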
diff --git a/fs/xattr.c b/fs/xattr.c
index 5c8c5175b385..be887a6543fa 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -114,7 +114,7 @@ xattr_permission(struct user_namespace *mnt_userns, struct inode *inode,
 	 * The trusted.* namespace can only be accessed by privileged users.
 	 */
 	if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) {
-		if (!capable(CAP_SYS_ADMIN))
+		if (!ve_capable(CAP_SYS_ADMIN))
 			return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
 		return 0;
 	}

