[RH7] commoncap: relax setxattr and removexattr checks

Submitted by Andrey Zhadchenko on Nov. 16, 2020, 10:09 a.m.

Details

Message ID 1605521356-763826-1-git-send-email-andrey.zhadchenko@virtuozzo.com
State New
Series "commoncap: relax setxattr and removexattr checks"

Commit Message

Andrey Zhadchenko Nov. 16, 2020, 10:09 a.m.
Allow user to set security xattr (XATTR_SECURITY_PREFIX) from the inside
of ve on external mounts (for example, root).

https://jira.sw.ru/browse/PSBM-122071
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko@virtuozzo.com>
---
 security/commoncap.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)


diff --git a/security/commoncap.c b/security/commoncap.c
index 6ce7b51..30795d8 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -912,7 +912,10 @@  int cap_inode_setxattr(struct dentry *dentry, const char *name,
 		return 0;
 
 	if (!ns_capable(user_ns, CAP_SYS_ADMIN))
-		return -EPERM;
+#ifdef CONFIG_VE
+		if (!ve_capable(CAP_SYS_ADMIN))
+#endif
+			return -EPERM;
 	return 0;
 }
 
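Review bot: The `ve_capable(CAP_SYS_ADMIN)` fallback in cap_inode_setxattr() is taken whenever `ns_capable(user_ns, CAP_SYS_ADMIN)` fails, and nothing in the added lines looks at `dentry` or `name`, so the relaxation is not limited to the "external mounts" case the commit message describes. Either narrow the condition to that case or add a comment above the check explaining why CAP_SYS_ADMIN in the ve is sufficient for every attribute that reaches this point.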
@@ -947,7 +950,10 @@  int cap_inode_removexattr(struct dentry *dentry, const char *name)
 	}
 
 	if (!ns_capable(user_ns, CAP_SYS_ADMIN))
-		return -EPERM;
+#ifdef CONFIG_VE
+		if (!ve_capable(CAP_SYS_ADMIN))
+#endif
+			return -EPERM;
 	return 0;
 }
 
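Review bot: The fallback in cap_inode_removexattr() is a verbatim copy of the one in cap_inode_setxattr(), and the commit message body only talks about setting security xattrs, not removing them. Move the combined check into one small helper used by both functions so the two paths cannot drift apart, and say in the commit message that removal is relaxed as well and why that is wanted.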

Comments

Vasily Averin Nov. 16, 2020, 10:59 a.m.
On 11/16/20 1:09 PM, Andrey Zhadchenko wrote:
> Allow user to set security xattr (XATTR_SECURITY_PREFIX) from the inside
> of ve on external mounts (for example, root).
> 
> https://jira.sw.ru/browse/PSBM-122071
> Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko@virtuozzo.com>
> ---
>  security/commoncap.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 6ce7b51..30795d8 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -912,7 +912,10 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
>  		return 0;
>  
>  	if (!ns_capable(user_ns, CAP_SYS_ADMIN))
> -		return -EPERM;
> +#ifdef CONFIG_VE
> +		if (!ve_capable(CAP_SYS_ADMIN))
> +#endif

Is CONFIG_VE really required here?
ve_capable is defined for the !CONFIG_VE case too, as plain capable().

> +			return -EPERM;
>  	return 0;
>  }
>  
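Review bot: The `#ifdef CONFIG_VE` sits between an `if` and its `return -EPERM;`, so which condition owns the return depends on the config, and the indentation is correct for only one of the two builds. A single condition such as `if (!ns_capable(user_ns, CAP_SYS_ADMIN) && !ve_capable(CAP_SYS_ADMIN))` followed by `return -EPERM;` reads the same in both builds, provided ve_capable() is usable without CONFIG_VE as the comment above says.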
> @@ -947,7 +950,10 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name)
>  	}
>  
>  	if (!ns_capable(user_ns, CAP_SYS_ADMIN))
> -		return -EPERM;
> +#ifdef CONFIG_VE
> +		if (!ve_capable(CAP_SYS_ADMIN))
> +#endif
> +			return -EPERM;
>  	return 0;
>  }
>  
>