Message ID | 202011180848.0AI8mmBg031753@vz7build.vvs.sw.ru |
---|---|
State | New |
Series | "commoncap: relax setxattr and removexattr checks" |
From | Vasily Averin <vvs@virtuozzo.com> |
To | Andrey Zhadchenko <andrey.zhadchenko@virtuozzo.com> |
Cc | OpenVZ devel <devel@openvz.org> |
Date | Wed, 18 Nov 2020 11:48:48 +0300 |
Subject | [Devel] [PATCH RHEL7 COMMIT] commoncap: relax setxattr and removxattr checks |
diff --git a/security/commoncap.c b/security/commoncap.c index 6ce7b51..98d6a10 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -912,7 +912,8 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, return 0; if (!ns_capable(user_ns, CAP_SYS_ADMIN)) - return -EPERM; + if (!ve_capable(CAP_SYS_ADMIN)) + return -EPERM; return 0; } @@ -947,7 +948,8 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name) } if (!ns_capable(user_ns, CAP_SYS_ADMIN)) - return -EPERM; + if (!ve_capable(CAP_SYS_ADMIN)) + return -EPERM; return 0; }
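Review bot: In the cap_inode_setxattr hunk, the new fallback `ve_capable(CAP_SYS_ADMIN)` is passed only the capability, not the `user_ns` that the preceding `ns_capable(user_ns, CAP_SYS_ADMIN)` check was evaluated against, and nothing in the hunk ties the relaxation to the "external mounts" case named in the commit message. A comment above the check should state which callers this is meant to admit and why that is safe for every xattr name that reaches this point. The brace-less nested `if` would also read more clearly as one condition, `if (!ns_capable(user_ns, CAP_SYS_ADMIN) && !ve_capable(CAP_SYS_ADMIN))`, which keeps the `return -EPERM;` visibly attached to both tests.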
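Review bot: The cap_inode_removexattr hunk duplicates the two-level check from cap_inode_setxattr line for line, so the set and remove paths can drift apart on the next change; a small shared helper that both functions call would avoid that. The commit body only says "Allow user to set security xattr", while this hunk also relaxes removal, so the message or a comment at this site should say explicitly that removing security xattrs from inside a ve is intended as well.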
The commit is pushed to "branch-rh7-3.10.0-1127.18.2.vz7.163.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1127.18.2.vz7.163.44
------>
commit 8aa6d07d2dc4d0388f145b497514587ffd905e65
Author: Andrey Zhadchenko <andrey.zhadchenko@virtuozzo.com>
Date: Wed Nov 18 11:48:48 2020 +0300

commoncap: relax setxattr and removxattr checks

Allow user to set security xattr (XATTR_SECURITY_PREFIX) from the inside of ve on external mounts (for example, root).

https://jira.sw.ru/browse/PSBM-122071

Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko@virtuozzo.com>

---
security/commoncap.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)