[RHEL7,COMMIT] commoncap: relax setxattr and removexattr checks

Submitted by Vasily Averin on Nov. 18, 2020, 8:48 a.m.

Details

Message ID 202011180848.0AI8mmBg031753@vz7build.vvs.sw.ru
State New
Series "commoncap: relax setxattr and removexattr checks"

Commit Message

Vasily Averin Nov. 18, 2020, 8:48 a.m.
The commit is pushed to "branch-rh7-3.10.0-1127.18.2.vz7.163.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1127.18.2.vz7.163.44
------>
commit 8aa6d07d2dc4d0388f145b497514587ffd905e65
Author: Andrey Zhadchenko <andrey.zhadchenko@virtuozzo.com>
Date:   Wed Nov 18 11:48:48 2020 +0300

    commoncap: relax setxattr and removexattr checks
    
    Allow user to set security xattr (XATTR_SECURITY_PREFIX) from the inside
    of ve on external mounts (for example, root).
    
    https://jira.sw.ru/browse/PSBM-122071
    Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko@virtuozzo.com>
---
 security/commoncap.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)


diff --git a/security/commoncap.c b/security/commoncap.c
index 6ce7b51..98d6a10 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -912,7 +912,8 @@  int cap_inode_setxattr(struct dentry *dentry, const char *name,
 		return 0;
 
 	if (!ns_capable(user_ns, CAP_SYS_ADMIN))
-		return -EPERM;
+		if (!ve_capable(CAP_SYS_ADMIN))
+			return -EPERM;
 	return 0;
 }
 
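Review bot: the fallback added in cap_inode_setxattr is a nested, unbraced `if` under `if (!ns_capable(user_ns, CAP_SYS_ADMIN))`, which is easy to misread and becomes a dangling-else hazard if a branch is added later. A single condition, `if (!ns_capable(user_ns, CAP_SYS_ADMIN) && !ve_capable(CAP_SYS_ADMIN)) return -EPERM;`, states the permission check in one place. Note also that ve_capable(CAP_SYS_ADMIN) takes neither `user_ns` nor the dentry, so the relaxation is not tied to the namespace the first check is made against. A comment above the check saying why container-level CAP_SYS_ADMIN is sufficient for XATTR_SECURITY_PREFIX attributes on mounts the container does not own would record the intended scope in the code rather than only in the commit message.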
@@ -947,7 +948,8 @@  int cap_inode_removexattr(struct dentry *dentry, const char *name)
 	}
 
 	if (!ns_capable(user_ns, CAP_SYS_ADMIN))
-		return -EPERM;
+		if (!ve_capable(CAP_SYS_ADMIN))
+			return -EPERM;
 	return 0;
 }
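Review bot: the commit message describes only allowing a user to "set security xattr", but this hunk applies the same `ve_capable(CAP_SYS_ADMIN)` fallback in cap_inode_removexattr, so removal is relaxed as well and that should be stated and justified in the message. The two-line fallback is now duplicated verbatim in both functions; a small static helper in commoncap.c that wraps the `ns_capable(user_ns, CAP_SYS_ADMIN)` and `ve_capable(CAP_SYS_ADMIN)` pair would keep the set and remove paths from drifting apart if the policy changes again.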