[Devel,RHEL7,COMMIT] ve/xattr: allow to set trusted.xxx for container admin

Submitted by Konstantin Khorenko on Sept. 8, 2016, 9 a.m.

Details

Message ID 201609080900.u8890rVj002835@finist_cl7.x64_64.work.ct
State New
Series "Series without cover letter"

Commit Message

Konstantin Khorenko Sept. 8, 2016, 9 a.m.
The commit is pushed to "branch-rh7-3.10.0-327.28.2.vz7.17.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.28.2.vz7.17.4
------>
commit 4f7ce4dd4741cb65df018028aaefedb298915aa6
Author: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Date:   Thu Sep 8 13:00:53 2016 +0400

    ve/xattr: allow to set trusted.xxx for container admin
    
    Attributes trusted.xxx are used in userspace mechanisms
    which want to keep information in extended attributes to
    which an ordinary process has no access.
    
    We can't check them all, but here is hope that such
    mechanisms on host and in CT won't intersect, because
    most likely we won't find a process from the host which
    sets xattrs on container files through /vz/root/<ctid>,
    except the case with trusted.pfcache, which is covered in
    the previous patch.
    
    https://jira.sw.ru/browse/PSBM-51102
    https://bugs.openvz.org/browse/OVZ-6791
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
    Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
---
 fs/xattr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/fs/xattr.c b/fs/xattr.c
index 3377dff..d49ea1b 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -52,7 +52,7 @@  xattr_permission(struct inode *inode, const char *name, int mask)
 	 * The trusted.* namespace can only be accessed by privileged users.
 	 */
 	if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) {
-		if (!capable(CAP_SYS_ADMIN))
+		if (!ve_capable(CAP_SYS_ADMIN))
 			return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
 		return 0;
 	}
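Review bot: swapping capable(CAP_SYS_ADMIN) for ve_capable(CAP_SYS_ADMIN) in the trusted.* branch of xattr_permission() widens both directions of access at once: a container admin can now write any trusted.* attribute on files reachable from inside the CT, and the read path no longer returns -ENODATA to it, so trusted.* values set by the host on container files become visible in the container. The commit message concedes that host-side users of this namespace "can't" all be checked, so the safety argument rests on two assumptions that should be stated explicitly in the message: that no host mechanism other than trusted.pfcache stores trusted.* attributes on container files, and that the previous patch fully handles trusted.pfcache (cite its commit id). The comment just above the check, "The trusted.* namespace can only be accessed by privileged users.", is now inaccurate and should say that VE-level CAP_SYS_ADMIN is sufficient.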