[Devel,RHEL7,COMMIT] ve/xattr: prohibit getxattr/setxattr trusted.pfcache

Submitted by Konstantin Khorenko on Sept. 8, 2016, 9 a.m.


Message ID 201609080900.u8890qdO002741@finist_cl7.x64_64.work.ct
State New
Series "Series without cover letter"

Commit Message

Konstantin Khorenko Sept. 8, 2016, 9 a.m.
The commit is pushed to "branch-rh7-3.10.0-327.28.2.vz7.17.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.28.2.vz7.17.4
commit f7f54bba40e2d7cfa3098a2d2283180192a138b0
Author: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Date:   Thu Sep 8 13:00:46 2016 +0400

    ve/xattr: prohibit getxattr/setxattr trusted.pfcache

    We have the same behaviour for trusted.pfcache in VZ6
    (in CT set and get are prohibited) and want to preserve it
    after we allow all other trusted.xxx in the next patch.

    Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
    Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
 fs/ext4/pfcache.c | 6 ++++++
 1 file changed, 6 insertions(+)


diff --git a/fs/ext4/pfcache.c b/fs/ext4/pfcache.c
index 5f2a3bd..ff2300b 100644
--- a/fs/ext4/pfcache.c
+++ b/fs/ext4/pfcache.c
@@ -654,6 +654,9 @@  static int ext4_xattr_trusted_csum_get(struct dentry *dentry, const char *name,
 	if (!test_opt2(inode->i_sb, PFCACHE_CSUM))
 		return -EOPNOTSUPP;
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	if (S_ISDIR(inode->i_mode))
 		return ext4_xattr_get(inode, EXT4_XATTR_INDEX_TRUSTED,
 				      EXT4_DATA_CSUM_NAME, buffer, size);
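
Review bot: the `capable(CAP_SYS_ADMIN)` test added at the top of ext4_xattr_trusted_csum_get() carries no comment, and nothing in the code says that it exists to keep trusted.pfcache unreadable from inside a container. The commit message states that intent and says the next patch will open up the other trusted.* attributes, so this check is exactly the line a later cleanup might relax along with the rest. A one-line comment above it would help, noting that `capable()` is used deliberately here (in mainline it tests against the initial user namespace, so container root fails it) and that trusted.pfcache must stay host-only to match VZ6.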
@@ -702,6 +705,9 @@  static int ext4_xattr_trusted_csum_set(struct dentry *dentry, const char *name,
 	if (!test_opt2(inode->i_sb, PFCACHE_CSUM))
 		return -EOPNOTSUPP;
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	if (S_ISDIR(inode->i_mode)) {
 		if (!value)
 			ext4_clear_inode_state(inode, EXT4_STATE_PFCACHE_CSUM);
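
Review bot: in ext4_xattr_trusted_csum_set() the capability check sits after the `test_opt2(inode->i_sb, PFCACHE_CSUM)` test, so an unprivileged caller gets -EOPNOTSUPP or -EPERM depending on whether the mount option is set, which tells the caller the state of that option. If the goal is a flat prohibition inside the CT, consider moving `if (!capable(CAP_SYS_ADMIN)) return -EPERM;` ahead of the mount-option test, in both this handler and the get handler. The same two lines are now duplicated in get and set; a small shared helper would keep the two paths from drifting when the follow-up patch changes how trusted.* is gated.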