On Wed, Oct 07, 2015 at 11:51:07AM +0300, Pavel Tikhomirov wrote:
> This reverts commit 750558eb81ef22527ee1d5fc5b5081410cffda29.
Pls, write commit message with explanation why do we need this changes.
In this case we need to find out who drop this capabilities. I think
vzctl does this. You can look at CAPDEFAULTMASK in libvzctl. Now we use
userns and a container can have all capabilites by default.
Thanks.
>
> Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
> ---
> security/commoncap.c | 37 ++++++++++++++++++++++++++++++-------
> 1 file changed, 30 insertions(+), 7 deletions(-)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 3a7003d..9d0a2b6 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -248,30 +248,53 @@ int cap_capset(struct cred *new,
> const kernel_cap_t *inheritable,
> const kernel_cap_t *permitted)
> {
> + kernel_cap_t ve_effective = *effective;
> + kernel_cap_t ve_inheritable = *inheritable;
> + kernel_cap_t ve_permitted = *permitted;
> +
> + if (!ve_is_super(get_exec_env())) {
> + if (cap_raised(old->cap_effective, CAP_SETPCAP)) {
> + /*
> + * Ignore all not allowed caps in CT
> + */
> + printk_once("Drop not allowed caps in CT. Docker? - "
> + "Will fix when switch to user
> namespaces.\n");
> + if (cap_inh_is_capped())
> + ve_inheritable = cap_intersect(ve_inheritable,
> +
> cap_combine(old->cap_inheritable,
> +
> old->cap_permitted));
> + ve_inheritable = cap_intersect(ve_inheritable,
> +
> cap_combine(old->cap_inheritable,
> +
> old->cap_bset));
> + ve_permitted = cap_intersect(ve_permitted,
> old->cap_permitted);
> + ve_effective = cap_intersect(ve_effective,
> ve_permitted);
> + }
> + }
> +
> if (cap_inh_is_capped() &&
> - !cap_issubset(*inheritable,
> + !cap_issubset(ve_inheritable,
> cap_combine(old->cap_inheritable,
> old->cap_permitted)))
> /* incapable of using this inheritable set */
> return -EPERM;
>
> - if (!cap_issubset(*inheritable,
> + if (!cap_issubset(ve_inheritable,
> cap_combine(old->cap_inheritable,
> old->cap_bset)))
> /* no new pI capabilities outside bounding set */
> return -EPERM;
>
> /* verify restrictions on target's new Permitted set */
> - if (!cap_issubset(*permitted, old->cap_permitted))
> + if (!cap_issubset(ve_permitted, old->cap_permitted))
> return -EPERM;
>
> /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
> - if (!cap_issubset(*effective, *permitted))
> + if (!cap_issubset(ve_effective, ve_permitted))
> return -EPERM;
>
> - new->cap_effective = *effective;
> - new->cap_inheritable = *inheritable;
> - new->cap_permitted = *permitted;
> + new->cap_effective = ve_effective;
> + new->cap_inheritable = ve_inheritable;
> + new->cap_permitted = ve_permitted;
> return 0;
> }
>
> --
> 1.9.3
>
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
