The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh9-5.14.0-4.vz9.10.12
------>
commit c998ef1c28dc8c090b27e1917537a2b5fc2de77e
Author: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com>
Date: Wed Oct 20 11:40:41 2021 +0300
commoncap: relax setxattr and removxattr checks Allow user to set security xattr (XATTR_SECURITY_PREFIX) from the inside of ve on external mounts (for example, root). https://jira.sw.ru/browse/PSBM-122071 Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com> Cherry-picked from vz7 commit d92402f6a7c9 ("commoncap: relax setxattr and removxattr checks") Signed-off-by: Valeriy Vdovin <valeriy.vdo...@virtuozzo.com> (cherry picked from vz8 commit 22dfe21e51e1bca0d420df7abc8e1a1eb0491a0d) Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com> --- security/commoncap.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index 3f810d37b71b..ae3799afd850 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -1007,7 +1007,8 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, return 0; if (!ns_capable(user_ns, CAP_SYS_ADMIN)) - return -EPERM; + if (!ve_capable(CAP_SYS_ADMIN)) + return -EPERM; return 0; } @@ -1051,7 +1052,8 @@ int cap_inode_removexattr(struct user_namespace *mnt_userns, } if (!ns_capable(user_ns, CAP_SYS_ADMIN)) - return -EPERM; + if (!ve_capable(CAP_SYS_ADMIN)) + return -EPERM; return 0; } _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
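Review bot: In the cap_inode_setxattr hunk (@@ -1007), the added fallback `if (!ve_capable(CAP_SYS_ADMIN))` takes only the capability, with no reference to user_ns, the dentry or the mount, so nothing in the visible lines limits the relaxation to the "external mounts" case the commit message describes. Please add a comment above the check explaining why container-level CAP_SYS_ADMIN is sufficient once ns_capable(user_ns, CAP_SYS_ADMIN) has failed, and, if the relaxation is meant only for external mounts, make that condition explicit in the check instead of leaving it to the commit message.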
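Review bot: In the cap_inode_removexattr hunk (@@ -1051), the nested braceless `if` pair is a second copy of the check added to cap_inode_setxattr, so the set and remove paths can drift apart in later cherry-picks. Consider writing it as one condition, `if (!ns_capable(user_ns, CAP_SYS_ADMIN) && !ve_capable(CAP_SYS_ADMIN)) return -EPERM;`, and factoring it into a small helper that both functions call. A single condition also avoids the dangling-else hazard that two stacked ifs without braces invite if an else branch is ever added.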