Allow user to set security xattr (XATTR_SECURITY_PREFIX) from the inside of ve on external mounts (for example, root).
https://jira.sw.ru/browse/PSBM-122071 Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com> Cherry-picked from vz7 commit d92402f6a7c9 ("commoncap: relax setxattr and removxattr checks") Signed-off-by: Valeriy Vdovin <valeriy.vdo...@virtuozzo.com> (cherry picked from vz8 commit 22dfe21e51e1bca0d420df7abc8e1a1eb0491a0d) Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com> --- security/commoncap.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index 3f810d3..ae3799a 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -1007,7 +1007,8 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, return 0; if (!ns_capable(user_ns, CAP_SYS_ADMIN)) - return -EPERM; + if (!ve_capable(CAP_SYS_ADMIN)) + return -EPERM; return 0; } @@ -1051,7 +1052,8 @@ int cap_inode_removexattr(struct user_namespace *mnt_userns, } if (!ns_capable(user_ns, CAP_SYS_ADMIN)) - return -EPERM; + if (!ve_capable(CAP_SYS_ADMIN)) + return -EPERM; return 0; } -- 1.8.3.1 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
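Review bot: In the first hunk (cap_inode_setxattr), the added `if (!ve_capable(CAP_SYS_ADMIN))` sits unbraced inside `if (!ns_capable(user_ns, CAP_SYS_ADMIN))`, so the `-EPERM` return depends on two stacked guards that are easy to break in a later edit. Fold them into one condition, `if (!ns_capable(user_ns, CAP_SYS_ADMIN) && !ve_capable(CAP_SYS_ADMIN))`, so it reads as the fallback it is. Add a short comment saying why CAP_SYS_ADMIN at the ve level is accepted when the user-namespace check fails, because this is the line that widens who may write XATTR_SECURITY_PREFIX attributes.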
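Review bot: In the second hunk (cap_inode_removexattr), the same `ve_capable(CAP_SYS_ADMIN)` fallback also permits removing security xattrs, but the description only says "set"; only the cherry-picked subject mentions removexattr. Please state the removal case in the description so the relaxed permission is documented. Also, the check is the last gate before `return 0;` and nothing in the visible lines limits the fallback to the external mounts the description names, so if that restriction is enforced elsewhere it is worth a comment here pointing to it.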