Kirill, please review. I don't see any danger in allowing this. Do you?
-- 
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 01/21/2016 03:16 PM, Pavel Tikhomirov wrote:
Need it as in CT for some packages rpm install sets security.capability xattr e.g.: file /usr/bin/ping, package iputils. That is temporary decision as it is not completely safe to do so as: One without caps can create new user namespace enter it and have all caps in it, after that add security.capability to some binary file, logout userns and use these binary to get all caps in root user namespace. When patches below will get into mainstream porting them will fix it: [PATCH v4 0/7] Initial support for user namespace owned mounts [PATCH v2 03/18] fs: Treat foreign mounts as nosuid [PATCH v2 14/18] capabilities: Allow privileged user in s_user_ns to set security.* xattrs https://jira.sw.ru/browse/PSBM-43267 Signed-off-by: Pavel Tikhomirov <[email protected]> --- security/commoncap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index 3a7003d..af80f74 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -624,7 +624,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ve_capable(CAP_SETFCAP)) return -EPERM; return 0; } @@ -650,7 +650,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, int cap_inode_removexattr(struct dentry *dentry, const char *name) { if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ve_capable(CAP_SETFCAP)) return -EPERM; return 0; }
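Review bot: the first hunk (cap_inode_setxattr) relaxes the check from capable(CAP_SETFCAP) to ve_capable(CAP_SETFCAP) while the commit message itself states the resulting escalation path is open until the upstream "foreign mounts as nosuid" and s_user_ns xattr series are ported. A temporary relaxation of a privilege check should be visible in the code, not only in the log: put a comment next to the new condition that names the known gap, the upstream series it waits on and PSBM-43267, so the check is not mistaken for a final one, and have the commit message state explicitly which user namespaces ve_capable() accepts here, since the described attack hinges on a nested namespace created by an unprivileged container user.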
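Review bot: the second hunk (cap_inode_removexattr) mirrors the first; removing security.capability only strips privilege from a file, so it is the lower-risk half, but the two checks should stay in lockstep and the log should say why removal is needed alongside setting (package removal or upgrade of the same files, e.g. /usr/bin/ping from iputils), otherwise a later tightening of the setxattr path may leave this one relaxed by accident.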
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel
