On 21.01.2016 15:16, Pavel Tikhomirov wrote:
> Need it, as in a CT the rpm install of some packages sets the security.capability
> xattr, e.g. file /usr/bin/ping, package iputils.
>
> That is a temporary decision, as it is not completely safe to do so:
>
> One without caps can create a new user namespace, enter it and have all
> caps in it, after that add security.capability to some binary file,
> log out of the userns and use this binary to get all caps in the root user
> namespace.
>
> When the patches below get into mainstream, porting them will fix it:
> [PATCH v4 0/7] Initial support for user namespace owned mounts
> [PATCH v2 03/18] fs: Treat foreign mounts as nosuid
> [PATCH v2 14/18] capabilities: Allow privileged user in s_user_ns to set
> security.* xattrs
> We will wait for them with this temporary solution.
>
> https://jira.sw.ru/browse/PSBM-43267
>
> Signed-off-by: Pavel Tikhomirov <[email protected]>

Reviewed-by: Kirill Tkhai <[email protected]>

> ---
> security/commoncap.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 3a7003d..af80f74 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -624,7 +624,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char
> *name,
> const void *value, size_t size, int flags)
> {
> if (!strcmp(name, XATTR_NAME_CAPS)) {
> - if (!capable(CAP_SETFCAP))
> + if (!ve_capable(CAP_SETFCAP))
> return -EPERM;
> return 0;
> }
> @@ -650,7 +650,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char
> *name,
> int cap_inode_removexattr(struct dentry *dentry, const char *name)
> {
> if (!strcmp(name, XATTR_NAME_CAPS)) {
> - if (!capable(CAP_SETFCAP))
> + if (!ve_capable(CAP_SETFCAP))
> return -EPERM;
> return 0;
> }
>
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel
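Review bot: in the cap_inode_setxattr hunk, the swap `- if (!capable(CAP_SETFCAP))` / `+ if (!ve_capable(CAP_SETFCAP))` loosens the gate on writing XATTR_NAME_CAPS from initial-namespace capability to container-scope capability, and the commit message itself says this is not safe until the three listed upstream patches (user namespace owned mounts, foreign mounts as nosuid, s_user_ns security.* xattrs) are ported, yet the hunk leaves no trace of that in the code. Put a comment on the ve_capable() line naming the pending upstream work and PSBM-43267 so the check is revisited when those patches land rather than surviving as a permanent relaxation, and spell out in the commit message why the userns path it describes (create a user namespace, gain caps in it, write security.capability, leave) still passes ve_capable(): a reader of this hunk alone cannot tell whether ve_capable() evaluates the caller in the VE's own user namespace or in a nested one.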
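Review bot: the cap_inode_removexattr hunk makes the same `capable()` to `ve_capable()` change; removing security.capability only strips privilege from a file, so this side is less dangerous than the setxattr relaxation, but it is the one a container will exercise when a package is upgraded or `setcap -r` is run on something like /usr/bin/ping, so the message should say that path was tested. Keep the two call sites symmetric, as they are here, and give this one the same temporary-relaxation comment so both are reverted together when the upstream series is ported instead of one site being forgotten.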
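The exchange above turns on who may write security.capability and on the fact that, in this kernel, a blob written from inside a user namespace is honored in the root namespace. As an added example (not code from the OpenVZ patch or from the kernel), the C program below decodes that xattr's on-disk format (struct vfs_cap_data revisions 1 and 2, and the v3 layout with a rootid field that mainline later added for namespaced file caps) and then applies a simplified, assumed model of the v3 rule that such a blob is only honored in the user namespace whose root wrote it. The two sample blobs (a cap_net_raw+ep blob like the one the iputils package puts on /usr/bin/ping, and the same caps tagged with a user-ns root of kuid 100000) are constructed here, and the blob_* query helpers exist only for this example.

```c
/* Added example, not part of the OpenVZ patch: decode the security.capability
 * xattr that the hunks above gate with ve_capable(CAP_SETFCAP). Layout follows
 * struct vfs_cap_data / vfs_ns_cap_data in include/uapi/linux/capability.h;
 * all fields are little-endian. The sample blobs below are constructed by hand. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define VFS_CAP_REVISION_1      0x01000000u  /* 12 bytes: caps 0..31 */
#define VFS_CAP_REVISION_2      0x02000000u  /* 20 bytes: caps 0..63 */
#define VFS_CAP_REVISION_3      0x03000000u  /* 24 bytes: v2 plus rootid */
#define CAP_NET_RAW 13
#define CAP_SETFCAP 31

struct filecaps {
    unsigned rev;         /* 1, 2 or 3 */
    int effective;        /* VFS_CAP_FLAGS_EFFECTIVE bit of magic_etc */
    uint64_t permitted;
    uint64_t inheritable;
    uint32_t rootid;      /* v3 only: root kuid of the user ns that wrote the caps */
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 and fills *out, or -1 for a malformed blob (unknown revision or a
 * length that does not match it); the kernel likewise grants nothing for those. */
int parse_vfs_caps(const unsigned char *buf, size_t len, struct filecaps *out)
{
    uint32_t magic, rev;
    if (len < 4) return -1;
    magic = le32(buf);
    rev = magic & VFS_CAP_REVISION_MASK;
    memset(out, 0, sizeof *out);
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    if (rev == VFS_CAP_REVISION_1 && len == 12) {
        out->rev = 1;
        out->permitted = le32(buf + 4);
        out->inheritable = le32(buf + 8);
        return 0;
    }
    if ((rev == VFS_CAP_REVISION_2 && len == 20) || (rev == VFS_CAP_REVISION_3 && len == 24)) {
        out->rev = rev == VFS_CAP_REVISION_3 ? 3 : 2;
        out->permitted = le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
        out->inheritable = le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
        if (out->rev == 3)
            out->rootid = le32(buf + 20);
        return 0;
    }
    return -1;
}

int filecaps_has(uint64_t set, int cap) { return (int)((set >> cap) & 1); }

/* Simplified model (an assumption, not kernel code) of the rule later mainline
 * kernels apply to namespaced file caps: a v1/v2 blob counts as written by the
 * initial user ns root (rootid 0) and is honored everywhere; a v3 blob is honored
 * only where its rootid is the root of the executing user ns (the real kernel
 * also accepts ancestor namespaces). Under this rule the escalation described in
 * the commit message fails: caps written inside a user ns carry that ns's root
 * kuid and are ignored once the binary runs in the root namespace. */
int filecaps_honored_in_ns(const struct filecaps *c, uint32_t ns_root_kuid)
{
    uint32_t owner = c->rev == 3 ? c->rootid : 0;
    return owner == 0 || owner == ns_root_kuid;
}

/* Query helpers for this example; each returns -1 on a malformed blob. */
int blob_revision(const unsigned char *b, size_t n) { struct filecaps c; return parse_vfs_caps(b, n, &c) ? -1 : (int)c.rev; }
int blob_effective(const unsigned char *b, size_t n) { struct filecaps c; return parse_vfs_caps(b, n, &c) ? -1 : c.effective; }
int blob_permits(const unsigned char *b, size_t n, int cap) { struct filecaps c; return parse_vfs_caps(b, n, &c) ? -1 : filecaps_has(c.permitted, cap); }
int blob_honored(const unsigned char *b, size_t n, uint32_t k) { struct filecaps c; return parse_vfs_caps(b, n, &c) ? -1 : filecaps_honored_in_ns(&c, k); }

/* Constructed v2 blob: cap_net_raw+ep as stored on /usr/bin/ping. */
static const unsigned char ping_v2[20] = {
    0x01, 0x00, 0x00, 0x02,  /* magic_etc: revision 2, effective flag set */
    0x00, 0x20, 0x00, 0x00,  /* permitted[0]: bit 13 = CAP_NET_RAW */
    0x00, 0x00, 0x00, 0x00,  /* inheritable[0] */
    0x00, 0x00, 0x00, 0x00,  /* permitted[1] */
    0x00, 0x00, 0x00, 0x00,  /* inheritable[1] */
};
/* Constructed v3 blob: same caps, written from a user ns whose root is kuid 100000. */
static const unsigned char ping_v3_userns[24] = {
    0x01, 0x00, 0x00, 0x03,  /* magic_etc: revision 3, effective flag set */
    0x00, 0x20, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0xa0, 0x86, 0x01, 0x00,  /* rootid = 100000 (0x000186a0) */
};

int main(void)
{
    struct filecaps c;
    if (parse_vfs_caps(ping_v2, sizeof ping_v2, &c) == 0)
        printf("v%u permitted=%#llx effective=%d net_raw=%d\n", c.rev,
               (unsigned long long)c.permitted, c.effective, filecaps_has(c.permitted, CAP_NET_RAW));
    if (parse_vfs_caps(ping_v3_userns, sizeof ping_v3_userns, &c) == 0)
        printf("v%u rootid=%u honored in init ns=%d, in ns with root 100000=%d\n", c.rev,
               c.rootid, filecaps_honored_in_ns(&c, 0), filecaps_honored_in_ns(&c, 100000));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; to feed the decoder a real file instead of the constructed blobs, `getfattr -n security.capability -e hex /usr/bin/ping` dumps the same bytes the kernel reads through the checks patched above.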
