We have same check in ext2_xattr_trusted_list, ext3_xattr_trusted_list, hfsplus_listxattr and more, all together ~15 places. Do we need list only on ext4? Maybe we can be good with only getxattr allowed without list?

On 09/21/2016 01:56 AM, Maxim Patlasov wrote:
Commit 4f7ce4dd4741cb65df018028aaefedb298915aa6:

Author: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
ve/xattr: allow to set trusted.xxx for container admin

relaxed capability check on setxattr path, but overlooked
to do the same on getxattr path. Hence, container admin
became able to set trusted xattrs, but not seeing them:

# setfattr -h -n trusted.name file
# echo $?
# getfattr -dm- file

This broke generic/062 from xfstests.


Signed-off-by: Maxim Patlasov <mpatla...@virtuozzo.com>
 fs/ext4/xattr_trusted.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ext4/xattr_trusted.c b/fs/ext4/xattr_trusted.c
index 95f1f4a..49dd83f 100644
--- a/fs/ext4/xattr_trusted.c
+++ b/fs/ext4/xattr_trusted.c
@@ -19,7 +19,7 @@ ext4_xattr_trusted_list(struct dentry *dentry, char *list, 
size_t list_size,
        const size_t prefix_len = XATTR_TRUSTED_PREFIX_LEN;
        const size_t total_len = prefix_len + name_len + 1;

-       if (!capable(CAP_SYS_ADMIN))
+       if (!ve_capable(CAP_SYS_ADMIN))
                return 0;

        if (list && total_len <= list_size) {

Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.
Devel mailing list

Reply via email to