
Re: [libvirt] LXC: capset fails with userns



for me there is no valid reason why a container is not allowed to set
file capabilities.

and here is the patch (sent to Eric W. Biederman <ebiederm xmission com>)

works for me

-- 
Software is like sex, it's better when it's free!
Subject: [PATCH] capability: allow setxattr within userns

an LXC container with user namespace enabled can not set file capabilities.

every yum install <pkg> where the pkg has file capabilities fails with

  Error unpacking rpm package <PKG>
  error: unpacking of archive failed on file <FILE>: cpio: cap_set_file

for me there is no valid reason why a container is not allowed to set
file capabilities

Signed-off-by: Stephan Sachse <sachse nugmbh de>
---
 security/commoncap.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index b9d613e..9efdbef 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -621,14 +621,14 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
 		       const void *value, size_t size, int flags)
 {
 	if (!strcmp(name, XATTR_NAME_CAPS)) {
-		if (!capable(CAP_SETFCAP))
+		if (!ns_capable(current_user_ns(), CAP_SETFCAP))
 			return -EPERM;
 		return 0;
 	}
 
 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
 		     sizeof(XATTR_SECURITY_PREFIX) - 1) &&
-	    !capable(CAP_SYS_ADMIN))
+	    !ns_capable(current_user_ns(), CAP_SYS_ADMIN))
 		return -EPERM;
 	return 0;
 }
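Review bot: the relaxed check on the XATTR_NAME_CAPS branch (`if (!ns_capable(current_user_ns(), CAP_SETFCAP))`) authorises the write on the caller's namespace alone, but nothing in cap_inode_setxattr ties the stored security.capability value to that namespace; the attribute a user-namespace root writes is the same one the host kernel honours when the file is executed, so a container that can write an executable visible outside its namespace (a shared or bind-mounted path) could give it capabilities that are effective in the initial user namespace. The XATTR_SECURITY_PREFIX branch has the same problem in a broader form: a namespaced CAP_SYS_ADMIN holder may now set any security.* attribute, including LSM labels, not only capabilities. Suggest keeping capable() for the prefix branch and relaxing only XATTR_NAME_CAPS, and for that case additionally requiring that the target inode's filesystem is owned by the caller's user namespace, or recording the namespace in the stored capability so it is honoured only inside it.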
@@ -647,14 +647,14 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
 int cap_inode_removexattr(struct dentry *dentry, const char *name)
 {
 	if (!strcmp(name, XATTR_NAME_CAPS)) {
-		if (!capable(CAP_SETFCAP))
+		if (!ns_capable(current_user_ns(), CAP_SETFCAP))
 			return -EPERM;
 		return 0;
 	}
 
 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
 		     sizeof(XATTR_SECURITY_PREFIX) - 1) &&
-	    !capable(CAP_SYS_ADMIN))
+	    !ns_capable(current_user_ns(), CAP_SYS_ADMIN))
 		return -EPERM;
 	return 0;
 }
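Review bot: cap_inode_removexattr receives the same relaxation, but the commit message only motivates setting file capabilities (the cap_set_file failure while unpacking rpm packages), so the change to the XATTR_SECURITY_PREFIX branch here, which lets a user-namespace CAP_SYS_ADMIN holder remove any security.* attribute such as an LSM label from a file it can write, is undocumented; either justify it in the commit message or limit the removexattr change to the XATTR_NAME_CAPS branch. The namespace-ownership concern from the setxattr hunk applies here as well, since the check does not verify that the file belongs to the caller's namespace before allowing the attribute to be stripped.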
-- 
1.8.5.3

