• Eric W. Biederman's avatar
    capabilities: Allow privileged user in s_user_ns to set security.* xattrs · b1d749c5
    Eric W. Biederman authored
    A privileged user in s_user_ns will generally have the ability to
    manipulate the backing store and insert security.* xattrs into
    the filesystem directly. Therefore the kernel must be prepared to
    handle these xattrs from unprivileged mounts, and it makes little
    sense for commoncap to prevent writing these xattrs to the
    filesystem. The capability and LSM code have already been updated
    to appropriately handle xattrs from unprivileged mounts, so it
    is safe to loosen this restriction on setting xattrs.
    The exception to this logic is that writing xattrs to a mounted
    filesystem may also cause the LSM inode_post_setxattr or
    inode_setsecurity callbacks to be invoked. SELinux will deny the
    xattr update by virtue of applying mountpoint labeling to
    unprivileged userns mounts, and Smack will deny the writes for
    any user without global CAP_MAC_ADMIN, so loosening the
    capability check in commoncap is safe in this respect as well.
    Signed-off-by: default avatarSeth Forshee <seth.forshee@canonical.com>
    Acked-by: default avatarSerge Hallyn <serge@hallyn.com>
    Acked-by: default avatarChristian Brauner <christian@brauner.io>
    Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
commoncap.c 39.1 KB