1 files changed, 55 insertions, 0 deletions
diff --git a/patches/boot_time_opt_guest/0109-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch b/patches/boot_time_opt_guest/0109-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch
new file mode 100644
index 0000000..75960ce
--- /dev/null
+++ b/patches/boot_time_opt_guest/0109-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch
@@ -0,0 +1,55 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Thu, 10 Mar 2016 15:11:28 +0000
+Subject: [PATCH] xattr: allow setting user.* attributes on symlinks by owner
+Kvmtool and clear containers supports using user attributes to label host
+files with the virtual uid/guid of the file in the container. This allows an
+end user to manage their files and a complete uid space without all the ugly
+namespace stuff.
+The one gap in the support is symlinks because an end user can change the
+ownership of a symbolic link. We support attributes on these files as you
+can already (as root) set security attributes on them.
+The current rules seem slightly over-paranoid and as we have a use case this
+patch enables updating the attributes on a symbolic link IFF you are the
+owner of the synlink (as permissions are not usually meaningful on the link
+itself).
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+---
+ fs/xattr.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+diff --git a/fs/xattr.c b/fs/xattr.c
+index 386b45676d7e..cabada890bae 100644
+--- a/fs/xattr.c
+++ b/fs/xattr.c
+@@ -119,15 +119,17 @@ xattr_permission(struct inode *inode, const char *name, int mask)
+        }
+ 
+        /*
+-        * In the user.* namespace, only regular files and directories can have
+-        * extended attributes. For sticky directories, only the owner and
+-        * privileged users can write attributes.
+        * In the user.* namespace, only regular files, symbolic links, and
+        * directories can have extended attributes. For symbolic links and
+        * sticky directories, only the owner and privileged users can write
+        * attributes.
+         */
+        if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
+-               if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode))
+               if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode) && !S_ISLNK(inode->i_mode))
+                        return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
+-               if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) &&
+-                   (mask & MAY_WRITE) && !inode_owner_or_capable(inode))
+               if (((S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX))
+                       || S_ISLNK(inode->i_mode)) && (mask & MAY_WRITE)
+                       && !inode_owner_or_capable(inode))
+                        return -EPERM;
+        }
+ 
+-- 
+https://clearlinux.org

diff --git a/patches/boot_time_opt_guest/0109-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch b/patches/boot_time_opt_guest/0109-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch new file mode 100644 index 0000000..75960ce --- /dev/null +++ b/patches/boot_time_opt_guest/0109-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch
@@ -0,0 +1,55 @@
	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: Alan Cox <alan@linux.intel.com>
	3	Date: Thu, 10 Mar 2016 15:11:28 +0000
	4	Subject: [PATCH] xattr: allow setting user.* attributes on symlinks by owner
	5
	6	Kvmtool and clear containers supports using user attributes to label host
	7	files with the virtual uid/guid of the file in the container. This allows an
	8	end user to manage their files and a complete uid space without all the ugly
	9	namespace stuff.
	10
	11	The one gap in the support is symlinks because an end user can change the
	12	ownership of a symbolic link. We support attributes on these files as you
	13	can already (as root) set security attributes on them.
	14
	15	The current rules seem slightly over-paranoid and as we have a use case this
	16	patch enables updating the attributes on a symbolic link IFF you are the
	17	owner of the synlink (as permissions are not usually meaningful on the link
	18	itself).
	19
	20	Signed-off-by: Alan Cox <alan@linux.intel.com>
	21	---
	22	fs/xattr.c \| 14 ++++++++------
	23	1 file changed, 8 insertions(+), 6 deletions(-)
	24
	25	diff --git a/fs/xattr.c b/fs/xattr.c
	26	index 386b45676d7e..cabada890bae 100644
	27	--- a/fs/xattr.c
	28	+++ b/fs/xattr.c
	29	@@ -119,15 +119,17 @@ xattr_permission(struct inode inode, const char name, int mask)
	30	}
	31
	32	/*
	33	- * In the user.* namespace, only regular files and directories can have
	34	- * extended attributes. For sticky directories, only the owner and
	35	- * privileged users can write attributes.
	36	+ * In the user.* namespace, only regular files, symbolic links, and
	37	+ * directories can have extended attributes. For symbolic links and
	38	+ * sticky directories, only the owner and privileged users can write
	39	+ * attributes.
	40	*/
	41	if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
	42	- if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode))
	43	+ if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode) && !S_ISLNK(inode->i_mode))
	44	return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
	45	- if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) &&
	46	- (mask & MAY_WRITE) && !inode_owner_or_capable(inode))
	47	+ if (((S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX))
	48	+ \|\| S_ISLNK(inode->i_mode)) && (mask & MAY_WRITE)
	49	+ && !inode_owner_or_capable(inode))
	50	return -EPERM;
	51	}
	52
	53	--
	54	https://clearlinux.org
	55