Diffstat (limited to 'patches/boot_time_opt_guest/0109-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch')
-rw-r--r-- | patches/boot_time_opt_guest/0109-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch | 55 |
1 files changed, 55 insertions, 0 deletions
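--- /dev/null
+++ b/patches/boot_time_opt_guest/0109-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch
@@ -0,0 +1,55 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Thu, 10 Mar 2016 15:11:28 +0000
+Subject: [PATCH] xattr: allow setting user.* attributes on symlinks by owner
+
+Kvmtool and clear containers supports using user attributes to label host
+files with the virtual uid/guid of the file in the container. This allows an
+end user to manage their files and a complete uid space without all the ugly
+namespace stuff.
+
+The one gap in the support is symlinks because an end user can change the
+ownership of a symbolic link. We support attributes on these files as you
+can already (as root) set security attributes on them.
+
+The current rules seem slightly over-paranoid and as we have a use case this
+patch enables updating the attributes on a symbolic link IFF you are the
+owner of the synlink (as permissions are not usually meaningful on the link
+itself).
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+---
+ fs/xattr.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/fs/xattr.c b/fs/xattr.c
+index 386b45676d7e..cabada890bae 100644
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -119,15 +119,17 @@ xattr_permission(struct inode *inode, const char *name, int mask)
+ }
+ 
+ /*
+- * In the user.* namespace, only regular files and directories can have
+- * extended attributes. For sticky directories, only the owner and
+- * privileged users can write attributes.
++ * In the user.* namespace, only regular files, symbolic links, and
++ * directories can have extended attributes. For symbolic links and
++ * sticky directories, only the owner and privileged users can write
++ * attributes.
+ */
+ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
+- if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode))
++ if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode) && !S_ISLNK(inode->i_mode))
+ return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
+- if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) &&
+- (mask & MAY_WRITE) && !inode_owner_or_capable(inode))
++ if (((S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX))
++ || S_ISLNK(inode->i_mode)) && (mask & MAY_WRITE)
++ && !inode_owner_or_capable(inode))
+ return -EPERM;
+ }
+ 
+-- 
+https://clearlinux.org
+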
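Review bot: The rewritten type check in the embedded fs/xattr.c hunk (`if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode) && !S_ISLNK(inode->i_mode))`) runs well past the kernel's 80-column limit and will be flagged by checkpatch; wrapping it as `if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode) &&` / `    !S_ISLNK(inode->i_mode))` matches the surrounding style. Semantically, only the MAY_WRITE path is restricted to the owner or a privileged caller; read access to user.* attributes on a symlink falls through to whatever generic permission check follows the hunk, and since symlink mode bits are conventionally 0777 those attributes would presumably be readable by any local user — worth confirming that exposing the container uid/gid labels this way is intended and recording it in the new comment block, e.g. `* attributes; reads are governed by the link's (normally 0777) mode.` The description also misspells `synlink` and `guid` (gid). xattr_permission continues outside the hunk.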