1 files changed, 56 insertions, 0 deletions
diff --git a/patches/boot_time_opt_guest/0114-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch b/patches/boot_time_opt_guest/0114-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch
new file mode 100644
index 0000000..dee9058
--- /dev/null
+++ b/patches/boot_time_opt_guest/0114-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch
@@ -0,0 +1,56 @@
+From 02fd2e6a7c708bf973209f9b238c5c61cbf15239 Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Thu, 10 Mar 2016 15:11:28 +0000
+Subject: [PATCH 114/114] xattr: allow setting user.* attributes on symlinks by
+ owner
+Kvmtool and clear containers supports using user attributes to label host
+files with the virtual uid/guid of the file in the container. This allows an
+end user to manage their files and a complete uid space without all the ugly
+namespace stuff.
+The one gap in the support is symlinks because an end user can change the
+ownership of a symbolic link. We support attributes on these files as you
+can already (as root) set security attributes on them.
+The current rules seem slightly over-paranoid and as we have a use case this
+patch enables updating the attributes on a symbolic link IFF you are the
+owner of the synlink (as permissions are not usually meaningful on the link
+itself).
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+---
+ fs/xattr.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+diff --git a/fs/xattr.c b/fs/xattr.c
+index 7e3317cf4045..e005c30acb2c 100644
+--- a/fs/xattr.c
+++ b/fs/xattr.c
+@@ -118,15 +118,17 @@ xattr_permission(struct inode *inode, const char *name, int mask)
+        }
+ 
+        /*
+-        * In the user.* namespace, only regular files and directories can have
+-        * extended attributes. For sticky directories, only the owner and
+-        * privileged users can write attributes.
+        * In the user.* namespace, only regular files, symbolic links, and
+        * directories can have extended attributes. For symbolic links and
+        * sticky directories, only the owner and privileged users can write
+        * attributes.
+         */
+        if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
+-               if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode))
+               if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode) && !S_ISLNK(inode->i_mode))
+                        return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
+-               if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) &&
+-                   (mask & MAY_WRITE) && !inode_owner_or_capable(inode))
+               if (((S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX))
+                       || S_ISLNK(inode->i_mode)) && (mask & MAY_WRITE)
+                       && !inode_owner_or_capable(inode))
+                        return -EPERM;
+        }
+ 
+-- 
+2.11.1

diff --git a/patches/boot_time_opt_guest/0114-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch b/patches/boot_time_opt_guest/0114-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch new file mode 100644 index 0000000..dee9058 --- /dev/null +++ b/patches/boot_time_opt_guest/0114-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch
@@ -0,0 +1,56 @@
	1	From 02fd2e6a7c708bf973209f9b238c5c61cbf15239 Mon Sep 17 00:00:00 2001
	2	From: Alan Cox <alan@linux.intel.com>
	3	Date: Thu, 10 Mar 2016 15:11:28 +0000
	4	Subject: [PATCH 114/114] xattr: allow setting user.* attributes on symlinks by
	5	owner
	6
	7	Kvmtool and clear containers supports using user attributes to label host
	8	files with the virtual uid/guid of the file in the container. This allows an
	9	end user to manage their files and a complete uid space without all the ugly
	10	namespace stuff.
	11
	12	The one gap in the support is symlinks because an end user can change the
	13	ownership of a symbolic link. We support attributes on these files as you
	14	can already (as root) set security attributes on them.
	15
	16	The current rules seem slightly over-paranoid and as we have a use case this
	17	patch enables updating the attributes on a symbolic link IFF you are the
	18	owner of the synlink (as permissions are not usually meaningful on the link
	19	itself).
	20
	21	Signed-off-by: Alan Cox <alan@linux.intel.com>
	22	---
	23	fs/xattr.c \| 14 ++++++++------
	24	1 file changed, 8 insertions(+), 6 deletions(-)
	25
	26	diff --git a/fs/xattr.c b/fs/xattr.c
	27	index 7e3317cf4045..e005c30acb2c 100644
	28	--- a/fs/xattr.c
	29	+++ b/fs/xattr.c
	30	@@ -118,15 +118,17 @@ xattr_permission(struct inode inode, const char name, int mask)
	31	}
	32
	33	/*
	34	- * In the user.* namespace, only regular files and directories can have
	35	- * extended attributes. For sticky directories, only the owner and
	36	- * privileged users can write attributes.
	37	+ * In the user.* namespace, only regular files, symbolic links, and
	38	+ * directories can have extended attributes. For symbolic links and
	39	+ * sticky directories, only the owner and privileged users can write
	40	+ * attributes.
	41	*/
	42	if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
	43	- if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode))
	44	+ if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode) && !S_ISLNK(inode->i_mode))
	45	return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
	46	- if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) &&
	47	- (mask & MAY_WRITE) && !inode_owner_or_capable(inode))
	48	+ if (((S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX))
	49	+ \|\| S_ISLNK(inode->i_mode)) && (mask & MAY_WRITE)
	50	+ && !inode_owner_or_capable(inode))
	51	return -EPERM;
	52	}
	53
	54	--
	55	2.11.1
	56