From 16b0e3313f53566481c106ace9992e477f8efe9b Mon Sep 17 00:00:00 2001 From: Adrian Calianu Date: Mon, 22 May 2017 08:43:50 +0200 Subject: patches: Boot time optimizations with ClearLinux patches Signed-off-by: Adrian Calianu Signed-off-by: Adrian Dudau --- ...-setting-user.-attributes-on-symlinks-by-.patch | 56 ++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 patches/boot_time_opt/0109-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch (limited to 'patches/boot_time_opt/0109-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch') diff --git a/patches/boot_time_opt/0109-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch b/patches/boot_time_opt/0109-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch new file mode 100644 index 0000000..70247a0 --- /dev/null +++ b/patches/boot_time_opt/0109-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch @@ -0,0 +1,56 @@ +From 4170571f7bb0897c90e13b2fcf3ee06990a9e774 Mon Sep 17 00:00:00 2001 +From: Alan Cox +Date: Thu, 10 Mar 2016 15:11:28 +0000 +Subject: [PATCH 109/124] xattr: allow setting user.* attributes on symlinks by + owner + +Kvmtool and clear containers supports using user attributes to label host +files with the virtual uid/guid of the file in the container. This allows an +end user to manage their files and a complete uid space without all the ugly +namespace stuff. + +The one gap in the support is symlinks because an end user can change the +ownership of a symbolic link. We support attributes on these files as you +can already (as root) set security attributes on them. + +The current rules seem slightly over-paranoid and as we have a use case this +patch enables updating the attributes on a symbolic link IFF you are the +owner of the synlink (as permissions are not usually meaningful on the link +itself). + +Signed-off-by: Alan Cox +--- + fs/xattr.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/fs/xattr.c b/fs/xattr.c +index 2d13b4e62fae..580a5aeddfd2 100644 +--- a/fs/xattr.c ++++ b/fs/xattr.c +@@ -118,15 +118,17 @@ xattr_permission(struct inode *inode, const char *name, int mask) + } + + /* +- * In the user.* namespace, only regular files and directories can have +- * extended attributes. For sticky directories, only the owner and +- * privileged users can write attributes. ++ * In the user.* namespace, only regular files, symbolic links, and ++ * directories can have extended attributes. For symbolic links and ++ * sticky directories, only the owner and privileged users can write ++ * attributes. + */ + if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) { +- if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode)) ++ if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode) && !S_ISLNK(inode->i_mode)) + return (mask & MAY_WRITE) ? -EPERM : -ENODATA; +- if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) && +- (mask & MAY_WRITE) && !inode_owner_or_capable(inode)) ++ if (((S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX)) ++ || S_ISLNK(inode->i_mode)) && (mask & MAY_WRITE) ++ && !inode_owner_or_capable(inode)) + return -EPERM; + } + +-- +2.11.1 + -- cgit v1.2.3-54-g00ecf