0117-xattr-allow-setting-user.-attributes-on-symlinks-by-.patch
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alan Cox <[email protected]>
Date: Thu, 10 Mar 2016 15:11:28 +0000
Subject: [PATCH] xattr: allow setting user.* attributes on symlinks by owner
Kvmtool and clear containers support using user attributes to label host
files with the virtual uid/gid of the file in the container. This allows an
end user to manage their files and a complete uid space without all the ugly
namespace stuff.
The one gap in the support is symlinks because an end user can change the
ownership of a symbolic link. We support attributes on these files as you
can already (as root) set security attributes on them.
The current rules seem slightly over-paranoid and as we have a use case this
patch enables updating the attributes on a symbolic link IFF you are the
owner of the symlink (as permissions are not usually meaningful on the link
itself).
Signed-off-by: Alan Cox <[email protected]>
---
fs/xattr.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/fs/xattr.c b/fs/xattr.c
index 998045165916..62b6fb4dedee 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -120,16 +120,17 @@ xattr_permission(struct user_namespace *mnt_userns, struct inode *inode,
}
/*
- * In the user.* namespace, only regular files and directories can have
- * extended attributes. For sticky directories, only the owner and
- * privileged users can write attributes.
+ * In the user.* namespace, only regular files, symbolic links, and
+ * directories can have extended attributes. For symbolic links and
+ * sticky directories, only the owner and privileged users can write
+ * attributes.
*/
if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
- if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode))
+ if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode) && !S_ISLNK(inode->i_mode))
return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
- if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) &&
- (mask & MAY_WRITE) &&
- !inode_owner_or_capable(idmap, inode))
+ if (((S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX))
+ || S_ISLNK(inode->i_mode)) && (mask & MAY_WRITE)
+ && !inode_owner_or_capable(idmap, inode))
return -EPERM;
}
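Review bot: the hunk header names the first parameter `mnt_userns` (`xattr_permission(struct user_namespace *mnt_userns, struct inode *inode,`) while both the removed and the added lines pass `idmap` to `inode_owner_or_capable()`; one of the two is stale relative to the tree this is meant for, and if the function still takes `mnt_userns` the new `!inode_owner_or_capable(idmap, inode)` will not compile. Regenerate the diff against the target tree so the header context and the call agree. The logic itself reads correctly: `S_ISLNK` joins the allowed inode types, and keeping `(mask & MAY_WRITE)` in the combined condition means the owner-or-capable test gates only writes, so any user who can reach the link can still read its user.* attributes. That read policy matches the updated comment, but since it is a behavioural change from the old "no user.* on symlinks at all" rule it deserves one sentence in the commit message.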
--
https://clearlinux.org
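A small probe, added here as an example and not part of the patch or the Clear Linux tree, that reports which rule the running kernel applies: it creates a scratch target file and symlink that the caller owns under a directory you name (/tmp is assumed in main), calls lsetxattr() with a user.* name on the link, and maps the outcome back to the before/after behaviour of the hunk above. The enum, function and attribute names are the example's own.

```c
/* Probe whether the kernel lets a symlink's owner set user.* xattrs on the
 * link (rule introduced by this patch) or rejects them with EPERM (upstream
 * rule). Build: cc -o xattrprobe xattrprobe.c */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/xattr.h>

enum lnk_xattr_rule {
    LNK_XATTR_ALLOWED,     /* patched rule: owner may write user.* on the link */
    LNK_XATTR_DENIED,      /* upstream rule: user.* write on a symlink is EPERM */
    LNK_XATTR_UNSUPPORTED, /* VFS check passed, filesystem has no xattr support */
    LNK_XATTR_ERROR        /* scratch setup failed or an unexpected errno */
};

/* Map lsetxattr()'s return value and errno onto the rule it implies. The VFS
 * xattr_permission() check runs before the filesystem handler, so EPERM means
 * the symlink rule fired, while ENOTSUP means the check passed and the fs objected. */
enum lnk_xattr_rule classify_lsetxattr(int ret, int err)
{
    if (ret == 0)
        return LNK_XATTR_ALLOWED;
    if (err == EPERM)
        return LNK_XATTR_DENIED;
    if (err == ENOTSUP)
        return LNK_XATTR_UNSUPPORTED;
    return LNK_XATTR_ERROR;
}

/* Create target + symlink in a scratch dir under `parent` (we own both, so only
 * the S_ISLNK branch of xattr_permission() decides), try the write, clean up. */
enum lnk_xattr_rule probe_symlink_user_xattr(const char *parent)
{
    char dir[512], target[1024], link[1024];
    int fd, ret, err;

    snprintf(dir, sizeof dir, "%s/xattrprobe.XXXXXX", parent);
    if (!mkdtemp(dir))
        return LNK_XATTR_ERROR;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    fd = open(target, O_CREAT | O_WRONLY, 0600);
    if (fd >= 0)
        close(fd);
    if (fd < 0 || symlink(target, link) < 0) {
        unlink(target);
        rmdir(dir);
        return LNK_XATTR_ERROR;
    }
    ret = lsetxattr(link, "user.probe", "1", 1, 0); /* lsetxattr: does not follow the link */
    err = errno;
    unlink(link);
    unlink(target);
    rmdir(dir);
    return classify_lsetxattr(ret, err);
}

int main(void)
{
    static const char *names[] = { "allowed (patched rule)", "denied (upstream rule)",
                                   "unsupported by filesystem", "probe error" };
    enum lnk_xattr_rule r = probe_symlink_user_xattr("/tmp");
    printf("user.* xattr write on an owned symlink: %s\n", names[r]);
    return r == LNK_XATTR_ERROR;
}
```

Run it as an unprivileged user; root passes the capable() half of the check on any kernel, so its result says nothing about the patch.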