57 lines
2.2 KiB
Diff
57 lines
2.2 KiB
Diff
From c03fac43a4294098b01d6a0eadd824e6c79e70e6 Mon Sep 17 00:00:00 2001
|
|
From: Alan Cox <alan@linux.intel.com>
|
|
Date: Thu, 10 Mar 2016 15:11:28 +0000
|
|
Subject: [PATCH 14/22] xattr: allow setting user.* attributes on symlinks by
|
|
owner
|
|
|
|
Kvmtool and clear containers supports using user attributes to label host
|
|
files with the virtual uid/guid of the file in the container. This allows an
|
|
end user to manage their files and a complete uid space without all the ugly
|
|
namespace stuff.
|
|
|
|
The one gap in the support is symlinks because an end user can change the
|
|
ownership of a symbolic link. We support attributes on these files as you
|
|
can already (as root) set security attributes on them.
|
|
|
|
The current rules seem slightly over-paranoid and as we have a use case this
|
|
patch enables updating the attributes on a symbolic link IFF you are the
|
|
owner of the synlink (as permissions are not usually meaningful on the link
|
|
itself).
|
|
|
|
Signed-off-by: Alan Cox <alan@linux.intel.com>
|
|
---
|
|
fs/xattr.c | 14 ++++++++------
|
|
1 file changed, 8 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/fs/xattr.c b/fs/xattr.c
|
|
index ed8c3745..f48d608e 100644
|
|
--- a/fs/xattr.c
|
|
+++ b/fs/xattr.c
|
|
@@ -118,15 +118,17 @@ xattr_permission(struct inode *inode, const char *name, int mask)
|
|
}
|
|
|
|
/*
|
|
- * In the user.* namespace, only regular files and directories can have
|
|
- * extended attributes. For sticky directories, only the owner and
|
|
- * privileged users can write attributes.
|
|
+ * In the user.* namespace, only regular files, symbolic links, and
|
|
+ * directories can have extended attributes. For symbolic links and
|
|
+ * sticky directories, only the owner and privileged users can write
|
|
+ * attributes.
|
|
*/
|
|
if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
|
|
- if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode))
|
|
+ if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode) && !S_ISLNK(inode->i_mode))
|
|
return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
|
|
- if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) &&
|
|
- (mask & MAY_WRITE) && !inode_owner_or_capable(inode))
|
|
+ if (((S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX))
|
|
+ || S_ISLNK(inode->i_mode)) && (mask & MAY_WRITE)
|
|
+ && !inode_owner_or_capable(inode))
|
|
return -EPERM;
|
|
}
|
|
|
|
--
|
|
2.11.0
|
|
|