Commit 4c964935 authored by Luis Henriques

Revert "(namespace) Revert "UBUNTU: SAUCE: ima/evm: Allow root in s_user_ns to set xattrs""

BugLink: https://bugs.launchpad.net/bugs/1644165

This reverts commit db19ff87.

The kernel fix for bug #1634964 breaks LXD userspace, in particular the
following commits:

ac7f3f73 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs
ca52383a (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs

LXD 2.0.6 will include changes to support these kernel changes, but it isn't
available yet on xenial, so for now we just revert these commits.

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
parent 99d014a4
...@@ -279,7 +279,7 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, ...@@ -279,7 +279,7 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
enum integrity_status evm_status; enum integrity_status evm_status;
if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
if (!capable(CAP_SYS_ADMIN)) if (!ns_capable(dentry->d_sb->s_user_ns, CAP_SYS_ADMIN))
return -EPERM; return -EPERM;
} else if (!evm_protected_xattr(xattr_name)) { } else if (!evm_protected_xattr(xattr_name)) {
if (!posix_xattr_acl(xattr_name)) if (!posix_xattr_acl(xattr_name))
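Review bot: the EVM branch moves from `capable(CAP_SYS_ADMIN)` to `ns_capable(dentry->d_sb->s_user_ns, CAP_SYS_ADMIN)`, which widens who may write security.evm from CAP_SYS_ADMIN in the initial user namespace to CAP_SYS_ADMIN in whichever user namespace owns the superblock, yet the commit message justifies re-applying the SAUCE patch only by the LXD breakage and says nothing about whether that widening was assessed. Please add a sentence to the message, or a comment above the check, recording why a namespace root writing the EVM xattr on its own mounts is acceptable, so the trust-boundary change survives the revert-of-a-revert history. Behaviour on superblocks owned by the initial user namespace is unchanged, since ns_capable against init_user_ns is equivalent to capable.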
...@@ -345,7 +345,7 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name, ...@@ -345,7 +345,7 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
const void *xattr_value, size_t xattr_value_len) const void *xattr_value, size_t xattr_value_len)
{ {
if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) { if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
if (!capable(CAP_SYS_ADMIN)) if (!ns_capable(dentry->d_sb->s_user_ns, CAP_SYS_ADMIN))
return -EPERM; return -EPERM;
return 1; return 1;
} }
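Review bot: this hunk open-codes the same `ns_capable(dentry->d_sb->s_user_ns, CAP_SYS_ADMIN)` expression that the EVM hunk uses for XATTR_NAME_EVM; consider moving it into one small helper shared by evm_protect_xattr and ima_protect_xattr so the two namespace-aware checks cannot drift apart when either is revisited (this series has already flipped both back and forth once). A brief comment at the call site stating that the IMA and EVM policies are intentionally identical would also help the next reader.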