[vpsAdminOS] userns trusted xattr

vpsfreecz · Oct 4, 2019 · f9ad799 · f9ad799
1 parent e472c16
commit f9ad799
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/include/os/linux/kernel/linux/xattr_compat.h b/include/os/linux/kernel/linux/xattr_compat.h
@@ -27,6 +27,7 @@
 #define	_ZFS_XATTR_H
 
 #include <linux/posix_acl_xattr.h>
+#include <linux/user_namespace.h>
 
 /*
  * 2.6.35 API change,

diff --git a/module/os/linux/zfs/zpl_xattr.c b/module/os/linux/zfs/zpl_xattr.c
@@ -752,11 +752,23 @@ xattr_handler_t zpl_xattr_user_handler =
  * the kernel) which keep information in extended attributes to which
  * ordinary processes should not have access." - xattr(7)
  */
+bool __xattr_trusted(void)
+{
+	struct user_namespace *ns = current_user_ns();
+	if (((ns == &init_user_ns) || (ns->parent == &init_user_ns)) &&
+	    ns_capable(ns, CAP_SYS_ADMIN))
+		return true;
+	printk(KERN_INFO "ZFS: __xattr_trusted() failed for pid %d\n",
+			current->pid);
+	return false;
+}
+
+
 static int
 __zpl_xattr_trusted_list(struct inode *ip, char *list, size_t list_size,
     const char *name, size_t name_len)
 {
-	return (capable(CAP_SYS_ADMIN));
+	return __xattr_trusted();
 }
 ZPL_XATTR_LIST_WRAPPER(zpl_xattr_trusted_list);
 
@@ -767,7 +779,7 @@ __zpl_xattr_trusted_get(struct inode *ip, const char *name,
 	char *xattr_name;
 	int error;
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!__xattr_trusted())
 		return (-EACCES);
 	/* xattr_resolve_name will do this for us if this is defined */
 #ifndef HAVE_XATTR_HANDLER_NAME
@@ -789,7 +801,7 @@ __zpl_xattr_trusted_set(struct inode *ip, const char *name,
 	char *xattr_name;
 	int error;
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!__xattr_trusted())
 		return (-EACCES);
 	/* xattr_resolve_name will do this for us if this is defined */
 #ifndef HAVE_XATTR_HANDLER_NAME