]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commitdiff
projects / mirror_ubuntu-artful-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 99d014a)
Revert "(namespace) Revert "UBUNTU: SAUCE: ima/evm: Allow root in s_user_ns to set...
authorLuis Henriques <luis.henriques@canonical.com>
Wed, 23 Nov 2016 10:00:23 +0000 (10:00 +0000)
committerLuis Henriques <luis.henriques@canonical.com>
Wed, 23 Nov 2016 10:14:05 +0000 (10:14 +0000)
BugLink: https://bugs.launchpad.net/bugs/1644165
This reverts commit db19ff87e3f993e46217f369a066f9d1d4691df8.

The kernel fix for bug #1634964 breaks LXD userspace, in particular the
following commits:

ac7f3f73cb39 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs
ca52383ad6a6 (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs

LXD 2.0.6 will include changes to support these kernel changes, but it isn't
available yet on xenial, so for now we just revert these commits.

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
security/integrity/evm/evm_main.c patch | blob | blame | history
security/integrity/ima/ima_appraise.c patch | blob | blame | history

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 3d145a3ffccff3a417a40321e66b11a838c13e53..91449adad38e3571061a5818569536c4f811376c 100644 (file)
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -279,7 +279,7 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
        enum integrity_status evm_status;
 
        if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
-               if (!capable(CAP_SYS_ADMIN))
+               if (!ns_capable(dentry->d_sb->s_user_ns, CAP_SYS_ADMIN))
                        return -EPERM;
        } else if (!evm_protected_xattr(xattr_name)) {
                if (!posix_xattr_acl(xattr_name))
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index ed5a9c110b3a2238025a3be9d4a58787ceaea230..bef95aab9819778c397541ccc2804d3416a8bc8a 100644 (file)
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -345,7 +345,7 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
                             const void *xattr_value, size_t xattr_value_len)
 {
        if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
-               if (!capable(CAP_SYS_ADMIN))
+               if (!ns_capable(dentry->d_sb->s_user_ns, CAP_SYS_ADMIN))
                        return -EPERM;
                return 1;
        }
Ubuntu Artful kernel mirror