diff options
Diffstat (limited to 'fs/xattr.c')
| -rw-r--r-- | fs/xattr.c | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/fs/xattr.c b/fs/xattr.c index f1ef94974dea..f060663ab70c 100644 --- a/fs/xattr.c +++ b/fs/xattr.c | |||
| @@ -46,18 +46,22 @@ xattr_permission(struct inode *inode, const char *name, int mask) | |||
| 46 | return 0; | 46 | return 0; |
| 47 | 47 | ||
| 48 | /* | 48 | /* |
| 49 | * The trusted.* namespace can only be accessed by a privileged user. | 49 | * The trusted.* namespace can only be accessed by privileged users. |
| 50 | */ | 50 | */ |
| 51 | if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) | 51 | if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) { |
| 52 | return (capable(CAP_SYS_ADMIN) ? 0 : -EPERM); | 52 | if (!capable(CAP_SYS_ADMIN)) |
| 53 | return (mask & MAY_WRITE) ? -EPERM : -ENODATA; | ||
| 54 | return 0; | ||
| 55 | } | ||
| 53 | 56 | ||
| 54 | /* In user.* namespace, only regular files and directories can have | 57 | /* |
| 58 | * In the user.* namespace, only regular files and directories can have | ||
| 55 | * extended attributes. For sticky directories, only the owner and | 59 | * extended attributes. For sticky directories, only the owner and |
| 56 | * privileged user can write attributes. | 60 | * privileged users can write attributes. |
| 57 | */ | 61 | */ |
| 58 | if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) { | 62 | if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) { |
| 59 | if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode)) | 63 | if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode)) |
| 60 | return -EPERM; | 64 | return (mask & MAY_WRITE) ? -EPERM : -ENODATA; |
| 61 | if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) && | 65 | if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) && |
| 62 | (mask & MAY_WRITE) && !inode_owner_or_capable(inode)) | 66 | (mask & MAY_WRITE) && !inode_owner_or_capable(inode)) |
| 63 | return -EPERM; | 67 | return -EPERM; |
| @@ -87,7 +91,11 @@ int __vfs_setxattr_noperm(struct dentry *dentry, const char *name, | |||
| 87 | { | 91 | { |
| 88 | struct inode *inode = dentry->d_inode; | 92 | struct inode *inode = dentry->d_inode; |
| 89 | int error = -EOPNOTSUPP; | 93 | int error = -EOPNOTSUPP; |
| 94 | int issec = !strncmp(name, XATTR_SECURITY_PREFIX, | ||
| 95 | XATTR_SECURITY_PREFIX_LEN); | ||
| 90 | 96 | ||
| 97 | if (issec) | ||
| 98 | inode->i_flags &= ~S_NOSEC; | ||
| 91 | if (inode->i_op->setxattr) { | 99 | if (inode->i_op->setxattr) { |
| 92 | error = inode->i_op->setxattr(dentry, name, value, size, flags); | 100 | error = inode->i_op->setxattr(dentry, name, value, size, flags); |
| 93 | if (!error) { | 101 | if (!error) { |
| @@ -95,8 +103,7 @@ int __vfs_setxattr_noperm(struct dentry *dentry, const char *name, | |||
| 95 | security_inode_post_setxattr(dentry, name, value, | 103 | security_inode_post_setxattr(dentry, name, value, |
| 96 | size, flags); | 104 | size, flags); |
| 97 | } | 105 | } |
| 98 | } else if (!strncmp(name, XATTR_SECURITY_PREFIX, | 106 | } else if (issec) { |
| 99 | XATTR_SECURITY_PREFIX_LEN)) { | ||
| 100 | const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; | 107 | const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; |
| 101 | error = security_inode_setsecurity(inode, suffix, value, | 108 | error = security_inode_setsecurity(inode, suffix, value, |
| 102 | size, flags); | 109 | size, flags); |