ima/evm: Allow root in s_user_ns to set xattrs

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

ima/evm: Allow root in s_user_ns to set xattrs
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
d033b7ff · Seth Forshee · 3d5a8612 · d033b7ff · d033b7ff
Commit d033b7ff authored Feb 15, 2015 by Seth Forshee
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

security/integrity/evm/evm_main.c security/integrity/evm/evm_main.c +1 -1

security/integrity/ima/ima_appraise.c security/integrity/ima/ima_appraise.c +1 -1

No files found.
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -278,7 +278,7 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
 	enum integrity_status evm_status;

 	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
-		if (!capable(CAP_SYS_ADMIN))
+		if (!ns_capable(dentry->d_sb->s_user_ns, CAP_SYS_ADMIN))
 			return -EPERM;
 	} else if (!evm_protected_xattr(xattr_name)) {
 		if (!posix_xattr_acl(xattr_name))

--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -345,7 +345,7 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
 			     const void *xattr_value, size_t xattr_value_len)
 {
 	if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
-		if (!capable(CAP_SYS_ADMIN))
+		if (!ns_capable(dentry->d_sb->s_user_ns, CAP_SYS_ADMIN))
 			return -EPERM;
 		return 1;
 	}