[Linux-ima-user] [RFC 2/2] ima: Allow CAP_SYS_ADMIN in s_user_ns to write IMA xattrs

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Signed-off-by: Seth Forshee <set...@ca...>
---
 security/integrity/ima/ima_appraise.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index a13fc6809554..007cea65b5ef 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -353,8 +353,9 @@ void ima_inode_post_setattr(struct dentry *dentry)
 static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
 			     const void *xattr_value, size_t xattr_value_len)
 {
+	struct inode *inode = d_backing_inode(dentry);
 	if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
-		if (!capable(CAP_SYS_ADMIN))
+		if (!ns_capable(inode->i_sb->s_user_ns, CAP_SYS_ADMIN))
 			return -EPERM;
 		return 1;
 	}
-- 
2.7.4



