vfs_acl_xattr: Additionally use CAP_SYS_ADMIN for xattrs from security namespace
These days we prefer capabilities over become_root() to perform some privileged operations. Accordingly, the acl_xattr VFS module also started using CAP_DAC_OVERRIDE to set and retrieve NT ACLs stored in xattrs. But there is a catch: only those processes with CAP_SYS_ADMIN are allowed write access to xattrs from the security namespace (see man xattr(7)). Our default "security.NTACL", or any other configured xattr within the security namespace, cannot work, leading to NT_STATUS_ACCESS_DENIED when smbd attempts to store/remove such xattrs. Therefore add CAP_SYS_ADMIN conditionally for xattrs from the security namespace.
Checklist
- Commits have Signed-off-by: with name/author being identical to the commit author
- (optional) This MR is just one part towards a larger feature.
- (optional, if backport required) Bugzilla bug filed and BUG: tag added
- Test suite updated with functionality tests
- Test suite updated with negative tests
- Documentation updated
- CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:
- There is a test suite reasonably covering new functionality or modifications
- Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
- This feature/change has adequate documentation added
- No obvious mistakes in the code
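
The capability requirement described in the merge request above can be checked against a process's effective capability set. The following is an added example, not code from Samba or from this merge request: it parses a CapEff line as found in /proc/<pid>/status and reports whether a write to a given xattr name would pass under the simplified model stated in the description (CAP_DAC_OVERRIDE always, plus CAP_SYS_ADMIN for the security namespace). All function names and the sample CapEff lines are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define CAP_DAC_OVERRIDE_BIT 1
#define CAP_SYS_ADMIN_BIT    21

/* True when the xattr name lives in the "security." namespace. */
static bool xattr_in_security_ns(const char *name)
{
    return strncmp(name, "security.", strlen("security.")) == 0;
}

/* Parse a "CapEff:\t<hex>" line from /proc/<pid>/status into a bitmask. */
static bool parse_capeff(const char *line, uint64_t *mask)
{
    unsigned long long v;
    if (sscanf(line, "CapEff: %llx", &v) != 1)
        return false;
    *mask = v;
    return true;
}

/* Simplified model from the description: CAP_DAC_OVERRIDE is always used,
 * CAP_SYS_ADMIN is needed in addition for security.* xattrs. */
static uint64_t caps_needed_for_write(const char *name)
{
    uint64_t need = UINT64_C(1) << CAP_DAC_OVERRIDE_BIT;
    if (xattr_in_security_ns(name))
        need |= UINT64_C(1) << CAP_SYS_ADMIN_BIT;
    return need;
}

/* Would a process with this effective set be allowed to write the xattr? */
static bool write_would_succeed(const char *capeff_line, const char *name)
{
    uint64_t have, need = caps_needed_for_write(name);
    if (!parse_capeff(capeff_line, &have))
        return false; /* unparseable input: fail closed */
    return (have & need) == need;
}

int main(void)
{
    const char *dac_only = "CapEff:\t0000000000000002";  /* constructed sample */
    const char *dac_admin = "CapEff:\t0000000000200002"; /* constructed sample */
    printf("DAC only, security.NTACL: %d\n", write_would_succeed(dac_only, "security.NTACL"));
    printf("DAC+ADMIN, security.NTACL: %d\n", write_would_succeed(dac_admin, "security.NTACL"));
    return 0;
}
```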