[REVIEW][PATCH 2/5] userns: Allow PR_CAPBSET_DROP in a user namespace.

Eric W. Biederman Thu, 29 Aug 2013 16:55:09 -0700

As the capabilites and capability bounding set are per user namespace
properties it is safe to allow changing them with just CAP_SETPCAP
permission in the user namespace.


Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com>
Tested-by: Richard Weinberger <rich...@nod.at>
---
 security/commoncap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index c44b6fe..9fccf71 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -824,7 +824,7 @@ int cap_task_setnice(struct task_struct *p, int nice)
  */
 static long cap_prctl_drop(struct cred *new, unsigned long cap)
 {
-       if (!capable(CAP_SETPCAP))
+       if (!ns_capable(current_user_ns(), CAP_SETPCAP))
                return -EPERM;
        if (!cap_valid(cap))
                return -EINVAL;
-- 
1.7.5.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[REVIEW][PATCH 2/5] userns: Allow PR_CAPBSET_DROP in a user namespace.

Reply via email to