Quoting Eric W. Biederman ([email protected]): > > As the capabilites and capability bounding set are per user namespace > properties it is safe to allow changing them with just CAP_SETPCAP > permission in the user namespace. > > Signed-off-by: "Eric W. Biederman" <[email protected]> > Tested-by: Richard Weinberger <[email protected]>
Acked-by: Serge Hallyn <[email protected]> > --- > security/commoncap.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/security/commoncap.c b/security/commoncap.c > index c44b6fe..9fccf71 100644 > --- a/security/commoncap.c > +++ b/security/commoncap.c > @@ -824,7 +824,7 @@ int cap_task_setnice(struct task_struct *p, int nice) > */ > static long cap_prctl_drop(struct cred *new, unsigned long cap) > { > - if (!capable(CAP_SETPCAP)) > + if (!ns_capable(current_user_ns(), CAP_SETPCAP)) > return -EPERM; > if (!cap_valid(cap)) > return -EINVAL; > -- > 1.7.5.4 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
