summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorEric W. Biederman <ebiederm@xmission.com>2013-07-02 10:04:54 -0700
committerEric W. Biederman <ebiederm@xmission.com>2013-08-30 17:30:39 -0700
commit160da84dbb39443fdade7151bc63a88f8e953077 (patch)
treeddc0f7993f773a610b888a75b2a00a2520c053f9 /security
parentdbef0c1c4c5f8ce5d1f5bd8cee092a7afb4ac21b (diff)
downloadlwn-160da84dbb39443fdade7151bc63a88f8e953077.tar.gz
lwn-160da84dbb39443fdade7151bc63a88f8e953077.zip
userns: Allow PR_CAPBSET_DROP in a user namespace.
As the capabilites and capability bounding set are per user namespace properties it is safe to allow changing them with just CAP_SETPCAP permission in the user namespace. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Tested-by: Richard Weinberger <richard@nod.at> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'security')
-rw-r--r--security/commoncap.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index c44b6fe6648e..9fccf71b2b62 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -824,7 +824,7 @@ int cap_task_setnice(struct task_struct *p, int nice)
*/
static long cap_prctl_drop(struct cred *new, unsigned long cap)
{
- if (!capable(CAP_SETPCAP))
+ if (!ns_capable(current_user_ns(), CAP_SETPCAP))
return -EPERM;
if (!cap_valid(cap))
return -EINVAL;