author | Kees Cook <keescook@chromium.org> | 2012-05-14 19:19:28 +0200 |
---|---|---|
committer | James Morris <james.l.morris@oracle.com> | 2012-05-15 02:27:57 +0200 |
commit | 2cc8a71641b4460783ea3bd7a3476043fdf85397 (patch) | |
tree | fe8a39bbedc403306c3a0c2f773a4499d6ae99ec | |
parent | TOMOYO: Accept manager programs which do not start with / . (diff) | |
Yama: replace capable() with ns_capable()

When checking capabilities, the question we want to be asking is "does
current() have the capability in the child's namespace?"

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
-rw-r--r-- | security/yama/yama_lsm.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index c852f7472ad0..83554ee8a587 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -264,11 +264,11 @@ static int yama_ptrace_access_check(struct task_struct *child, case YAMA_SCOPE_RELATIONAL: if (!task_is_descendant(current, child) && !ptracer_exception_found(current, child) && - !capable(CAP_SYS_PTRACE)) + !ns_capable(task_user_ns(child), CAP_SYS_PTRACE)) rc = -EPERM; break; case YAMA_SCOPE_CAPABILITY: - if (!capable(CAP_SYS_PTRACE)) + if (!ns_capable(task_user_ns(child), CAP_SYS_PTRACE)) rc = -EPERM; break; case YAMA_SCOPE_NO_ATTACH: |
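Review bot: In both the YAMA_SCOPE_RELATIONAL and YAMA_SCOPE_CAPABILITY cases, the namespace pointer returned by task_user_ns(child) is passed straight to ns_capable() with no lock or reference visible in the hunk. Please confirm that the child's credentials, and the user namespace they point to, cannot be released between the lookup and the capability check; if the caller does not already guarantee that, hold rcu_read_lock() across the whole condition. A smaller point: the expression `ns_capable(task_user_ns(child), CAP_SYS_PTRACE)` now appears twice, so a local variable or a short helper would keep the two cases from drifting apart, and a one-line comment stating that the capability is evaluated in the child's namespace (as the commit message explains) would help the next reader of yama_ptrace_access_check().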