diff options
author | Eric W. Biederman <ebiederm@xmission.com> | 2012-07-31 10:14:12 +0200 |
---|---|---|
committer | Eric W. Biederman <ebiederm@xmission.com> | 2012-11-19 14:59:17 +0100 |
commit | a85fb273c94648cbf20a5f9bcf8bbbb075f271ad (patch) | |
tree | bdfe3d662dd4a42673620067f21c7b6fedd04d27 /fs/open.c | |
parent | pidns: Support unsharing the pid namespace. (diff) | |
download | linux-a85fb273c94648cbf20a5f9bcf8bbbb075f271ad.tar.xz linux-a85fb273c94648cbf20a5f9bcf8bbbb075f271ad.zip |
vfs: Allow chroot if you have CAP_SYS_CHROOT in your user namespace
Once you are confined to a user namespace applications can not gain
privilege and escape the user namespace so there is no longer a reason
to restrict chroot.
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'fs/open.c')
-rw-r--r-- | fs/open.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/open.c b/fs/open.c index 59071f55bf7f..182d8667b7bd 100644 --- a/fs/open.c +++ b/fs/open.c @@ -435,7 +435,7 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename) goto dput_and_out; error = -EPERM; - if (!capable(CAP_SYS_CHROOT)) + if (!nsown_capable(CAP_SYS_CHROOT)) goto dput_and_out; error = security_path_chroot(&path); if (error) |