summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorEric W. Biederman <ebiederm@xmission.com>2013-07-02 19:04:54 +0200
committerEric W. Biederman <ebiederm@xmission.com>2013-08-31 02:30:39 +0200
commit160da84dbb39443fdade7151bc63a88f8e953077 (patch)
treeddc0f7993f773a610b888a75b2a00a2520c053f9 /security
parentnamespaces: Simplify copy_namespaces so it is clear what is going on. (diff)
downloadlinux-160da84dbb39443fdade7151bc63a88f8e953077.tar.xz
linux-160da84dbb39443fdade7151bc63a88f8e953077.zip
userns: Allow PR_CAPBSET_DROP in a user namespace.
As the capabilites and capability bounding set are per user namespace properties it is safe to allow changing them with just CAP_SETPCAP permission in the user namespace. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Tested-by: Richard Weinberger <richard@nod.at> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'security')
-rw-r--r--security/commoncap.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index c44b6fe6648e..9fccf71b2b62 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -824,7 +824,7 @@ int cap_task_setnice(struct task_struct *p, int nice)
*/
static long cap_prctl_drop(struct cred *new, unsigned long cap)
{
- if (!capable(CAP_SETPCAP))
+ if (!ns_capable(current_user_ns(), CAP_SETPCAP))
return -EPERM;
if (!cap_valid(cap))
return -EINVAL;