[Devel] [PATCH RHEL7 COMMIT] ms/userns: Allow PR_CAPBSET_DROP in a user namespace.
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Sep 1 07:50:40 PDT 2015
The commit is pushed to "branch-rh7-3.10.0-229.7.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-229.7.2.vz7.6.5
------>
commit 038113017ff594bbc49c365d48a0f3ec4f14ea8b
Author: Eric W. Biederman <ebiederm at xmission.com>
Date: Tue Sep 1 18:50:40 2015 +0400
ms/userns: Allow PR_CAPBSET_DROP in a user namespace.
ms commit: 160da84dbb39443fdade7151bc63a88f8e953077
As the capabilites and capability bounding set are per user namespace
properties it is safe to allow changing them with just CAP_SETPCAP
permission in the user namespace.
Acked-by: Serge Hallyn <serge.hallyn at canonical.com>
Tested-by: Richard Weinberger <richard at nod.at>
Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
https://jira.sw.ru/browse/PSBM-39077
Signed-off-by: Andrew Vagin <avagin at openvz.org>
---
security/commoncap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index 3d7811d..59ff538 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -852,7 +852,7 @@ static int cap_prctl_drop(unsigned long cap)
{
struct cred *new;
- if (!capable(CAP_SETPCAP))
+ if (!ns_capable(current_user_ns(), CAP_SETPCAP))
return -EPERM;
if (!cap_valid(cap))
return -EINVAL;
More information about the Devel
mailing list