
Commit a85fb273 authored by Eric W. Biederman

vfs: Allow chroot if you have CAP_SYS_CHROOT in your user namespace



Once you are confined to a user namespace applications can not gain
privilege and escape the user namespace so there is no longer a reason
to restrict chroot.

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
parent 50804fe3
+1 −1
@@ -435,7 +435,7 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename)
		goto dput_and_out;
		goto dput_and_out;


	error = -EPERM;
	error = -EPERM;
	if (!capable(CAP_SYS_CHROOT))
	if (!nsown_capable(CAP_SYS_CHROOT))
		goto dput_and_out;
		goto dput_and_out;
	error = security_path_chroot(&path);
	error = security_path_chroot(&path);
	if (error)
	if (error)
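
Review bot: the switch to nsown_capable(CAP_SYS_CHROOT) at the -EPERM check has no comment explaining why a capability held only in the caller's user namespace is sufficient for chroot, so the rationale lives only in the commit message. A short comment above the check, stating the assumption that a task confined to a user namespace cannot gain privilege outside it, would keep that reasoning next to the code. The visible lines also show nothing that ties the root being changed to tasks inside the caller's namespace; if the filesystem state changed by chroot can be shared with a task outside that namespace, the assumption in the commit message needs to be checked against that case and the result recorded there. security_path_chroot(&path) still runs after the capability test, which is good, since LSM policy keeps its say over namespace-privileged callers.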