Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 160da84d authored by Eric W. Biederman's avatar Eric W. Biederman
Browse files

userns: Allow PR_CAPBSET_DROP in a user namespace. 



As the capabilites and capability bounding set are per user namespace
properties it is safe to allow changing them with just CAP_SETPCAP
permission in the user namespace.

Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
Tested-by: default avatarRichard Weinberger <richard@nod.at>
Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
parent dbef0c1c

security/commoncap.c

+1 −1
Original line number Original line Diff line number Diff line
@@ -824,7 +824,7 @@ int cap_task_setnice(struct task_struct *p, int nice) 
 */

 */

static long cap_prctl_drop(struct cred *new, unsigned long cap)

static long cap_prctl_drop(struct cred *new, unsigned long cap)

{

{

	if (!capable(CAP_SETPCAP))

	if (!ns_capable(current_user_ns(), CAP_SETPCAP))

		return -EPERM;

		return -EPERM;

	if (!cap_valid(cap))

	if (!cap_valid(cap))

		return -EINVAL;

		return -EINVAL;