Commit 2cc8a71641b4460783ea3bd7a3476043fdf85397

Authored by Kees Cook
Committed by James Morris
1 parent 77b513dda9

Yama: replace capable() with ns_capable()

When checking capabilities, the question we want to be asking is "does
current() have the capability in the child's namespace?"

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>

Showing 1 changed file with 2 additions and 2 deletions

security/yama/yama_lsm.c
... ... @@ -264,11 +264,11 @@
264 264 case YAMA_SCOPE_RELATIONAL:
265 265 if (!task_is_descendant(current, child) &&
266 266 !ptracer_exception_found(current, child) &&
267   - !capable(CAP_SYS_PTRACE))
  267 + !ns_capable(task_user_ns(child), CAP_SYS_PTRACE))
268 268 rc = -EPERM;
269 269 break;
270 270 case YAMA_SCOPE_CAPABILITY:
271   - if (!capable(CAP_SYS_PTRACE))
  271 + if (!ns_capable(task_user_ns(child), CAP_SYS_PTRACE))
272 272 rc = -EPERM;
273 273 break;
274 274 case YAMA_SCOPE_NO_ATTACH:
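
Review bot: Both new conditions (the YAMA_SCOPE_RELATIONAL check at line 267 and the YAMA_SCOPE_CAPABILITY check at line 271) call `task_user_ns(child)` with no locking or credential reference visible in this hunk, so please confirm that the child's user namespace pointer stays valid for the duration of the `ns_capable()` call, or hold the appropriate lock or reference explicitly around it. The same expression `!ns_capable(task_user_ns(child), CAP_SYS_PTRACE)` is now duplicated in two cases; a small helper or a local computed once before the switch would keep the two scopes from drifting apart in later edits. A short comment at the first use stating that the capability is evaluated in the child's user namespace rather than the initial one would also help, since this changes who passes the check: a tracer holding CAP_SYS_PTRACE only within the child's namespace is now accepted where `capable()` previously required it in the initial namespace.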