Commit 2cc8a71641b4460783ea3bd7a3476043fdf85397
Committed by
James Morris
1 parent
77b513dda9
Yama: replace capable() with ns_capable()
When checking capabilities, the question we want to be asking is "does current() have the capability in the child's namespace?" Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.l.morris@oracle.com>
Showing 1 changed file with 2 additions and 2 deletions
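--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -264,11 +264,11 @@
 case YAMA_SCOPE_RELATIONAL:
 if (!task_is_descendant(current, child) &&
 !ptracer_exception_found(current, child) &&
-!capable(CAP_SYS_PTRACE))
+!ns_capable(task_user_ns(child), CAP_SYS_PTRACE))
 rc = -EPERM;
 break;
 case YAMA_SCOPE_CAPABILITY:
-if (!capable(CAP_SYS_PTRACE))
+if (!ns_capable(task_user_ns(child), CAP_SYS_PTRACE))
 rc = -EPERM;
 break;
 case YAMA_SCOPE_NO_ATTACH: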
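Review bot: The user-namespace pointer that `task_user_ns(child)` passes to `ns_capable()` in both the YAMA_SCOPE_RELATIONAL and YAMA_SCOPE_CAPABILITY cases is not visibly pinned; nothing in the hunk holds an RCU read-side section or a reference on the child's credentials across the capability check. The enclosing function starts and ends outside this hunk, so this may already be guaranteed by the caller, but if it is not, the lookup and the check should sit inside one `rcu_read_lock()` / `rcu_read_unlock()` pair so the namespace cannot be released between the two. Since the same expression now appears in two cases, a short comment such as `/* CAP_SYS_PTRACE must be held in the tracee's user namespace, not just init_user_ns */` would record why plain `capable()` is not the right check here.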