userns: Allow PR_CAPBSET_DROP in a user namespace.
As the capabilities and capability bounding set are per user namespace properties it is safe to allow changing them with just CAP_SETPCAP permission in the user namespace. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Tested-by: Richard Weinberger <richard@nod.at> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
parent
dbef0c1c4c
commit
160da84dbb
1 changed files with 1 additions and 1 deletions
|
@ -824,7 +824,7 @@ int cap_task_setnice(struct task_struct *p, int nice)
|
|||
*/
|
||||
static long cap_prctl_drop(struct cred *new, unsigned long cap)
|
||||
{
|
||||
if (!capable(CAP_SETPCAP))
|
||||
if (!ns_capable(current_user_ns(), CAP_SETPCAP))
|
||||
return -EPERM;
|
||||
if (!cap_valid(cap))
|
||||
return -EINVAL;
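Review bot: The relaxed permission check on the `ns_capable(current_user_ns(), CAP_SETPCAP)` line has no comment recording why a namespace-local capability is sufficient, so the rationale lives only in the commit message. I would add above it something like `/* Dropping only narrows the caller's own bounding set, so CAP_SETPCAP in its user namespace suffices. */`, assuming the rest of the function only lowers bits in `new`. The check is made against current's namespace while the change is applied to `new`; presumably `new` is always a copy of current's credentials, and the function comment should state that so a later caller passing other creds does not defeat the intent. The body of cap_prctl_drop continues past the end of the hunk, so the drop itself is not visible here.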
|
||||
|
|