diff options
| author | Eric W. Biederman | 2013-03-20 20:49:49 +0100 |
|---|---|---|
| committer | Eric W. Biederman | 2013-08-31 08:44:11 +0200 |
| commit | c7b96acf1456ef127fef461fcfedb54b81fecfbb (patch) | |
| tree | 1cc9387d23e96685453e545bda6d5a5efea8fa63 /fs | |
| parent | capabilities: allow nice if we are privileged (diff) | |
| download | kernel-qcow2-linux-c7b96acf1456ef127fef461fcfedb54b81fecfbb.tar.gz kernel-qcow2-linux-c7b96acf1456ef127fef461fcfedb54b81fecfbb.tar.xz kernel-qcow2-linux-c7b96acf1456ef127fef461fcfedb54b81fecfbb.zip | |
userns: Kill nsown_capable it makes the wrong thing easy
nsown_capable is a special case of ns_capable essentially for just CAP_SETUID and
CAP_SETGID. For the existing users it doesn't noticably simplify things and
from the suggested patches I have seen it encourages people to do the wrong
thing. So remove nsown_capable.
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/namespace.c | 4 | ||||
| -rw-r--r-- | fs/open.c | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/fs/namespace.c b/fs/namespace.c index 877e4277f496..dc519a1437ee 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2929,8 +2929,8 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns) struct path root; if (!ns_capable(mnt_ns->user_ns, CAP_SYS_ADMIN) || - !nsown_capable(CAP_SYS_CHROOT) || - !nsown_capable(CAP_SYS_ADMIN)) + !ns_capable(current_user_ns(), CAP_SYS_CHROOT) || + !ns_capable(current_user_ns(), CAP_SYS_ADMIN)) return -EPERM; if (fs->users != 1) diff --git a/fs/open.c b/fs/open.c index 9156cb050d08..1c9d23f7e683 100644 --- a/fs/open.c +++ b/fs/open.c @@ -443,7 +443,7 @@ retry: goto dput_and_out; error = -EPERM; - if (!nsown_capable(CAP_SYS_CHROOT)) + if (!ns_capable(current_user_ns(), CAP_SYS_CHROOT)) goto dput_and_out; error = security_path_chroot(&path); if (error) |