From 160da84dbb39443fdade7151bc63a88f8e953077 Mon Sep 17 00:00:00 2001 From: "Eric W. Biederman" Date: Tue, 2 Jul 2013 10:04:54 -0700 Subject: userns: Allow PR_CAPBSET_DROP in a user namespace. As the capabilites and capability bounding set are per user namespace properties it is safe to allow changing them with just CAP_SETPCAP permission in the user namespace. Acked-by: Serge Hallyn Tested-by: Richard Weinberger Signed-off-by: "Eric W. Biederman" --- security/commoncap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security') diff --git a/security/commoncap.c b/security/commoncap.c index c44b6fe6648..9fccf71b2b6 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -824,7 +824,7 @@ int cap_task_setnice(struct task_struct *p, int nice) */ static long cap_prctl_drop(struct cred *new, unsigned long cap) { - if (!capable(CAP_SETPCAP)) + if (!ns_capable(current_user_ns(), CAP_SETPCAP)) return -EPERM; if (!cap_valid(cap)) return -EINVAL; -- cgit v1.2.3-18-g5258 From f54fb863c6bbcbafdfc332b4a4260abb5a002137 Mon Sep 17 00:00:00 2001 From: Serge Hallyn Date: Tue, 23 Jul 2013 13:18:53 -0500 Subject: capabilities: allow nice if we are privileged We allow task A to change B's nice level if it has a supserset of B's privileges, or of it has CAP_SYS_NICE. Also allow it if A has CAP_SYS_NICE with respect to B - meaning it is root in the same namespace, or it created B's namespace. Signed-off-by: Serge Hallyn Reviewed-by: "Eric W. Biederman" Signed-off-by: Eric W. Biederman --- security/commoncap.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'security') diff --git a/security/commoncap.c b/security/commoncap.c index 9fccf71b2b6..b9d613e0ef1 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -768,16 +768,16 @@ int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags) */ static int cap_safe_nice(struct task_struct *p) { - int is_subset; + int is_subset, ret = 0; rcu_read_lock(); is_subset = cap_issubset(__task_cred(p)->cap_permitted, current_cred()->cap_permitted); + if (!is_subset && !ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) + ret = -EPERM; rcu_read_unlock(); - if (!is_subset && !capable(CAP_SYS_NICE)) - return -EPERM; - return 0; + return ret; } /** -- cgit v1.2.3-18-g5258