When checking capabilities, the question we want to be asking is "does
current() have the capability in the child's namespace?"
Signed-off-by: Kees Cook <[email protected]>
---
security/yama/yama_lsm.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index afb04cb..7ba673b 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -264,11 +264,11 @@ static int yama_ptrace_access_check(struct task_struct *child,
case YAMA_SCOPE_RELATIONAL:
if (!task_is_descendant(current, child) &&
!ptracer_exception_found(current, child) &&
- !capable(CAP_SYS_PTRACE))
+ !ns_capable(task_user_ns(child), CAP_SYS_PTRACE))
rc = -EPERM;
break;
case YAMA_SCOPE_CAPABILITY:
- if (!capable(CAP_SYS_PTRACE))
+ if (!ns_capable(task_user_ns(child), CAP_SYS_PTRACE))
rc = -EPERM;
break;
case YAMA_SCOPE_NO_ATTACH:
--
1.7.0.4
--
Kees Cook
Chrome OS Security
On Mon, 14 May 2012, Kees Cook wrote:
> When checking capabilities, the question we want to be asking is "does
> current() have the capability in the child's namespace?"
>
> Signed-off-by: Kees Cook <[email protected]>
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next
--
James Morris
<[email protected]>