Yama: replace capable() with ns_capable()

When checking capabilities, the question we want to be asking is "does current() have the capability in the child's namespace?" Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.l.morris@oracle.com>
gavanfantom · May 15, 2012 · 2cc8a71 · 2cc8a71
1 parent 77b513d
commit 2cc8a71
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
@@ -264,11 +264,11 @@ static int yama_ptrace_access_check(struct task_struct *child,
 		case YAMA_SCOPE_RELATIONAL:
 			if (!task_is_descendant(current, child) &&
 			    !ptracer_exception_found(current, child) &&
-			    !capable(CAP_SYS_PTRACE))
+			    !ns_capable(task_user_ns(child), CAP_SYS_PTRACE))
 				rc = -EPERM;
 			break;
 		case YAMA_SCOPE_CAPABILITY:
-			if (!capable(CAP_SYS_PTRACE))
+			if (!ns_capable(task_user_ns(child), CAP_SYS_PTRACE))
 				rc = -EPERM;
 			break;
 		case YAMA_SCOPE_NO_ATTACH: