Diffstat (limited to 'security/commoncap.c')
-rw-r--r--security/commoncap.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index e7fadde737f4..14540bd78561 100644
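--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -453,7 +453,15 @@ static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_c
 	if (!file_caps_enabled)
 		return 0;
 
-	if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
+	if (!mnt_may_suid(bprm->file->f_path.mnt))
+		return 0;
+
+	/*
+	 * This check is redundant with mnt_may_suid() but is kept to make
+	 * explicit that capability bits are limited to s_user_ns and its
+	 * descendants.
+	 */
+	if (!current_in_userns(bprm->file->f_path.mnt->mnt_sb->s_user_ns))
 		return 0;
 
 	rc = get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps);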
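Review bot: The new comment above the `current_in_userns()` check explains why the test is kept, but not what `return 0` means on this path. Both new exits return before `get_vfs_caps_from_disk()` is called, so the file's capability data is never read. That presumably lets the exec continue without file capabilities rather than failing it, but the rest of get_file_caps() lies outside the hunk, so confirm this. I would add a sentence to the comment such as `Returning 0 here ignores the file capabilities; it does not fail the exec.` The claimed redundancy also depends on the body of mnt_may_suid(), which the hunk does not show. It would help to state that dependency, e.g. `mnt_may_suid() already rejects mounts whose s_user_ns the caller is not in`, so a later change to that helper does not silently make this check the only one.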