vfs: Allow chroot if you have CAP_SYS_CHROOT in your user namespace

Once you are confined to a user namespace applications can not gain privilege and escape the user namespace so there is no longer a reason to restrict chroot. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
author: Eric W. Biederman <ebiederm@xmission.com> 2012-07-31 04:14:12 -0400
committer: Eric W. Biederman <ebiederm@xmission.com> 2012-11-19 08:59:17 -0500
commit: a85fb273c94648cbf20a5f9bcf8bbbb075f271ad (patch)
tree: bdfe3d662dd4a42673620067f21c7b6fedd04d27 /fs/open.c
parent: 50804fe3737ca6a5942fdc2057a18a8141d00141 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/open.c b/fs/open.c
index 59071f55bf7f..182d8667b7bd 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -435,7 +435,7 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename)
                goto dput_and_out;
        error = -EPERM;
-        if (!capable(CAP_SYS_CHROOT))
+        if (!nsown_capable(CAP_SYS_CHROOT))
                goto dput_and_out;
        error = security_path_chroot(&path);
        if (error)
author	Eric W. Biederman <ebiederm@xmission.com>	2012-07-31 04:14:12 -0400
committer	Eric W. Biederman <ebiederm@xmission.com>	2012-11-19 08:59:17 -0500
commit	a85fb273c94648cbf20a5f9bcf8bbbb075f271ad (patch)
tree	bdfe3d662dd4a42673620067f21c7b6fedd04d27 /fs/open.c
parent	50804fe3737ca6a5942fdc2057a18a8141d00141 (diff)

diff --git a/fs/open.c b/fs/open.c index 59071f55bf7f..182d8667b7bd 100644 --- a/fs/open.c +++ b/fs/open.c
@@ -435,7 +435,7 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename)
435	goto dput_and_out;	435	goto dput_and_out;
436		436
437	error = -EPERM;	437	error = -EPERM;
438	if (!capable(CAP_SYS_CHROOT))	438	if (!nsown_capable(CAP_SYS_CHROOT))
439	goto dput_and_out;	439	goto dput_and_out;
440	error = security_path_chroot(&path);	440	error = security_path_chroot(&path);
441	if (error)	441	if (error)