author | Linus Torvalds <torvalds@linux-foundation.org> | 2012-12-18 13:55:28 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-12-18 13:55:28 -0500 |
commit | a2faf2fc534f57ba26bc4d613795236ed4f5fb1c (patch) | |
tree | d75c4daadb469c8f08c498532fbf1fff68879e69 /ipc | |
parent | 4351654e3ddf86a04966163dce4def586303e5cc (diff) | |
parent | 5155040ed349950e16c093ba8e65ad534994df2a (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
Pull (again) user namespace infrastructure changes from Eric Biederman:
"Those bugs, those darn embarrassing bugs just don't want to get
fixed.
Linus I just updated my mirror of your kernel.org tree and it appears
you successfully pulled everything except the last 4 commits that fix
those embarrassing bugs.
When you get a chance can you please repull my branch"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
userns: Fix typo in description of the limitation of userns_install
userns: Add a more complete capability subset test to commit_creds
userns: Require CAP_SYS_ADMIN for most uses of setns.
Fix cap_capable to only allow owners in the parent user namespace to have caps.
Diffstat (limited to 'ipc')
-rw-r--r-- | ipc/namespace.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ipc/namespace.c b/ipc/namespace.c index cf3386a51de2..7c1fa451b0b0 100644 --- a/ipc/namespace.c +++ b/ipc/namespace.c | |||
@@ -170,7 +170,8 @@ static void ipcns_put(void *ns) | |||
170 | static int ipcns_install(struct nsproxy *nsproxy, void *new) | 170 | static int ipcns_install(struct nsproxy *nsproxy, void *new) |
171 | { | 171 | { |
172 | struct ipc_namespace *ns = new; | 172 | struct ipc_namespace *ns = new; |
173 | if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN)) | 173 | if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN) || |
174 | !nsown_capable(CAP_SYS_ADMIN)) | ||
174 | return -EPERM; | 175 | return -EPERM; |
175 | 176 | ||
176 | /* Ditch state from the old ipc namespace */ | 177 | /* Ditch state from the old ipc namespace */ |
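Review bot: the two-part condition at the top of ipcns_install() (`!ns_capable(ns->user_ns, CAP_SYS_ADMIN) || !nsown_capable(CAP_SYS_ADMIN)`) carries no comment explaining why both checks are required, and the name nsown_capable() does not say which namespace it tests. A one-line comment above the `if` would help, stating that the caller must hold CAP_SYS_ADMIN both in the user namespace that owns the target ipc namespace and in its own current user namespace, so that a later cleanup does not collapse the two tests as redundant. The shortlog entry for this change reads "Require CAP_SYS_ADMIN for most uses of setns", so it is also worth confirming that the other namespace install handlers received the same pair of checks; the diffstat shown here is limited to ipc, so that cannot be verified from this view.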