Commit a85fb273 authored by Eric W. Biederman's avatar Eric W. Biederman

vfs: Allow chroot if you have CAP_SYS_CHROOT in your user namespace

Once you are confined to a user namespace applications can not gain
privilege and escape the user namespace so there is no longer a reason
to restrict chroot.
Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
parent 50804fe3
...@@ -435,7 +435,7 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename) ...@@ -435,7 +435,7 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename)
goto dput_and_out; goto dput_and_out;
error = -EPERM; error = -EPERM;
if (!capable(CAP_SYS_CHROOT)) if (!nsown_capable(CAP_SYS_CHROOT))
goto dput_and_out; goto dput_and_out;
error = security_path_chroot(&path); error = security_path_chroot(&path);
if (error) if (error)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment