From: Eric W. Biederman
Date: Tue, 31 Jul 2012 08:14:12 +0000 (-0700)
Subject: vfs: Allow chroot if you have CAP_SYS_CHROOT in your user namespace
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=a85fb273c94648cbf20a5f9bcf8bbbb075f271ad;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git

vfs: Allow chroot if you have CAP_SYS_CHROOT in your user namespace

Once you are confined to a user namespace, applications cannot gain privilege and escape the user namespace, so there is no longer a reason to restrict chroot.

Acked-by: Serge Hallyn
Signed-off-by: "Eric W. Biederman"
---
diff --git a/fs/open.c b/fs/open.c index 59071f55bf7f..182d8667b7bd 100644 --- a/fs/open.c +++ b/fs/open.c @@ -435,7 +435,7 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename) goto dput_and_out; error = -EPERM; - if (!capable(CAP_SYS_CHROOT)) + if (!nsown_capable(CAP_SYS_CHROOT)) goto dput_and_out; error = security_path_chroot(&path); if (error)
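
Review bot: The namespace-relative test `if (!nsown_capable(CAP_SYS_CHROOT))` relies on the commit message's claim that a task confined to a user namespace cannot gain privilege, but nothing in this hunk establishes that the filesystem root being changed is used only by tasks inside that namespace. chroot() changes the caller's filesystem root state, and if that state can be shared with a task outside the caller's user namespace, a capability held only inside the namespace would be enough to change the root seen by that task. Please either explain in the commit message why such sharing cannot happen, or add a check for it beside the capability test, and put a short comment above the `nsown_capable()` line recording the assumption. It would also help to say in the message that `security_path_chroot(&path)` still runs after the capability test, so LSM policy on chroot is unchanged by this patch.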