Merge tag 'for-linus-20170510' of git://git.infradead.org/linux-mtd
[karo-tx-linux.git] / security / commoncap.c
index 6d4d586b9356240660e75506d3daacb7ebb8a853..7abebd782d5e02d0c024ca0b2b1b189b1f4f83d1 100644 (file)
@@ -548,9 +548,10 @@ skip:
 
        if ((is_setid ||
             !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
-           bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
+           ((bprm->unsafe & ~LSM_UNSAFE_PTRACE) ||
+            !ptracer_capable(current, new->user_ns))) {
                /* downgrade; they get no more than they had, and maybe less */
-               if (!capable(CAP_SETUID) ||
+               if (!ns_capable(new->user_ns, CAP_SETUID) ||
                    (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
                        new->euid = new->uid;
                        new->egid = new->gid;
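Review bot: The rewritten downgrade condition has no comment explaining why the tracer is checked against `new->user_ns` rather than the caller's current namespace, and it is the security-critical part of this hunk. The branch now depends on `ptracer_capable()` returning true when no tracer is attached. That is presumably the case, but it is not visible here and should be stated next to the call. I would add above the `if` something like `/* Downgrade unless the only unsafe condition is a tracer that is itself privileged in new->user_ns; an absent tracer adds no restriction. */`. The `capable()` to `ns_capable(new->user_ns, CAP_SETUID)` switch deserves a one-line why-comment as well, since it changes which namespace's CAP_SETUID lets a process keep its setid transition. The enclosing function begins and ends outside the hunk, so the note covers only the visible lines.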
@@ -1070,7 +1071,7 @@ int cap_mmap_file(struct file *file, unsigned long reqprot,
 
 #ifdef CONFIG_SECURITY
 
-struct security_hook_list capability_hooks[] = {
+struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(capable, cap_capable),
        LSM_HOOK_INIT(settime, cap_settime),
        LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check),
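Review bot: `capability_hooks[]` has external linkage, and nothing next to the definition says what `__lsm_ro_after_init` guarantees. As far as I know, the annotation expands to nothing when writable hooks are configured (for example to support runtime SELinux disable), so the table is read-only after init only in some configurations. A short comment would record that, e.g. `/* Registered once during init; read-only afterwards unless the kernel is built with writable LSM hooks. */`. If no other translation unit references the array, which cannot be confirmed from this hunk, declaring it `static` would narrow its exposure further. The initializer continues past the end of the hunk.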