capabilities: allow nice if we are privileged

We allow task A to change B's nice level if it has a supserset of B's privileges, or of it has CAP_SYS_NICE. Also allow it if A has CAP_SYS_NICE with respect to B - meaning it is root in the same namespace, or it created B's namespace. Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com> Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
author: Serge Hallyn <serge.hallyn@ubuntu.com> 2013-07-23 13:18:53 -0500
committer: Eric W. Biederman <ebiederm@xmission.com> 2013-08-30 23:44:09 -0700
commit: f54fb863c6bbcbafdfc332b4a4260abb5a002137 (patch)
tree: ced72284affb914341940a5f854e4d2dd56622d1 /security/commoncap.c
parent: 6e556ce209b09528dbf1931cbfd5d323e1345926 (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 9fccf71b2b62..b9d613e0ef14 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -768,16 +768,16 @@ int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
  */
 static int cap_safe_nice(struct task_struct *p)
 {
-	int is_subset;
+	int is_subset, ret = 0;
 
 	rcu_read_lock();
 	is_subset = cap_issubset(__task_cred(p)->cap_permitted,
 				 current_cred()->cap_permitted);
+	if (!is_subset && !ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE))
+		ret = -EPERM;
 	rcu_read_unlock();
 
-	if (!is_subset && !capable(CAP_SYS_NICE))
-		return -EPERM;
-	return 0;
+	return ret;
 }
 
 /**
author	Serge Hallyn <serge.hallyn@ubuntu.com>	2013-07-23 13:18:53 -0500
committer	Eric W. Biederman <ebiederm@xmission.com>	2013-08-30 23:44:09 -0700
commit	f54fb863c6bbcbafdfc332b4a4260abb5a002137 (patch)
tree	ced72284affb914341940a5f854e4d2dd56622d1 /security/commoncap.c
parent	6e556ce209b09528dbf1931cbfd5d323e1345926 (diff)