Diffstat (limited to 'security/commoncap.c')
| -rw-r--r-- | security/commoncap.c | 10 | 
1 files changed, 9 insertions, 1 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index e7fadde737f4..14540bd78561 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -453,7 +453,15 @@ static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_c
 	if (!file_caps_enabled)
 		return 0;
-	if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
+	if (!mnt_may_suid(bprm->file->f_path.mnt))
+		return 0;
+
+	/*
+	 * This check is redundant with mnt_may_suid() but is kept to make
+	 * explicit that capability bits are limited to s_user_ns and its
+	 * descendants.
+	 */
+	if (!current_in_userns(bprm->file->f_path.mnt->mnt_sb->s_user_ns))
 		return 0;
 	rc = get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps);  |
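Review bot: The comment above the new `current_in_userns()` test calls it redundant with `mnt_may_suid()`, but that helper's body is not in this hunk, so the claim cannot be confirmed from here and would go stale silently if the helper changes. I would state the invariant instead of the redundancy, e.g. `/* File capabilities are honoured only for tasks in s_user_ns or a descendant; keep this even if mnt_may_suid() stops implying it. */`. Both early returns yield 0, so the exec proceeds without file capabilities rather than failing. That is only safe if the bprm capability sets were already cleared earlier in get_file_caps(), which starts outside the hunk, so it is worth confirming and saying so in the comment.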