author: Adrian Reber <areber@redhat.com> 2020-07-19 12:04:14 +0200
committer: Christian Brauner <christian.brauner@ubuntu.com> 2020-07-19 20:14:42 +0200
commit: 12886f8ab10ce6a09af1d92535d49c81aaa215a8
parent: b9a3db92e1a1f281724e2f34b849d18d1a53bece
Commit Summary:
Diffstat:
1 file changed, 4 insertions, 4 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c
index d86c0afc8a85..a333caeca291 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2189,16 +2189,16 @@ struct map_files_info {
};
/*
- * Only allow CAP_SYS_ADMIN to follow the links, due to concerns about how the
- * symlinks may be used to bypass permissions on ancestor directories in the
- * path to the file in question.
+ * Only allow CAP_SYS_ADMIN and CAP_CHECKPOINT_RESTORE to follow the links, due
+ * to concerns about how the symlinks may be used to bypass permissions on
+ * ancestor directories in the path to the file in question.
*/
static const char *
proc_map_files_get_link(struct dentry *dentry,
struct inode *inode,
struct delayed_call *done)
{
- if (!capable(CAP_SYS_ADMIN))
+ if (!checkpoint_restore_ns_capable(&init_user_ns))
return ERR_PTR(-EPERM);
return proc_pid_get_link(dentry, inode, done);