This is a one line change that makes `linkat` aware of namespaces when
checking for capabilities.
As far as I can tell, the call to `capable` in this code dates back to
before the `ns_capable` function existed, so I don't think the author
specifically intended to prefer regular `capable` over `ns_capable`,
and no one has noticed or cared to change it yet... until now!
It is already hard enough to use `linkat` to link temporarily files
into the filesystem without the `/proc` workaround, and when moving
a program that was working fine on bare metal into a container,
I got hung up on this additional snag due to the lack of namespace
awareness in `linkat`.
Charles Mirabile (1):
fs: Consider capabilities relative to namespace for linkat permission
check
fs/namei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
base-commit: 89cdf9d556016a54ff6ddd62324aa5ec790c05cc
--
2.38.1
