different capability from different namespace required for prctl_set_mm_exe_file
From: Tong Zhang
Date: Tue Sep 25 2018 - 13:27:06 EST
Kernel Version: 4.18.5
Problem Description:
We discovered an inconsistent check when using prctl_set_mm_exe_file(), which is used to set up the exe file link.
It is required to have capable(CAP_SYS_RESOURCE) in prctl_set_mm(),
while ns_capable(CAP_SYS_ADMIN) is required in prctl_set_mm_map().
There are two differences:
1) requiring capability from: user namespace, init namespace.
2) capability bit required is different
- Tong
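
A user-space C model of the two checks named in the report, added here as an illustration; it is not kernel source and not part of the original message. The struct layouts, the `*_model` and `passes_*` functions and the three sample callers are constructed, and the model assumes the namespace passed to ns_capable() is the caller's own user namespace.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Capability numbers from <linux/capability.h>. */
#define CAP_SYS_ADMIN    21
#define CAP_SYS_RESOURCE 24

/* Simplified stand-ins for the kernel's user namespace and credential structs. */
struct user_ns { struct user_ns *parent; int level; unsigned owner; };
struct cred { struct user_ns *ns; unsigned euid; unsigned long long eff; };

static struct user_ns init_ns  = { NULL, 0, 0 };
static struct user_ns child_ns = { &init_ns, 1, 1000 }; /* constructed: created by uid 1000 */

/* Model of the namespace walk: does cred c hold cap relative to target? */
static bool ns_capable_model(const struct cred *c, const struct user_ns *target, int cap)
{
    for (const struct user_ns *ns = target; ns; ns = ns->parent) {
        if (ns == c->ns)                  /* same namespace: consult the effective set */
            return (c->eff >> cap) & 1;
        if (ns->level <= c->ns->level)    /* target is not a descendant of c's namespace */
            return false;
        if (ns->parent == c->ns && ns->owner == c->euid)
            return true;                  /* creator of a child namespace holds all caps in it */
    }
    return false;
}

/* capable(cap) is the same check made against the init user namespace. */
static bool capable_model(const struct cred *c, int cap) { return ns_capable_model(c, &init_ns, cap); }
static bool passes_set_mm(const struct cred *c)     { return capable_model(c, CAP_SYS_RESOURCE); }
static bool passes_set_mm_map(const struct cred *c) { return ns_capable_model(c, c->ns, CAP_SYS_ADMIN); }

/* Constructed callers. */
static const struct cred host_resource = { &init_ns, 0, 1ULL << CAP_SYS_RESOURCE };
static const struct cred host_admin    = { &init_ns, 0, 1ULL << CAP_SYS_ADMIN };
static const struct cred userns_root   = { &child_ns, 0, ~0ULL }; /* full caps, child ns only */

int main(void)
{
    const struct cred *c[] = { &host_resource, &host_admin, &userns_root };
    const char *name[] = { "host_resource", "host_admin", "userns_root" };
    for (int i = 0; i < 3; i++)
        printf("%-14s set_mm=%d set_mm_map=%d\n", name[i], passes_set_mm(c[i]), passes_set_mm_map(c[i]));
    return 0;
}
```

The printed table shows each caller passing exactly one of the two checks, which is the inconsistency the report describes.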