Re: [RFC PATCH 1/6] set_user: Perform RLIMIT_NPROC capability check against new user credentials

On Thu, Feb 10, 2022 at 02:14:05AM +0100, Solar Designer solar@openwall.com wrote:

However, I think you need to drop the negations of the return value from security_capable(). security_capable() returns 0 or -EPERM, while capable() returns a bool, in kernel/capability.c: ns_capable_common():

Oops. Yeah, I only blindly applied replacement with a predicate for (new) cred and overlooked this inverse semantics. Thanks for pointing that out to me!

Nevertheless, this will likely be incorporated via Eric's series anyway.

Michal