FROMLIST: proc: use ns_capable instead of capable for timerslack_ns

Access to timerslack_ns is controlled by a process having CAP_SYS_NICE
in its effective capability set, but the current check looks in the root
namespace instead of the process' user namespace.  Since a process is
allowed to do other activities controlled by CAP_SYS_NICE inside a
namespace, it should also be able to adjust timerslack_ns.

Signed-off-by: Benjamin Gordon <>
Acked-by: "Eric W. Biederman" <>
Cc: John Stultz <>
Cc: "Eric W. Biederman" <>
Cc: Kees Cook <>
Cc: "Serge E. Hallyn" <>
Cc: Thomas Gleixner <>
Cc: Arjan van de Ven <>
Cc: Oren Laadan <>
Cc: Ruchi Kandoi <>
Cc: Rom Lemarchand <>
Cc: Todd Kjos <>
Cc: Colin Cross <>
Cc: Nick Kralevich <>
Cc: Dmitry Shmidt <>
Cc: Elliott Hughes <>
Cc: Alexey Dobriyan <>
Signed-off-by: Andrew Morton <>

TEST=check logcat on grunt; check /proc/*/timerslack_ns inside container

Change-Id: I0ac3a1c96eb10d149da237c9b39b9307ea61da9d
Commit-Ready: Benjamin Gordon <>
Tested-by: Benjamin Gordon <>
Reviewed-by: Justin TerAvest <>
1 file changed