From 73650b4f3af1f7c8b2448569209fcdff427c08db Mon Sep 17 00:00:00 2001
From: pjd <pjd@FreeBSD.org>
Date: Sat, 2 Mar 2013 09:58:47 +0000
Subject: [PATCH] If the target file already exists, check for the CAP_UNLINKAT
 capabiity right on the target directory descriptor, but only if this is
 renameat(2) and real target directory descriptor is given (not AT_FDCWD).
 Without this fix regular rename(2) fails if the target file already exists.

Reported by:	Michael Butler <imb@protected-networks.net>
Reported by:	Larry Rosenman <ler@lerctr.org>
Sponsored by:	The FreeBSD Foundation
---
 sys/kern/vfs_syscalls.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 787399abcb4..4c1d97c7d6e 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -3556,13 +3556,16 @@ kern_renameat(struct thread *td, int oldfd, char *old, int newfd, char *new,
 			goto out;
 		}
 #ifdef CAPABILITIES
-		/*
-		 * If the target already exists we require CAP_UNLINKAT
-		 * from 'newfd'.
-		 */
-		error = cap_check(tond.ni_filecaps.fc_rights, CAP_UNLINKAT);
-		if (error != 0)
-			goto out;
+		if (newfd != AT_FDCWD) {
+			/*
+			 * If the target already exists we require CAP_UNLINKAT
+			 * from 'newfd'.
+			 */
+			error = cap_check(tond.ni_filecaps.fc_rights,
+			    CAP_UNLINKAT);
+			if (error != 0)
+				goto out;
+		}
 #endif
 	}
 	if (fvp == tdvp) {
-- 
2.45.2