1 files changed, 13 insertions, 9 deletions

diff --git a/kernel/capability.c b/kernel/capability.c
index 1e1c0236f55b..7718d7dcadc7 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -299,7 +299,7 @@ bool has_ns_capability(struct task_struct *t,
         int ret;
 
         rcu_read_lock();
-        ret = security_capable(__task_cred(t), ns, cap);
+        ret = security_capable(__task_cred(t), ns, cap, CAP_OPT_NONE);
         rcu_read_unlock();
 
         return (ret == 0);
@@ -340,7 +340,7 @@ bool has_ns_capability_noaudit(struct task_struct *t,
         int ret;
 
         rcu_read_lock();
-        ret = security_capable_noaudit(__task_cred(t), ns, cap);
+        ret = security_capable(__task_cred(t), ns, cap, CAP_OPT_NOAUDIT);
         rcu_read_unlock();
 
         return (ret == 0);
@@ -363,7 +363,9 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
         return has_ns_capability_noaudit(t, &init_user_ns, cap);
 }
 
-static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit)
+static bool ns_capable_common(struct user_namespace *ns,
+                              int cap,
+                              unsigned int opts)
 {
         int capable;
 
@@ -372,8 +374,7 @@ static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit)
                 BUG();
         }
 
-        capable = audit ? security_capable(current_cred(), ns, cap) :
-                          security_capable_noaudit(current_cred(), ns, cap);
+        capable = security_capable(current_cred(), ns, cap, opts);
         if (capable == 0) {
                 current->flags |= PF_SUPERPRIV;
                 return true;
@@ -394,7 +395,7 @@ static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit)
  */
 bool ns_capable(struct user_namespace *ns, int cap)
 {
-        return ns_capable_common(ns, cap, true);
+        return ns_capable_common(ns, cap, CAP_OPT_NONE);
 }
 EXPORT_SYMBOL(ns_capable);
 
@@ -412,7 +413,7 @@ EXPORT_SYMBOL(ns_capable);
  */
 bool ns_capable_noaudit(struct user_namespace *ns, int cap)
 {
-        return ns_capable_common(ns, cap, false);
+        return ns_capable_common(ns, cap, CAP_OPT_NOAUDIT);
 }
 EXPORT_SYMBOL(ns_capable_noaudit);
 
@@ -448,10 +449,11 @@ EXPORT_SYMBOL(capable);
 bool file_ns_capable(const struct file *file, struct user_namespace *ns,
                      int cap)
 {
+
         if (WARN_ON_ONCE(!cap_valid(cap)))
                 return false;
 
-        if (security_capable(file->f_cred, ns, cap) == 0)
+        if (security_capable(file->f_cred, ns, cap, CAP_OPT_NONE) == 0)
                 return true;
 
         return false;
@@ -500,10 +502,12 @@ bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns)
 {
         int ret = 0;  /* An absent tracer adds no restrictions */
         const struct cred *cred;
+
         rcu_read_lock();
         cred = rcu_dereference(tsk->ptracer_cred);
         if (cred)
-                ret = security_capable_noaudit(cred, ns, CAP_SYS_PTRACE);
+                ret = security_capable(cred, ns, CAP_SYS_PTRACE,
+                                       CAP_OPT_NOAUDIT);
         rcu_read_unlock();
         return (ret == 0);
 }