diff options
Diffstat (limited to 'security/commoncap.c')
| -rw-r--r-- | security/commoncap.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 52e04136bfa8..188eaf59f82f 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
| @@ -68,7 +68,7 @@ static void warn_setuid_and_fcaps_mixed(const char *fname) | |||
| 68 | * kernel's capable() and has_capability() returns 1 for this case. | 68 | * kernel's capable() and has_capability() returns 1 for this case. |
| 69 | */ | 69 | */ |
| 70 | int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, | 70 | int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, |
| 71 | int cap, int audit) | 71 | int cap, unsigned int opts) |
| 72 | { | 72 | { |
| 73 | struct user_namespace *ns = targ_ns; | 73 | struct user_namespace *ns = targ_ns; |
| 74 | 74 | ||
| @@ -222,12 +222,11 @@ int cap_capget(struct task_struct *target, kernel_cap_t *effective, | |||
| 222 | */ | 222 | */ |
| 223 | static inline int cap_inh_is_capped(void) | 223 | static inline int cap_inh_is_capped(void) |
| 224 | { | 224 | { |
| 225 | |||
| 226 | /* they are so limited unless the current task has the CAP_SETPCAP | 225 | /* they are so limited unless the current task has the CAP_SETPCAP |
| 227 | * capability | 226 | * capability |
| 228 | */ | 227 | */ |
| 229 | if (cap_capable(current_cred(), current_cred()->user_ns, | 228 | if (cap_capable(current_cred(), current_cred()->user_ns, |
| 230 | CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0) | 229 | CAP_SETPCAP, CAP_OPT_NONE) == 0) |
| 231 | return 0; | 230 | return 0; |
| 232 | return 1; | 231 | return 1; |
| 233 | } | 232 | } |
| @@ -1208,8 +1207,9 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
| 1208 | || ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ | 1207 | || ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ |
| 1209 | || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ | 1208 | || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ |
| 1210 | || (cap_capable(current_cred(), | 1209 | || (cap_capable(current_cred(), |
| 1211 | current_cred()->user_ns, CAP_SETPCAP, | 1210 | current_cred()->user_ns, |
| 1212 | SECURITY_CAP_AUDIT) != 0) /*[4]*/ | 1211 | CAP_SETPCAP, |
| 1212 | CAP_OPT_NONE) != 0) /*[4]*/ | ||
| 1213 | /* | 1213 | /* |
| 1214 | * [1] no changing of bits that are locked | 1214 | * [1] no changing of bits that are locked |
| 1215 | * [2] no unlocking of locks | 1215 | * [2] no unlocking of locks |
| @@ -1304,9 +1304,10 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages) | |||
| 1304 | { | 1304 | { |
| 1305 | int cap_sys_admin = 0; | 1305 | int cap_sys_admin = 0; |
| 1306 | 1306 | ||
| 1307 | if (cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN, | 1307 | if (cap_capable(current_cred(), &init_user_ns, |
| 1308 | SECURITY_CAP_NOAUDIT) == 0) | 1308 | CAP_SYS_ADMIN, CAP_OPT_NOAUDIT) == 0) |
| 1309 | cap_sys_admin = 1; | 1309 | cap_sys_admin = 1; |
| 1310 | |||
| 1310 | return cap_sys_admin; | 1311 | return cap_sys_admin; |
| 1311 | } | 1312 | } |
| 1312 | 1313 | ||
| @@ -1325,7 +1326,7 @@ int cap_mmap_addr(unsigned long addr) | |||
| 1325 | 1326 | ||
| 1326 | if (addr < dac_mmap_min_addr) { | 1327 | if (addr < dac_mmap_min_addr) { |
| 1327 | ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO, | 1328 | ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO, |
| 1328 | SECURITY_CAP_AUDIT); | 1329 | CAP_OPT_NONE); |
| 1329 | /* set PF_SUPERPRIV if it turns out we allow the low mmap */ | 1330 | /* set PF_SUPERPRIV if it turns out we allow the low mmap */ |
| 1330 | if (ret == 0) | 1331 | if (ret == 0) |
| 1331 | current->flags |= PF_SUPERPRIV; | 1332 | current->flags |= PF_SUPERPRIV; |