Diffstat (limited to 'kernel/capability.c')
| -rw-r--r-- | kernel/capability.c | 20 |
1 files changed, 20 insertions, 0 deletions
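diff --git a/kernel/capability.c b/kernel/capability.c
index c020c0047983..4984e1f552eb 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -485,3 +485,23 @@ bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
 	return ns_capable(ns, cap) && privileged_wrt_inode_uidgid(ns, inode);
 }
 EXPORT_SYMBOL(capable_wrt_inode_uidgid);
+
+/**
+ * ptracer_capable - Determine if the ptracer holds CAP_SYS_PTRACE in the namespace
+ * @tsk: The task that may be ptraced
+ * @ns: The user namespace to search for CAP_SYS_PTRACE in
+ *
+ * Return true if the task that is ptracing the current task had CAP_SYS_PTRACE
+ * in the specified user namespace.
+ */
+bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns)
+{
+	int ret = 0;  /* An absent tracer adds no restrictions */
+	const struct cred *cred;
+	rcu_read_lock();
+	cred = rcu_dereference(tsk->ptracer_cred);
+	if (cred)
+		ret = security_capable_noaudit(cred, ns, CAP_SYS_PTRACE);
+	rcu_read_unlock();
+	return (ret == 0);
+}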
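Review bot: The kerneldoc on the new ptracer_capable() describes the wrong task: it says the check is about "the task that is ptracing the current task", but the body reads `tsk->ptracer_cred`, so the tracer examined is whoever is tracing @tsk, which a caller need not pass as current. The comment should also state the security-relevant default that only the inline `ret = 0` hints at: with no tracer attached the function returns true, so it answers "does no unprivileged tracer restrict this task" rather than "is this task traced by a privileged tracer", and a caller reading it the second way would extend privilege to untraced tasks. I would reword the description to `Return true if @tsk is not being ptraced, or if the task ptracing @tsk had CAP_SYS_PTRACE in the specified user namespace according to the credentials recorded in @tsk->ptracer_cred.` Whether ptracer_cred is a snapshot taken at attach time rather than the tracer's live credentials is not visible in this hunk, so that wording should be checked against the ptrace code that sets the field. Only rcu_read_lock() is held here, so the answer can be stale by the time the caller acts on it; that is inherent to the design but worth saying in the comment for callers.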
