Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/capability.c | 16 |
1 files changed, 14 insertions, 2 deletions
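--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -457,6 +457,19 @@ bool file_ns_capable(const struct file *file, struct user_namespace *ns,
 EXPORT_SYMBOL(file_ns_capable);
 
 /**
+* privileged_wrt_inode_uidgid - Do capabilities in the namespace work over the inode?
+* @ns: The user namespace in question
+* @inode: The inode in question
+*
+* Return true if the inode uid and gid are within the namespace.
+*/
+bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode)
+{
+return kuid_has_mapping(ns, inode->i_uid) &&
+kgid_has_mapping(ns, inode->i_gid);
+}
+
+/**
 * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped
 * @inode: The inode in question
 * @cap: The capability in question
@@ -469,8 +482,7 @@ bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
 {
 struct user_namespace *ns = current_user_ns();
 
-return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) &&
-kgid_has_mapping(ns, inode->i_gid);
+return ns_capable(ns, cap) && privileged_wrt_inode_uidgid(ns, inode);
 }
 EXPORT_SYMBOL(capable_wrt_inode_uidgid);
 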
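Review bot: The kernel-doc added for `privileged_wrt_inode_uidgid()` does not say that the helper performs no capability check of its own: it returns true whenever `inode->i_uid` and `inode->i_gid` both have a mapping in `ns`, whatever the calling task holds. Because the name reads like a complete privilege test, I would add a line to the comment such as `* This does not check any capability; callers must pair it with ns_capable() or an equivalent check.`, which is what `capable_wrt_inode_uidgid()` does in the second hunk. The new function also has no `EXPORT_SYMBOL`, unlike `capable_wrt_inode_uidgid()` below it. That is fine if every caller is built in, but the callers lie outside this diffstat (limited to 'kernel'), so it is worth confirming.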
