1 files changed, 9 insertions, 9 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d98e1d8d18f6..b2ee49f938f1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1578,7 +1578,7 @@ static inline u32 signal_to_av(int sig)
 /* Check whether a task is allowed to use a capability. */
 static int cred_has_capability(const struct cred *cred,
-                               int cap, int audit, bool initns)
+                               int cap, unsigned int opts, bool initns)
 {
        struct common_audit_data ad;
        struct av_decision avd;
@@ -1605,7 +1605,7 @@ static int cred_has_capability(const struct cred *cred,
        rc = avc_has_perm_noaudit(&selinux_state,
                                  sid, sid, sclass, av, 0, &avd);
-        if (audit == SECURITY_CAP_AUDIT) {
+        if (!(opts & CAP_OPT_NOAUDIT)) {
                int rc2 = avc_audit(&selinux_state,
                                    sid, sid, sclass, av, &avd, rc, &ad, 0);
                if (rc2)
@@ -2125,9 +2125,9 @@ static int selinux_capset(struct cred *new, const struct cred *old,
 */
 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
-                           int cap, int audit)
+                           int cap, unsigned int opts)
 {
-        return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
+        return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
 }
 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
@@ -2201,7 +2201,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
        int rc, cap_sys_admin = 0;
        rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
-                                 SECURITY_CAP_NOAUDIT, true);
+                                 CAP_OPT_NOAUDIT, true);
        if (rc == 0)
                cap_sys_admin = 1;
@@ -2988,11 +2988,11 @@ static int selinux_inode_getattr(const struct path *path)
 static bool has_cap_mac_admin(bool audit)
 {
        const struct cred *cred = current_cred();
-        int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
+        unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
-        if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
+        if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
                return false;
-        if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
+        if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
                return false;
        return true;
 }
@@ -3387,7 +3387,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
        case KDSKBENT:
        case KDSKBSENT:
                error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
-                                            SECURITY_CAP_AUDIT, true);
+                                            CAP_OPT_NONE, true);
                break;
        /* default case assumes that the command will go

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d98e1d8d18f6..b2ee49f938f1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -1578,7 +1578,7 @@ static inline u32 signal_to_av(int sig)
1578		1578
1579	/* Check whether a task is allowed to use a capability. */	1579	/* Check whether a task is allowed to use a capability. */
1580	static int cred_has_capability(const struct cred *cred,	1580	static int cred_has_capability(const struct cred *cred,
1581	int cap, int audit, bool initns)	1581	int cap, unsigned int opts, bool initns)
1582	{	1582	{
1583	struct common_audit_data ad;	1583	struct common_audit_data ad;
1584	struct av_decision avd;	1584	struct av_decision avd;
@@ -1605,7 +1605,7 @@ static int cred_has_capability(const struct cred *cred,
1605		1605
1606	rc = avc_has_perm_noaudit(&selinux_state,	1606	rc = avc_has_perm_noaudit(&selinux_state,
1607	sid, sid, sclass, av, 0, &avd);	1607	sid, sid, sclass, av, 0, &avd);
1608	if (audit == SECURITY_CAP_AUDIT) {	1608	if (!(opts & CAP_OPT_NOAUDIT)) {
1609	int rc2 = avc_audit(&selinux_state,	1609	int rc2 = avc_audit(&selinux_state,
1610	sid, sid, sclass, av, &avd, rc, &ad, 0);	1610	sid, sid, sclass, av, &avd, rc, &ad, 0);
1611	if (rc2)	1611	if (rc2)
@@ -2125,9 +2125,9 @@ static int selinux_capset(struct cred new, const struct cred old,
2125	*/	2125	*/
2126		2126
2127	static int selinux_capable(const struct cred cred, struct user_namespace ns,	2127	static int selinux_capable(const struct cred cred, struct user_namespace ns,
2128	int cap, int audit)	2128	int cap, unsigned int opts)
2129	{	2129	{
2130	return cred_has_capability(cred, cap, audit, ns == &init_user_ns);	2130	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2131	}	2131	}
2132		2132
2133	static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)	2133	static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
@@ -2201,7 +2201,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2201	int rc, cap_sys_admin = 0;	2201	int rc, cap_sys_admin = 0;
2202		2202
2203	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,	2203	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2204	SECURITY_CAP_NOAUDIT, true);	2204	CAP_OPT_NOAUDIT, true);
2205	if (rc == 0)	2205	if (rc == 0)
2206	cap_sys_admin = 1;	2206	cap_sys_admin = 1;
2207		2207
@@ -2988,11 +2988,11 @@ static int selinux_inode_getattr(const struct path *path)
2988	static bool has_cap_mac_admin(bool audit)	2988	static bool has_cap_mac_admin(bool audit)
2989	{	2989	{
2990	const struct cred *cred = current_cred();	2990	const struct cred *cred = current_cred();
2991	int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;	2991	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
2992		2992
2993	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))	2993	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
2994	return false;	2994	return false;
2995	if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))	2995	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
2996	return false;	2996	return false;
2997	return true;	2997	return true;
2998	}	2998	}
@@ -3387,7 +3387,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3387	case KDSKBENT:	3387	case KDSKBENT:
3388	case KDSKBSENT:	3388	case KDSKBSENT:
3389	error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,	3389	error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3390	SECURITY_CAP_AUDIT, true);	3390	CAP_OPT_NONE, true);
3391	break;	3391	break;
3392		3392
3393	/* default case assumes that the command will go	3393	/* default case assumes that the command will go