diff options
Diffstat (limited to 'security/commoncap.c')
| -rw-r--r-- | security/commoncap.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index a93b3b73307..e508e2b170a 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
| @@ -29,6 +29,10 @@ | |||
| 29 | #include <linux/securebits.h> | 29 | #include <linux/securebits.h> |
| 30 | #include <linux/user_namespace.h> | 30 | #include <linux/user_namespace.h> |
| 31 | 31 | ||
| 32 | #ifdef CONFIG_ANDROID_PARANOID_NETWORK | ||
| 33 | #include <linux/android_aid.h> | ||
| 34 | #endif | ||
| 35 | |||
| 32 | /* | 36 | /* |
| 33 | * If a non-root user executes a setuid-root binary in | 37 | * If a non-root user executes a setuid-root binary in |
| 34 | * !secure(SECURE_NOROOT) mode, then we raise capabilities. | 38 | * !secure(SECURE_NOROOT) mode, then we raise capabilities. |
| @@ -83,6 +87,12 @@ EXPORT_SYMBOL(cap_netlink_recv); | |||
| 83 | int cap_capable(struct task_struct *tsk, const struct cred *cred, | 87 | int cap_capable(struct task_struct *tsk, const struct cred *cred, |
| 84 | struct user_namespace *targ_ns, int cap, int audit) | 88 | struct user_namespace *targ_ns, int cap, int audit) |
| 85 | { | 89 | { |
| 90 | #ifdef CONFIG_ANDROID_PARANOID_NETWORK | ||
| 91 | if (cap == CAP_NET_RAW && in_egroup_p(AID_NET_RAW)) | ||
| 92 | return 0; | ||
| 93 | if (cap == CAP_NET_ADMIN && in_egroup_p(AID_NET_ADMIN)) | ||
| 94 | return 0; | ||
| 95 | #endif | ||
| 86 | for (;;) { | 96 | for (;;) { |
| 87 | /* The creator of the user namespace has all caps. */ | 97 | /* The creator of the user namespace has all caps. */ |
| 88 | if (targ_ns != &init_user_ns && targ_ns->creator == cred->user) | 98 | if (targ_ns != &init_user_ns && targ_ns->creator == cred->user) |