diff options
| author | James Morris <jmorris@namei.org> | 2009-01-06 17:21:54 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2009-01-06 17:21:54 -0500 |
| commit | 29881c4502ba05f46bc12ae8053d4e08d7e2615c (patch) | |
| tree | 536ea4ac63554e836438bd5f370ddecaa343f1f4 /include/linux/security.h | |
| parent | 76f7ba35d4b5219fcc4cb072134c020ec77d030d (diff) | |
Revert "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]"
This reverts commit 14eaddc967b16017d4a1a24d2be6c28ecbe06ed8.
David has a better version to come.
Diffstat (limited to 'include/linux/security.h')
| -rw-r--r-- | include/linux/security.h | 49 |
1 files changed, 9 insertions, 40 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index 76989b8bc34f..3416cb85e77b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
| @@ -48,9 +48,7 @@ struct audit_krule; | |||
| 48 | * These functions are in security/capability.c and are used | 48 | * These functions are in security/capability.c and are used |
| 49 | * as the default capabilities functions | 49 | * as the default capabilities functions |
| 50 | */ | 50 | */ |
| 51 | extern int cap_capable(int cap, int audit); | 51 | extern int cap_capable(struct task_struct *tsk, int cap, int audit); |
| 52 | extern int cap_task_capable(struct task_struct *tsk, const struct cred *cred, | ||
| 53 | int cap, int audit); | ||
| 54 | extern int cap_settime(struct timespec *ts, struct timezone *tz); | 52 | extern int cap_settime(struct timespec *ts, struct timezone *tz); |
| 55 | extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode); | 53 | extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode); |
| 56 | extern int cap_ptrace_traceme(struct task_struct *parent); | 54 | extern int cap_ptrace_traceme(struct task_struct *parent); |
| @@ -1197,18 +1195,9 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
| 1197 | * @permitted contains the permitted capability set. | 1195 | * @permitted contains the permitted capability set. |
| 1198 | * Return 0 and update @new if permission is granted. | 1196 | * Return 0 and update @new if permission is granted. |
| 1199 | * @capable: | 1197 | * @capable: |
| 1200 | * Check whether the current process has the @cap capability in its | 1198 | * Check whether the @tsk process has the @cap capability. |
| 1201 | * subjective/effective credentials. | ||
| 1202 | * @cap contains the capability <include/linux/capability.h>. | ||
| 1203 | * @audit: Whether to write an audit message or not | ||
| 1204 | * Return 0 if the capability is granted for @tsk. | ||
| 1205 | * @task_capable: | ||
| 1206 | * Check whether the @tsk process has the @cap capability in its | ||
| 1207 | * objective/real credentials. | ||
| 1208 | * @tsk contains the task_struct for the process. | 1199 | * @tsk contains the task_struct for the process. |
| 1209 | * @cred contains the credentials to use. | ||
| 1210 | * @cap contains the capability <include/linux/capability.h>. | 1200 | * @cap contains the capability <include/linux/capability.h>. |
| 1211 | * @audit: Whether to write an audit message or not | ||
| 1212 | * Return 0 if the capability is granted for @tsk. | 1201 | * Return 0 if the capability is granted for @tsk. |
| 1213 | * @acct: | 1202 | * @acct: |
| 1214 | * Check permission before enabling or disabling process accounting. If | 1203 | * Check permission before enabling or disabling process accounting. If |
| @@ -1301,9 +1290,7 @@ struct security_operations { | |||
| 1301 | const kernel_cap_t *effective, | 1290 | const kernel_cap_t *effective, |
| 1302 | const kernel_cap_t *inheritable, | 1291 | const kernel_cap_t *inheritable, |
| 1303 | const kernel_cap_t *permitted); | 1292 | const kernel_cap_t *permitted); |
| 1304 | int (*capable) (int cap, int audit); | 1293 | int (*capable) (struct task_struct *tsk, int cap, int audit); |
| 1305 | int (*task_capable) (struct task_struct *tsk, const struct cred *cred, | ||
| 1306 | int cap, int audit); | ||
| 1307 | int (*acct) (struct file *file); | 1294 | int (*acct) (struct file *file); |
| 1308 | int (*sysctl) (struct ctl_table *table, int op); | 1295 | int (*sysctl) (struct ctl_table *table, int op); |
| 1309 | int (*quotactl) (int cmds, int type, int id, struct super_block *sb); | 1296 | int (*quotactl) (int cmds, int type, int id, struct super_block *sb); |
| @@ -1569,9 +1556,8 @@ int security_capset(struct cred *new, const struct cred *old, | |||
| 1569 | const kernel_cap_t *effective, | 1556 | const kernel_cap_t *effective, |
| 1570 | const kernel_cap_t *inheritable, | 1557 | const kernel_cap_t *inheritable, |
| 1571 | const kernel_cap_t *permitted); | 1558 | const kernel_cap_t *permitted); |
| 1572 | int security_capable(int cap); | 1559 | int security_capable(struct task_struct *tsk, int cap); |
| 1573 | int security_task_capable(struct task_struct *tsk, int cap); | 1560 | int security_capable_noaudit(struct task_struct *tsk, int cap); |
| 1574 | int security_task_capable_noaudit(struct task_struct *tsk, int cap); | ||
| 1575 | int security_acct(struct file *file); | 1561 | int security_acct(struct file *file); |
| 1576 | int security_sysctl(struct ctl_table *table, int op); | 1562 | int security_sysctl(struct ctl_table *table, int op); |
| 1577 | int security_quotactl(int cmds, int type, int id, struct super_block *sb); | 1563 | int security_quotactl(int cmds, int type, int id, struct super_block *sb); |
| @@ -1768,31 +1754,14 @@ static inline int security_capset(struct cred *new, | |||
| 1768 | return cap_capset(new, old, effective, inheritable, permitted); | 1754 | return cap_capset(new, old, effective, inheritable, permitted); |
| 1769 | } | 1755 | } |
| 1770 | 1756 | ||
| 1771 | static inline int security_capable(int cap) | 1757 | static inline int security_capable(struct task_struct *tsk, int cap) |
| 1772 | { | 1758 | { |
| 1773 | return cap_capable(cap, SECURITY_CAP_AUDIT); | 1759 | return cap_capable(tsk, cap, SECURITY_CAP_AUDIT); |
| 1774 | } | 1760 | } |
| 1775 | 1761 | ||
| 1776 | static inline int security_task_capable(struct task_struct *tsk, int cap) | 1762 | static inline int security_capable_noaudit(struct task_struct *tsk, int cap) |
| 1777 | { | 1763 | { |
| 1778 | int ret; | 1764 | return cap_capable(tsk, cap, SECURITY_CAP_NOAUDIT); |
| 1779 | |||
| 1780 | rcu_read_lock(); | ||
| 1781 | ret = cap_task_capable(tsk, __task_cred(tsk), cap, SECURITY_CAP_AUDIT); | ||
| 1782 | rcu_read_unlock(); | ||
| 1783 | return ret; | ||
| 1784 | } | ||
| 1785 | |||
| 1786 | static inline | ||
| 1787 | int security_task_capable_noaudit(struct task_struct *tsk, int cap) | ||
| 1788 | { | ||
| 1789 | int ret; | ||
| 1790 | |||
| 1791 | rcu_read_lock(); | ||
| 1792 | ret = cap_task_capable(tsk, __task_cred(tsk), cap, | ||
| 1793 | SECURITY_CAP_NOAUDIT); | ||
| 1794 | rcu_read_unlock(); | ||
| 1795 | return ret; | ||
| 1796 | } | 1765 | } |
| 1797 | 1766 | ||
| 1798 | static inline int security_acct(struct file *file) | 1767 | static inline int security_acct(struct file *file) |