diff options
author | Eric Paris <eparis@redhat.com> | 2012-01-03 12:25:15 -0500 |
---|---|---|
committer | Eric Paris <eparis@redhat.com> | 2012-01-05 18:52:57 -0500 |
commit | 7b61d648499e74dbec3d4ce645675e0ae040ae78 (patch) | |
tree | dbf56a4e0cf344d22ac4deb71bb1a83ef02526e5 /kernel/capability.c | |
parent | 25e75703410a84b80623da3653db6b70282e5c6a (diff) |
capabilites: introduce new has_ns_capabilities_noaudit
For consistency in interfaces, introduce a new interface called
has_ns_capabilities_noaudit. It checks if the given task has the given
capability in the given namespace. Use this new function by
has_capabilities_noaudit.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Diffstat (limited to 'kernel/capability.c')
-rw-r--r-- | kernel/capability.c | 30 |
1 files changed, 25 insertions, 5 deletions
diff --git a/kernel/capability.c b/kernel/capability.c index fb815d1b9ea2..d8398e962470 100644 --- a/kernel/capability.c +++ b/kernel/capability.c | |||
@@ -325,28 +325,48 @@ bool has_capability(struct task_struct *t, int cap) | |||
325 | } | 325 | } |
326 | 326 | ||
327 | /** | 327 | /** |
328 | * has_capability_noaudit - Does a task have a capability (unaudited) | 328 | * has_ns_capability_noaudit - Does a task have a capability (unaudited) |
329 | * in a specific user ns. | ||
329 | * @t: The task in question | 330 | * @t: The task in question |
331 | * @ns: target user namespace | ||
330 | * @cap: The capability to be tested for | 332 | * @cap: The capability to be tested for |
331 | * | 333 | * |
332 | * Return true if the specified task has the given superior capability | 334 | * Return true if the specified task has the given superior capability |
333 | * currently in effect to init_user_ns, false if not. Don't write an | 335 | * currently in effect to the specified user namespace, false if not. |
334 | * audit message for the check. | 336 | * Do not write an audit message for the check. |
335 | * | 337 | * |
336 | * Note that this does not set PF_SUPERPRIV on the task. | 338 | * Note that this does not set PF_SUPERPRIV on the task. |
337 | */ | 339 | */ |
338 | bool has_capability_noaudit(struct task_struct *t, int cap) | 340 | bool has_ns_capability_noaudit(struct task_struct *t, |
341 | struct user_namespace *ns, int cap) | ||
339 | { | 342 | { |
340 | int ret; | 343 | int ret; |
341 | 344 | ||
342 | rcu_read_lock(); | 345 | rcu_read_lock(); |
343 | ret = security_capable_noaudit(__task_cred(t), &init_user_ns, cap); | 346 | ret = security_capable_noaudit(__task_cred(t), ns, cap); |
344 | rcu_read_unlock(); | 347 | rcu_read_unlock(); |
345 | 348 | ||
346 | return (ret == 0); | 349 | return (ret == 0); |
347 | } | 350 | } |
348 | 351 | ||
349 | /** | 352 | /** |
353 | * has_capability_noaudit - Does a task have a capability (unaudited) in the | ||
354 | * initial user ns | ||
355 | * @t: The task in question | ||
356 | * @cap: The capability to be tested for | ||
357 | * | ||
358 | * Return true if the specified task has the given superior capability | ||
359 | * currently in effect to init_user_ns, false if not. Don't write an | ||
360 | * audit message for the check. | ||
361 | * | ||
362 | * Note that this does not set PF_SUPERPRIV on the task. | ||
363 | */ | ||
364 | bool has_capability_noaudit(struct task_struct *t, int cap) | ||
365 | { | ||
366 | return has_ns_capability_noaudit(t, &init_user_ns, cap); | ||
367 | } | ||
368 | |||
369 | /** | ||
350 | * capable - Determine if the current task has a superior capability in effect | 370 | * capable - Determine if the current task has a superior capability in effect |
351 | * @cap: The capability to be tested for | 371 | * @cap: The capability to be tested for |
352 | * | 372 | * |