aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/capability.c
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2012-01-03 12:25:15 -0500
committerEric Paris <eparis@redhat.com>2012-01-05 18:52:57 -0500
commit7b61d648499e74dbec3d4ce645675e0ae040ae78 (patch)
treedbf56a4e0cf344d22ac4deb71bb1a83ef02526e5 /kernel/capability.c
parent25e75703410a84b80623da3653db6b70282e5c6a (diff)
capabilites: introduce new has_ns_capabilities_noaudit
For consistency in interfaces, introduce a new interface called has_ns_capabilities_noaudit. It checks if the given task has the given capability in the given namespace. Use this new function by has_capabilities_noaudit. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Diffstat (limited to 'kernel/capability.c')
-rw-r--r--kernel/capability.c30
1 files changed, 25 insertions, 5 deletions
diff --git a/kernel/capability.c b/kernel/capability.c
index fb815d1b9ea2..d8398e962470 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -325,28 +325,48 @@ bool has_capability(struct task_struct *t, int cap)
325} 325}
326 326
327/** 327/**
328 * has_capability_noaudit - Does a task have a capability (unaudited) 328 * has_ns_capability_noaudit - Does a task have a capability (unaudited)
329 * in a specific user ns.
329 * @t: The task in question 330 * @t: The task in question
331 * @ns: target user namespace
330 * @cap: The capability to be tested for 332 * @cap: The capability to be tested for
331 * 333 *
332 * Return true if the specified task has the given superior capability 334 * Return true if the specified task has the given superior capability
333 * currently in effect to init_user_ns, false if not. Don't write an 335 * currently in effect to the specified user namespace, false if not.
334 * audit message for the check. 336 * Do not write an audit message for the check.
335 * 337 *
336 * Note that this does not set PF_SUPERPRIV on the task. 338 * Note that this does not set PF_SUPERPRIV on the task.
337 */ 339 */
338bool has_capability_noaudit(struct task_struct *t, int cap) 340bool has_ns_capability_noaudit(struct task_struct *t,
341 struct user_namespace *ns, int cap)
339{ 342{
340 int ret; 343 int ret;
341 344
342 rcu_read_lock(); 345 rcu_read_lock();
343 ret = security_capable_noaudit(__task_cred(t), &init_user_ns, cap); 346 ret = security_capable_noaudit(__task_cred(t), ns, cap);
344 rcu_read_unlock(); 347 rcu_read_unlock();
345 348
346 return (ret == 0); 349 return (ret == 0);
347} 350}
348 351
349/** 352/**
353 * has_capability_noaudit - Does a task have a capability (unaudited) in the
354 * initial user ns
355 * @t: The task in question
356 * @cap: The capability to be tested for
357 *
358 * Return true if the specified task has the given superior capability
359 * currently in effect to init_user_ns, false if not. Don't write an
360 * audit message for the check.
361 *
362 * Note that this does not set PF_SUPERPRIV on the task.
363 */
364bool has_capability_noaudit(struct task_struct *t, int cap)
365{
366 return has_ns_capability_noaudit(t, &init_user_ns, cap);
367}
368
369/**
350 * capable - Determine if the current task has a superior capability in effect 370 * capable - Determine if the current task has a superior capability in effect
351 * @cap: The capability to be tested for 371 * @cap: The capability to be tested for
352 * 372 *