groups: Consolidate the setgroups permission checks

Today there are 3 instances of setgroups and due to an oversight their
permission checking has diverged.  Add a common function so that
they may all share the same permission checking code.

This corrects the current oversight in the current permission checks
and adds a helper to avoid this in the future.

A user namespace security fix will update this new helper, shortly.

Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

2 files changed, 9 insertions, 2 deletions

diff --git a/kernel/groups.c b/kernel/groups.c
index 451698f86cfa..02d8a251c476 100644
--- a/kernel/groups.c
+++ b/kernel/groups.c
@@ -213,6 +213,13 @@ out:
         return i;
 }
 
+bool may_setgroups(void)
+{
+        struct user_namespace *user_ns = current_user_ns();
+
+        return ns_capable(user_ns, CAP_SETGID);
+}
+
 /*
  *      SMP: Our groups are copy-on-write. We can set them safely
  *      without another task interfering.
@@ -223,7 +230,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist)
         struct group_info *group_info;
         int retval;
 
-        if (!ns_capable(current_user_ns(), CAP_SETGID))
+        if (!may_setgroups())
                 return -EPERM;
         if ((unsigned)gidsetsize > NGROUPS_MAX)
                 return -EINVAL;
diff --git a/kernel/uid16.c b/kernel/uid16.c
index 602e5bbbceff..d58cc4d8f0d1 100644
--- a/kernel/uid16.c
+++ b/kernel/uid16.c
@@ -176,7 +176,7 @@ SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist)
         struct group_info *group_info;
         int retval;
 
-        if (!ns_capable(current_user_ns(), CAP_SETGID))
+        if (!may_setgroups())
                 return -EPERM;
         if ((unsigned)gidsetsize > NGROUPS_MAX)
                 return -EINVAL;