aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2008-11-13 18:39:14 -0500
committerJames Morris <jmorris@namei.org>2008-11-13 18:39:14 -0500
commit1cdcbec1a3372c0c49c59d292e708fd07b509f18 (patch)
treed1bd302c8d66862da45b494cbc766fb4caa5e23e /security/selinux
parent8bbf4976b59fc9fc2861e79cab7beb3f6d647640 (diff)
CRED: Neuter sys_capset()
Take away the ability for sys_capset() to affect processes other than current. This means that current will not need to lock its own credentials when reading them against interference by other processes. This has effectively been the case for a while anyway, since: (1) Without LSM enabled, sys_capset() is disallowed. (2) With file-based capabilities, sys_capset() is neutered. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Acked-by: Andrew G. Morgan <morgan@kernel.org> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 378dc53c08e8..df9986940e9c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1790,22 +1790,22 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1790 return secondary_ops->capget(target, effective, inheritable, permitted); 1790 return secondary_ops->capget(target, effective, inheritable, permitted);
1791} 1791}
1792 1792
1793static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, 1793static int selinux_capset_check(kernel_cap_t *effective,
1794 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1794 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1795{ 1795{
1796 int error; 1796 int error;
1797 1797
1798 error = secondary_ops->capset_check(target, effective, inheritable, permitted); 1798 error = secondary_ops->capset_check(effective, inheritable, permitted);
1799 if (error) 1799 if (error)
1800 return error; 1800 return error;
1801 1801
1802 return task_has_perm(current, target, PROCESS__SETCAP); 1802 return task_has_perm(current, current, PROCESS__SETCAP);
1803} 1803}
1804 1804
1805static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, 1805static void selinux_capset_set(kernel_cap_t *effective,
1806 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1806 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1807{ 1807{
1808 secondary_ops->capset_set(target, effective, inheritable, permitted); 1808 secondary_ops->capset_set(effective, inheritable, permitted);
1809} 1809}
1810 1810
1811static int selinux_capable(struct task_struct *tsk, int cap, int audit) 1811static int selinux_capable(struct task_struct *tsk, int cap, int audit)