author | James Morris <jmorris@namei.org> | 2009-01-06 17:21:54 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-01-06 17:21:54 -0500 |
commit | 29881c4502ba05f46bc12ae8053d4e08d7e2615c (patch) | |
tree | 536ea4ac63554e836438bd5f370ddecaa343f1f4 /security/selinux | |
parent | 76f7ba35d4b5219fcc4cb072134c020ec77d030d (diff) |
Revert "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]"
This reverts commit 14eaddc967b16017d4a1a24d2be6c28ecbe06ed8.
David has a better version to come.
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/hooks.c | 26 |
1 files changed, 6 insertions, 20 deletions
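--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1433,13 +1433,12 @@ static int current_has_perm(const struct task_struct *tsk,
 
 /* Check whether a task is allowed to use a capability. */
 static int task_has_capability(struct task_struct *tsk,
-			       const struct cred *cred,
 			       int cap, int audit)
 {
 	struct avc_audit_data ad;
 	struct av_decision avd;
 	u16 sclass;
-	u32 sid = cred_sid(cred);
+	u32 sid = task_sid(tsk);
 	u32 av = CAP_TO_MASK(cap);
 	int rc;
 
@@ -1866,27 +1865,15 @@ static int selinux_capset(struct cred *new, const struct cred *old,
 	return cred_has_perm(old, new, PROCESS__SETCAP);
 }
 
-static int selinux_capable(int cap, int audit)
-{
-	int rc;
-
-	rc = secondary_ops->capable(cap, audit);
-	if (rc)
-		return rc;
-
-	return task_has_capability(current, current_cred(), cap, audit);
-}
-
-static int selinux_task_capable(struct task_struct *tsk,
-				const struct cred *cred, int cap, int audit)
+static int selinux_capable(struct task_struct *tsk, int cap, int audit)
 {
 	int rc;
 
-	rc = secondary_ops->task_capable(tsk, cred, cap, audit);
+	rc = secondary_ops->capable(tsk, cap, audit);
 	if (rc)
 		return rc;
 
-	return task_has_capability(tsk, cred, cap, audit);
+	return task_has_capability(tsk, cap, audit);
 }
 
 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@@ -2050,7 +2037,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 {
 	int rc, cap_sys_admin = 0;
 
-	rc = selinux_capable(CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
+	rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
 	if (rc == 0)
 		cap_sys_admin = 1;
 
@@ -2893,7 +2880,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
 	 * and lack of permission just means that we fall back to the
 	 * in-core context value, not a denial.
 	 */
-	error = selinux_capable(CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
+	error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
 	if (!error)
 		error = security_sid_to_context_force(isec->sid, &context,
 						      &size);
@@ -5581,7 +5568,6 @@ static struct security_operations selinux_ops = {
 	.capset = selinux_capset,
 	.sysctl = selinux_sysctl,
 	.capable = selinux_capable,
-	.task_capable = selinux_task_capable,
 	.quotactl = selinux_quotactl,
 	.quota_on = selinux_quota_on,
 	.syslog = selinux_syslog,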
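Review bot: The restored `task_has_capability(tsk, cap, audit)` in the `current_has_perm` hunk derives the subject SID from `task_sid(tsk)` and no longer accepts an explicit `struct cred *`, so the rebuilt `selinux_capable()` can only ever check a capability against the task's own credentials; the reverted commit's title says that is exactly what broke the `sys_faccessat()` path, so this revert knowingly reopens that regression until the replacement lands. The description only says "David has a better version to come", which does not tell a bisecting reader that the interim tree is in the known-bad state. I would make that explicit in the commit message, e.g. `Note: this reinstates the cap_capable()/faccessat() regression until David's replacement fix is merged.` The `selinux_ops` hunk also drops the `.task_capable` hook, so any caller still wired to `security_ops->task_capable` has no SELinux backend in the meantime — presumably the core LSM side is reverted in a sibling commit, but that is not visible here and is worth stating.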