aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
authorJames Morris <jmorris@namei.org>2009-01-06 17:21:54 -0500
committerJames Morris <jmorris@namei.org>2009-01-06 17:21:54 -0500
commit29881c4502ba05f46bc12ae8053d4e08d7e2615c (patch)
tree536ea4ac63554e836438bd5f370ddecaa343f1f4 /security/selinux
parent76f7ba35d4b5219fcc4cb072134c020ec77d030d (diff)
Revert "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]"
This reverts commit 14eaddc967b16017d4a1a24d2be6c28ecbe06ed8. David has a better version to come.
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c26
1 files changed, 6 insertions, 20 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index eb6c45107a05..df30a7555d8a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1433,13 +1433,12 @@ static int current_has_perm(const struct task_struct *tsk,
1433 1433
1434/* Check whether a task is allowed to use a capability. */ 1434/* Check whether a task is allowed to use a capability. */
1435static int task_has_capability(struct task_struct *tsk, 1435static int task_has_capability(struct task_struct *tsk,
1436 const struct cred *cred,
1437 int cap, int audit) 1436 int cap, int audit)
1438{ 1437{
1439 struct avc_audit_data ad; 1438 struct avc_audit_data ad;
1440 struct av_decision avd; 1439 struct av_decision avd;
1441 u16 sclass; 1440 u16 sclass;
1442 u32 sid = cred_sid(cred); 1441 u32 sid = task_sid(tsk);
1443 u32 av = CAP_TO_MASK(cap); 1442 u32 av = CAP_TO_MASK(cap);
1444 int rc; 1443 int rc;
1445 1444
@@ -1866,27 +1865,15 @@ static int selinux_capset(struct cred *new, const struct cred *old,
1866 return cred_has_perm(old, new, PROCESS__SETCAP); 1865 return cred_has_perm(old, new, PROCESS__SETCAP);
1867} 1866}
1868 1867
1869static int selinux_capable(int cap, int audit) 1868static int selinux_capable(struct task_struct *tsk, int cap, int audit)
1870{
1871 int rc;
1872
1873 rc = secondary_ops->capable(cap, audit);
1874 if (rc)
1875 return rc;
1876
1877 return task_has_capability(current, current_cred(), cap, audit);
1878}
1879
1880static int selinux_task_capable(struct task_struct *tsk,
1881 const struct cred *cred, int cap, int audit)
1882{ 1869{
1883 int rc; 1870 int rc;
1884 1871
1885 rc = secondary_ops->task_capable(tsk, cred, cap, audit); 1872 rc = secondary_ops->capable(tsk, cap, audit);
1886 if (rc) 1873 if (rc)
1887 return rc; 1874 return rc;
1888 1875
1889 return task_has_capability(tsk, cred, cap, audit); 1876 return task_has_capability(tsk, cap, audit);
1890} 1877}
1891 1878
1892static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) 1879static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@@ -2050,7 +2037,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2050{ 2037{
2051 int rc, cap_sys_admin = 0; 2038 int rc, cap_sys_admin = 0;
2052 2039
2053 rc = selinux_capable(CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT); 2040 rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
2054 if (rc == 0) 2041 if (rc == 0)
2055 cap_sys_admin = 1; 2042 cap_sys_admin = 1;
2056 2043
@@ -2893,7 +2880,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
2893 * and lack of permission just means that we fall back to the 2880 * and lack of permission just means that we fall back to the
2894 * in-core context value, not a denial. 2881 * in-core context value, not a denial.
2895 */ 2882 */
2896 error = selinux_capable(CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT); 2883 error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
2897 if (!error) 2884 if (!error)
2898 error = security_sid_to_context_force(isec->sid, &context, 2885 error = security_sid_to_context_force(isec->sid, &context,
2899 &size); 2886 &size);
@@ -5581,7 +5568,6 @@ static struct security_operations selinux_ops = {
5581 .capset = selinux_capset, 5568 .capset = selinux_capset,
5582 .sysctl = selinux_sysctl, 5569 .sysctl = selinux_sysctl,
5583 .capable = selinux_capable, 5570 .capable = selinux_capable,
5584 .task_capable = selinux_task_capable,
5585 .quotactl = selinux_quotactl, 5571 .quotactl = selinux_quotactl,
5586 .quota_on = selinux_quota_on, 5572 .quota_on = selinux_quota_on,
5587 .syslog = selinux_syslog, 5573 .syslog = selinux_syslog,