14 files changed, 10 insertions, 58 deletions

diff --git a/drivers/scsi/scsi_netlink.c b/drivers/scsi/scsi_netlink.c
index 26a8a45584ef..feee1cc39ea0 100644
--- a/drivers/scsi/scsi_netlink.c
+++ b/drivers/scsi/scsi_netlink.c
@@ -111,7 +111,7 @@ scsi_nl_rcv_msg(struct sk_buff *skb)
                         goto next_msg;
                 }
 
-                if (security_netlink_recv(skb, CAP_SYS_ADMIN)) {
+                if (!capable(CAP_SYS_ADMIN)) {
                         err = -EPERM;
                         goto next_msg;
                 }
diff --git a/include/linux/security.h b/include/linux/security.h
index e345a9313a60..ba2d531c123f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -95,7 +95,6 @@ struct xfrm_user_sec_ctx;
 struct seq_file;
 
 extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
-extern int cap_netlink_recv(struct sk_buff *skb, int cap);
 
 void reset_security_ops(void);
 
@@ -792,12 +791,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *      @skb contains the sk_buff structure for the netlink message.
  *      Return 0 if the information was successfully saved and message
  *      is allowed to be transmitted.
- * @netlink_recv:
- *      Check permission before processing the received netlink message in
- *      @skb.
- *      @skb contains the sk_buff structure for the netlink message.
- *      @cap indicates the capability required
- *      Return 0 if permission is granted.
  *
  * Security hooks for Unix domain networking.
  *
@@ -1556,7 +1549,6 @@ struct security_operations {
                           struct sembuf *sops, unsigned nsops, int alter);
 
         int (*netlink_send) (struct sock *sk, struct sk_buff *skb);
-        int (*netlink_recv) (struct sk_buff *skb, int cap);
 
         void (*d_instantiate) (struct dentry *dentry, struct inode *inode);
 
@@ -1803,7 +1795,6 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
 int security_getprocattr(struct task_struct *p, char *name, char **value);
 int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
-int security_netlink_recv(struct sk_buff *skb, int cap);
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
 int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
 void security_release_secctx(char *secdata, u32 seclen);
@@ -2478,11 +2469,6 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
         return cap_netlink_send(sk, skb);
 }
 
-static inline int security_netlink_recv(struct sk_buff *skb, int cap)
-{
-        return cap_netlink_recv(skb, cap);
-}
-
 static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
         return -EOPNOTSUPP;
diff --git a/kernel/audit.c b/kernel/audit.c
index 0a1355ca3d79..f3ba55fa0b70 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -601,13 +601,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
         case AUDIT_TTY_SET:
         case AUDIT_TRIM:
         case AUDIT_MAKE_EQUIV:
-                if (security_netlink_recv(skb, CAP_AUDIT_CONTROL))
+                if (!capable(CAP_AUDIT_CONTROL))
                         err = -EPERM;
                 break;
         case AUDIT_USER:
         case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
         case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
-                if (security_netlink_recv(skb, CAP_AUDIT_WRITE))
+                if (!capable(CAP_AUDIT_WRITE))
                         err = -EPERM;
                 break;
         default:  /* bad msg */
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 99d9e953fe39..d3a628196716 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1931,7 +1931,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
         sz_idx = type>>2;
         kind = type&3;
 
-        if (kind != 2 && security_netlink_recv(skb, CAP_NET_ADMIN))
+        if (kind != 2 && !capable(CAP_NET_ADMIN))
                 return -EPERM;
 
         if (kind == 2 && nlh->nlmsg_flags&NLM_F_DUMP) {
diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c
index 69975e0bcdea..1531135130db 100644
--- a/net/decnet/netfilter/dn_rtmsg.c
+++ b/net/decnet/netfilter/dn_rtmsg.c
@@ -108,7 +108,7 @@ static inline void dnrmg_receive_user_skb(struct sk_buff *skb)
         if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
                 return;
 
-        if (security_netlink_recv(skb, CAP_NET_ADMIN))
+        if (!capable(CAP_NET_ADMIN))
                 RCV_SKB_FAIL(-EPERM);
 
         /* Eventually we might send routing messages too */
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index e59aabd0eae4..ffabb2674718 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -430,7 +430,7 @@ __ipq_rcv_skb(struct sk_buff *skb)
         if (type <= IPQM_BASE)
                 return;
 
-        if (security_netlink_recv(skb, CAP_NET_ADMIN))
+        if (!capable(CAP_NET_ADMIN))
                 RCV_SKB_FAIL(-EPERM);
 
         spin_lock_bh(&queue_lock);
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index e63c3972a739..5e5ce778be7f 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -431,7 +431,7 @@ __ipq_rcv_skb(struct sk_buff *skb)
         if (type <= IPQM_BASE)
                 return;
 
-        if (security_netlink_recv(skb, CAP_NET_ADMIN))
+        if (!capable(CAP_NET_ADMIN))
                 RCV_SKB_FAIL(-EPERM);
 
         spin_lock_bh(&queue_lock);
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 1905976b5135..e6c2b8f32180 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -130,7 +130,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
         const struct nfnetlink_subsystem *ss;
         int type, err;
 
-        if (security_netlink_recv(skb, CAP_NET_ADMIN))
+        if (!capable(CAP_NET_ADMIN))
                 return -EPERM;
 
         /* All the messages must at least contain nfgenmsg */
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index 482fa571b4ee..05fedbf489a5 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -516,7 +516,7 @@ static int genl_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                 return -EOPNOTSUPP;
 
         if ((ops->flags & GENL_ADMIN_PERM) &&
-            security_netlink_recv(skb, CAP_NET_ADMIN))
+            !capable(CAP_NET_ADMIN))
                 return -EPERM;
 
         if (nlh->nlmsg_flags & NLM_F_DUMP) {
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 0256b8a0a7cf..71de86698efa 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2290,7 +2290,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
         link = &xfrm_dispatch[type];
 
         /* All operations require privileges, even GET */
-        if (security_netlink_recv(skb, CAP_NET_ADMIN))
+        if (!capable(CAP_NET_ADMIN))
                 return -EPERM;
 
         if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) ||
diff --git a/security/capability.c b/security/capability.c
index 2984ea4f776f..a2c064d10448 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -999,7 +999,6 @@ void __init security_fixup_ops(struct security_operations *ops)
         set_to_cap_if_null(ops, sem_semctl);
         set_to_cap_if_null(ops, sem_semop);
         set_to_cap_if_null(ops, netlink_send);
-        set_to_cap_if_null(ops, netlink_recv);
         set_to_cap_if_null(ops, d_instantiate);
         set_to_cap_if_null(ops, getprocattr);
         set_to_cap_if_null(ops, setprocattr);
diff --git a/security/commoncap.c b/security/commoncap.c
index 89f02ff66af9..7817a763444d 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -56,14 +56,6 @@ int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
         return 0;
 }
 
-int cap_netlink_recv(struct sk_buff *skb, int cap)
-{
-        if (!cap_raised(current_cap(), cap))
-                return -EPERM;
-        return 0;
-}
-EXPORT_SYMBOL(cap_netlink_recv);
-
 /**
  * cap_capable - Determine whether a task has a particular effective capability
  * @cred: The credentials to use
diff --git a/security/security.c b/security/security.c
index 8900c5c4db5c..85481a9c5632 100644
--- a/security/security.c
+++ b/security/security.c
@@ -922,12 +922,6 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
         return security_ops->netlink_send(sk, skb);
 }
 
-int security_netlink_recv(struct sk_buff *skb, int cap)
-{
-        return security_ops->netlink_recv(skb, cap);
-}
-EXPORT_SYMBOL(security_netlink_recv);
-
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
         return security_ops->secid_to_secctx(secid, secdata, seclen);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 14f94cd29c80..3e37d25a9bbe 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4713,24 +4713,6 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
         return selinux_nlmsg_perm(sk, skb);
 }
 
-static int selinux_netlink_recv(struct sk_buff *skb, int capability)
-{
-        int err;
-        struct common_audit_data ad;
-        u32 sid;
-
-        err = cap_netlink_recv(skb, capability);
-        if (err)
-                return err;
-
-        COMMON_AUDIT_DATA_INIT(&ad, CAP);
-        ad.u.cap = capability;
-
-        security_task_getsecid(current, &sid);
-        return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
-                            CAP_TO_MASK(capability), &ad);
-}
-
 static int ipc_alloc_security(struct task_struct *task,
                               struct kern_ipc_perm *perm,
                               u16 sclass)
@@ -5459,7 +5441,6 @@ static struct security_operations selinux_ops = {
         .vm_enough_memory =             selinux_vm_enough_memory,
 
         .netlink_send =                 selinux_netlink_send,
-        .netlink_recv =                 selinux_netlink_recv,
 
         .bprm_set_creds =               selinux_bprm_set_creds,
         .bprm_committing_creds =        selinux_bprm_committing_creds,