5 files changed, 31 insertions, 39 deletions

diff --git a/include/linux/security.h b/include/linux/security.h
index ebd2a53a3d07..4921163b2752 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -53,8 +53,8 @@ struct user_namespace;
  * These functions are in security/capability.c and are used
  * as the default capabilities functions
  */
-extern int cap_capable(struct task_struct *tsk, const struct cred *cred,
-                       struct user_namespace *ns, int cap, int audit);
+extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
+                       int cap, int audit);
 extern int cap_settime(const struct timespec *ts, const struct timezone *tz);
 extern int cap_ptrace_access_check(struct task_struct *child, unsigned int mode);
 extern int cap_ptrace_traceme(struct task_struct *parent);
@@ -1261,7 +1261,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  * @capable:
  *      Check whether the @tsk process has the @cap capability in the indicated
  *      credentials.
- *      @tsk contains the task_struct for the process.
  *      @cred contains the credentials to use.
  *      @ns contains the user namespace we want the capability in
  *      @cap contains the capability <include/linux/capability.h>.
@@ -1385,8 +1384,8 @@ struct security_operations {
                        const kernel_cap_t *effective,
                        const kernel_cap_t *inheritable,
                        const kernel_cap_t *permitted);
-        int (*capable) (struct task_struct *tsk, const struct cred *cred,
-                        struct user_namespace *ns, int cap, int audit);
+        int (*capable) (const struct cred *cred, struct user_namespace *ns,
+                        int cap, int audit);
         int (*quotactl) (int cmds, int type, int id, struct super_block *sb);
         int (*quota_on) (struct dentry *dentry);
         int (*syslog) (int type);
@@ -1867,7 +1866,7 @@ static inline int security_capset(struct cred *new,
 static inline int security_capable(struct user_namespace *ns,
                                    const struct cred *cred, int cap)
 {
-        return cap_capable(current, cred, ns, cap, SECURITY_CAP_AUDIT);
+        return cap_capable(cred, ns, cap, SECURITY_CAP_AUDIT);
 }
 
 static inline int security_real_capable(struct task_struct *tsk, struct user_namespace *ns, int cap)
@@ -1875,7 +1874,7 @@ static inline int security_real_capable(struct task_struct *tsk, struct user_nam
         int ret;
 
         rcu_read_lock();
-        ret = cap_capable(tsk, __task_cred(tsk), ns, cap, SECURITY_CAP_AUDIT);
+        ret = cap_capable(__task_cred(tsk), ns, cap, SECURITY_CAP_AUDIT);
         rcu_read_unlock();
         return ret;
 }
@@ -1886,8 +1885,7 @@ int security_real_capable_noaudit(struct task_struct *tsk, struct user_namespace
         int ret;
 
         rcu_read_lock();
-        ret = cap_capable(tsk, __task_cred(tsk), ns, cap,
-                               SECURITY_CAP_NOAUDIT);
+        ret = cap_capable(__task_cred(tsk), ns, cap, SECURITY_CAP_NOAUDIT);
         rcu_read_unlock();
         return ret;
 }
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 37832026e58a..ef4e2a8a33a5 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -136,16 +136,16 @@ static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
         return 0;
 }
 
-static int apparmor_capable(struct task_struct *task, const struct cred *cred,
-                            struct user_namespace *ns, int cap, int audit)
+static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
+                            int cap, int audit)
 {
         struct aa_profile *profile;
         /* cap_capable returns 0 on success, else -EPERM */
-        int error = cap_capable(task, cred, ns, cap, audit);
+        int error = cap_capable(cred, ns, cap, audit);
         if (!error) {
                 profile = aa_cred_profile(cred);
                 if (!unconfined(profile))
-                        error = aa_capable(task, profile, cap, audit);
+                        error = aa_capable(current, profile, cap, audit);
         }
         return error;
 }
diff --git a/security/commoncap.c b/security/commoncap.c
index a93b3b733079..89f02ff66af9 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -66,7 +66,6 @@ EXPORT_SYMBOL(cap_netlink_recv);
 
 /**
  * cap_capable - Determine whether a task has a particular effective capability
- * @tsk: The task to query
  * @cred: The credentials to use
  * @ns:  The user namespace in which we need the capability
  * @cap: The capability to check for
@@ -80,8 +79,8 @@ EXPORT_SYMBOL(cap_netlink_recv);
  * cap_has_capability() returns 0 when a task has a capability, but the
  * kernel's capable() and has_capability() returns 1 for this case.
  */
-int cap_capable(struct task_struct *tsk, const struct cred *cred,
-                struct user_namespace *targ_ns, int cap, int audit)
+int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
+                int cap, int audit)
 {
         for (;;) {
                 /* The creator of the user namespace has all caps. */
@@ -222,9 +221,8 @@ static inline int cap_inh_is_capped(void)
         /* they are so limited unless the current task has the CAP_SETPCAP
          * capability
          */
-        if (cap_capable(current, current_cred(),
-                        current_cred()->user->user_ns, CAP_SETPCAP,
-                        SECURITY_CAP_AUDIT) == 0)
+        if (cap_capable(current_cred(), current_cred()->user->user_ns,
+                        CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
                 return 0;
         return 1;
 }
@@ -870,7 +868,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
                      & (new->securebits ^ arg2))                        /*[1]*/
                     || ((new->securebits & SECURE_ALL_LOCKS & ~arg2))   /*[2]*/
                     || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS))   /*[3]*/
-                    || (cap_capable(current, current_cred(),
+                    || (cap_capable(current_cred(),
                                     current_cred()->user->user_ns, CAP_SETPCAP,
                                     SECURITY_CAP_AUDIT) != 0)           /*[4]*/
                         /*
@@ -936,7 +934,7 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
 {
         int cap_sys_admin = 0;
 
-        if (cap_capable(current, current_cred(), &init_user_ns, CAP_SYS_ADMIN,
+        if (cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
                         SECURITY_CAP_NOAUDIT) == 0)
                 cap_sys_admin = 1;
         return __vm_enough_memory(mm, pages, cap_sys_admin);
@@ -963,7 +961,7 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,
         int ret = 0;
 
         if (addr < dac_mmap_min_addr) {
-                ret = cap_capable(current, current_cred(), &init_user_ns, CAP_SYS_RAWIO,
+                ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
                                   SECURITY_CAP_AUDIT);
                 /* set PF_SUPERPRIV if it turns out we allow the low mmap */
                 if (ret == 0)
diff --git a/security/security.c b/security/security.c
index d9e153390926..9ae68c64455e 100644
--- a/security/security.c
+++ b/security/security.c
@@ -157,8 +157,7 @@ int security_capset(struct cred *new, const struct cred *old,
 int security_capable(struct user_namespace *ns, const struct cred *cred,
                      int cap)
 {
-        return security_ops->capable(current, cred, ns, cap,
-                                     SECURITY_CAP_AUDIT);
+        return security_ops->capable(cred, ns, cap, SECURITY_CAP_AUDIT);
 }
 
 int security_real_capable(struct task_struct *tsk, struct user_namespace *ns,
@@ -168,7 +167,7 @@ int security_real_capable(struct task_struct *tsk, struct user_namespace *ns,
         int ret;
 
         cred = get_task_cred(tsk);
-        ret = security_ops->capable(tsk, cred, ns, cap, SECURITY_CAP_AUDIT);
+        ret = security_ops->capable(cred, ns, cap, SECURITY_CAP_AUDIT);
         put_cred(cred);
         return ret;
 }
@@ -180,7 +179,7 @@ int security_real_capable_noaudit(struct task_struct *tsk,
         int ret;
 
         cred = get_task_cred(tsk);
-        ret = security_ops->capable(tsk, cred, ns, cap, SECURITY_CAP_NOAUDIT);
+        ret = security_ops->capable(cred, ns, cap, SECURITY_CAP_NOAUDIT);
         put_cred(cred);
         return ret;
 }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e545b9f67072..c9605c4a2e08 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1414,8 +1414,7 @@ static int current_has_perm(const struct task_struct *tsk,
 #endif
 
 /* Check whether a task is allowed to use a capability. */
-static int task_has_capability(struct task_struct *tsk,
-                               const struct cred *cred,
+static int cred_has_capability(const struct cred *cred,
                                int cap, int audit)
 {
         struct common_audit_data ad;
@@ -1426,7 +1425,7 @@ static int task_has_capability(struct task_struct *tsk,
         int rc;
 
         COMMON_AUDIT_DATA_INIT(&ad, CAP);
-        ad.tsk = tsk;
+        ad.tsk = current;
         ad.u.cap = cap;
 
         switch (CAP_TO_INDEX(cap)) {
@@ -1867,16 +1866,16 @@ static int selinux_capset(struct cred *new, const struct cred *old,
  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
  */
 
-static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
-                           struct user_namespace *ns, int cap, int audit)
+static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
+                           int cap, int audit)
 {
         int rc;
 
-        rc = cap_capable(tsk, cred, ns, cap, audit);
+        rc = cap_capable(cred, ns, cap, audit);
         if (rc)
                 return rc;
 
-        return task_has_capability(tsk, cred, cap, audit);
+        return cred_has_capability(cred, cap, audit);
 }
 
 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
@@ -1953,8 +1952,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 {
         int rc, cap_sys_admin = 0;
 
-        rc = selinux_capable(current, current_cred(),
-                             &init_user_ns, CAP_SYS_ADMIN,
+        rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
                              SECURITY_CAP_NOAUDIT);
         if (rc == 0)
                 cap_sys_admin = 1;
@@ -2858,8 +2856,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
          * and lack of permission just means that we fall back to the
          * in-core context value, not a denial.
          */
-        error = selinux_capable(current, current_cred(),
-                                &init_user_ns, CAP_MAC_ADMIN,
+        error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
                                 SECURITY_CAP_NOAUDIT);
         if (!error)
                 error = security_sid_to_context_force(isec->sid, &context,
@@ -2992,8 +2989,8 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
 
         case KDSKBENT:
         case KDSKBSENT:
-                error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
-                                        SECURITY_CAP_AUDIT);
+                error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
+                                            SECURITY_CAP_AUDIT);
                 break;
 
         /* default case assumes that the command will go