diff options
-rw-r--r-- | include/linux/security.h | 44 | ||||
-rw-r--r-- | security/commoncap.c | 10 | ||||
-rw-r--r-- | security/security.c | 12 | ||||
-rw-r--r-- | security/selinux/hooks.c | 10 |
4 files changed, 42 insertions, 34 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index d1ce8beddbd7..9f305d4a31a7 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
@@ -53,8 +53,12 @@ extern int cap_settime(struct timespec *ts, struct timezone *tz); | |||
53 | extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode); | 53 | extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode); |
54 | extern int cap_ptrace_traceme(struct task_struct *parent); | 54 | extern int cap_ptrace_traceme(struct task_struct *parent); |
55 | extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); | 55 | extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); |
56 | extern int cap_capset_check(kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); | 56 | extern int cap_capset_check(const kernel_cap_t *effective, |
57 | extern void cap_capset_set(kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); | 57 | const kernel_cap_t *inheritable, |
58 | const kernel_cap_t *permitted); | ||
59 | extern void cap_capset_set(const kernel_cap_t *effective, | ||
60 | const kernel_cap_t *inheritable, | ||
61 | const kernel_cap_t *permitted); | ||
58 | extern int cap_bprm_set_security(struct linux_binprm *bprm); | 62 | extern int cap_bprm_set_security(struct linux_binprm *bprm); |
59 | extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe); | 63 | extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe); |
60 | extern int cap_bprm_secureexec(struct linux_binprm *bprm); | 64 | extern int cap_bprm_secureexec(struct linux_binprm *bprm); |
@@ -1293,12 +1297,12 @@ struct security_operations { | |||
1293 | int (*capget) (struct task_struct *target, | 1297 | int (*capget) (struct task_struct *target, |
1294 | kernel_cap_t *effective, | 1298 | kernel_cap_t *effective, |
1295 | kernel_cap_t *inheritable, kernel_cap_t *permitted); | 1299 | kernel_cap_t *inheritable, kernel_cap_t *permitted); |
1296 | int (*capset_check) (kernel_cap_t *effective, | 1300 | int (*capset_check) (const kernel_cap_t *effective, |
1297 | kernel_cap_t *inheritable, | 1301 | const kernel_cap_t *inheritable, |
1298 | kernel_cap_t *permitted); | 1302 | const kernel_cap_t *permitted); |
1299 | void (*capset_set) (kernel_cap_t *effective, | 1303 | void (*capset_set) (const kernel_cap_t *effective, |
1300 | kernel_cap_t *inheritable, | 1304 | const kernel_cap_t *inheritable, |
1301 | kernel_cap_t *permitted); | 1305 | const kernel_cap_t *permitted); |
1302 | int (*capable) (struct task_struct *tsk, int cap, int audit); | 1306 | int (*capable) (struct task_struct *tsk, int cap, int audit); |
1303 | int (*acct) (struct file *file); | 1307 | int (*acct) (struct file *file); |
1304 | int (*sysctl) (struct ctl_table *table, int op); | 1308 | int (*sysctl) (struct ctl_table *table, int op); |
@@ -1560,12 +1564,12 @@ int security_capget(struct task_struct *target, | |||
1560 | kernel_cap_t *effective, | 1564 | kernel_cap_t *effective, |
1561 | kernel_cap_t *inheritable, | 1565 | kernel_cap_t *inheritable, |
1562 | kernel_cap_t *permitted); | 1566 | kernel_cap_t *permitted); |
1563 | int security_capset_check(kernel_cap_t *effective, | 1567 | int security_capset_check(const kernel_cap_t *effective, |
1564 | kernel_cap_t *inheritable, | 1568 | const kernel_cap_t *inheritable, |
1565 | kernel_cap_t *permitted); | 1569 | const kernel_cap_t *permitted); |
1566 | void security_capset_set(kernel_cap_t *effective, | 1570 | void security_capset_set(const kernel_cap_t *effective, |
1567 | kernel_cap_t *inheritable, | 1571 | const kernel_cap_t *inheritable, |
1568 | kernel_cap_t *permitted); | 1572 | const kernel_cap_t *permitted); |
1569 | int security_capable(struct task_struct *tsk, int cap); | 1573 | int security_capable(struct task_struct *tsk, int cap); |
1570 | int security_capable_noaudit(struct task_struct *tsk, int cap); | 1574 | int security_capable_noaudit(struct task_struct *tsk, int cap); |
1571 | int security_acct(struct file *file); | 1575 | int security_acct(struct file *file); |
@@ -1755,16 +1759,16 @@ static inline int security_capget(struct task_struct *target, | |||
1755 | return cap_capget(target, effective, inheritable, permitted); | 1759 | return cap_capget(target, effective, inheritable, permitted); |
1756 | } | 1760 | } |
1757 | 1761 | ||
1758 | static inline int security_capset_check(kernel_cap_t *effective, | 1762 | static inline int security_capset_check(const kernel_cap_t *effective, |
1759 | kernel_cap_t *inheritable, | 1763 | const kernel_cap_t *inheritable, |
1760 | kernel_cap_t *permitted) | 1764 | const kernel_cap_t *permitted) |
1761 | { | 1765 | { |
1762 | return cap_capset_check(effective, inheritable, permitted); | 1766 | return cap_capset_check(effective, inheritable, permitted); |
1763 | } | 1767 | } |
1764 | 1768 | ||
1765 | static inline void security_capset_set(kernel_cap_t *effective, | 1769 | static inline void security_capset_set(const kernel_cap_t *effective, |
1766 | kernel_cap_t *inheritable, | 1770 | const kernel_cap_t *inheritable, |
1767 | kernel_cap_t *permitted) | 1771 | const kernel_cap_t *permitted) |
1768 | { | 1772 | { |
1769 | cap_capset_set(effective, inheritable, permitted); | 1773 | cap_capset_set(effective, inheritable, permitted); |
1770 | } | 1774 | } |
diff --git a/security/commoncap.c b/security/commoncap.c index e3f36ef629fa..fb4e240720d8 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
@@ -118,8 +118,9 @@ static inline int cap_limit_ptraced_target(void) | |||
118 | 118 | ||
119 | #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ | 119 | #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ |
120 | 120 | ||
121 | int cap_capset_check (kernel_cap_t *effective, | 121 | int cap_capset_check(const kernel_cap_t *effective, |
122 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | 122 | const kernel_cap_t *inheritable, |
123 | const kernel_cap_t *permitted) | ||
123 | { | 124 | { |
124 | if (cap_inh_is_capped() | 125 | if (cap_inh_is_capped() |
125 | && !cap_issubset(*inheritable, | 126 | && !cap_issubset(*inheritable, |
@@ -150,8 +151,9 @@ int cap_capset_check (kernel_cap_t *effective, | |||
150 | return 0; | 151 | return 0; |
151 | } | 152 | } |
152 | 153 | ||
153 | void cap_capset_set (kernel_cap_t *effective, | 154 | void cap_capset_set(const kernel_cap_t *effective, |
154 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | 155 | const kernel_cap_t *inheritable, |
156 | const kernel_cap_t *permitted) | ||
155 | { | 157 | { |
156 | current->cap_effective = *effective; | 158 | current->cap_effective = *effective; |
157 | current->cap_inheritable = *inheritable; | 159 | current->cap_inheritable = *inheritable; |
diff --git a/security/security.c b/security/security.c index dca37381e2a7..81c956a12300 100644 --- a/security/security.c +++ b/security/security.c | |||
@@ -145,16 +145,16 @@ int security_capget(struct task_struct *target, | |||
145 | return security_ops->capget(target, effective, inheritable, permitted); | 145 | return security_ops->capget(target, effective, inheritable, permitted); |
146 | } | 146 | } |
147 | 147 | ||
148 | int security_capset_check(kernel_cap_t *effective, | 148 | int security_capset_check(const kernel_cap_t *effective, |
149 | kernel_cap_t *inheritable, | 149 | const kernel_cap_t *inheritable, |
150 | kernel_cap_t *permitted) | 150 | const kernel_cap_t *permitted) |
151 | { | 151 | { |
152 | return security_ops->capset_check(effective, inheritable, permitted); | 152 | return security_ops->capset_check(effective, inheritable, permitted); |
153 | } | 153 | } |
154 | 154 | ||
155 | void security_capset_set(kernel_cap_t *effective, | 155 | void security_capset_set(const kernel_cap_t *effective, |
156 | kernel_cap_t *inheritable, | 156 | const kernel_cap_t *inheritable, |
157 | kernel_cap_t *permitted) | 157 | const kernel_cap_t *permitted) |
158 | { | 158 | { |
159 | security_ops->capset_set(effective, inheritable, permitted); | 159 | security_ops->capset_set(effective, inheritable, permitted); |
160 | } | 160 | } |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index df9986940e9c..9f6da154cc82 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -1790,8 +1790,9 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, | |||
1790 | return secondary_ops->capget(target, effective, inheritable, permitted); | 1790 | return secondary_ops->capget(target, effective, inheritable, permitted); |
1791 | } | 1791 | } |
1792 | 1792 | ||
1793 | static int selinux_capset_check(kernel_cap_t *effective, | 1793 | static int selinux_capset_check(const kernel_cap_t *effective, |
1794 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | 1794 | const kernel_cap_t *inheritable, |
1795 | const kernel_cap_t *permitted) | ||
1795 | { | 1796 | { |
1796 | int error; | 1797 | int error; |
1797 | 1798 | ||
@@ -1802,8 +1803,9 @@ static int selinux_capset_check(kernel_cap_t *effective, | |||
1802 | return task_has_perm(current, current, PROCESS__SETCAP); | 1803 | return task_has_perm(current, current, PROCESS__SETCAP); |
1803 | } | 1804 | } |
1804 | 1805 | ||
1805 | static void selinux_capset_set(kernel_cap_t *effective, | 1806 | static void selinux_capset_set(const kernel_cap_t *effective, |
1806 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | 1807 | const kernel_cap_t *inheritable, |
1808 | const kernel_cap_t *permitted) | ||
1807 | { | 1809 | { |
1808 | secondary_ops->capset_set(effective, inheritable, permitted); | 1810 | secondary_ops->capset_set(effective, inheritable, permitted); |
1809 | } | 1811 | } |