aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/linux/security.h44
-rw-r--r--security/commoncap.c10
-rw-r--r--security/security.c12
-rw-r--r--security/selinux/hooks.c10
4 files changed, 42 insertions, 34 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index d1ce8beddbd7..9f305d4a31a7 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -53,8 +53,12 @@ extern int cap_settime(struct timespec *ts, struct timezone *tz);
53extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode); 53extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode);
54extern int cap_ptrace_traceme(struct task_struct *parent); 54extern int cap_ptrace_traceme(struct task_struct *parent);
55extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 55extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
56extern int cap_capset_check(kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 56extern int cap_capset_check(const kernel_cap_t *effective,
57extern void cap_capset_set(kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 57 const kernel_cap_t *inheritable,
58 const kernel_cap_t *permitted);
59extern void cap_capset_set(const kernel_cap_t *effective,
60 const kernel_cap_t *inheritable,
61 const kernel_cap_t *permitted);
58extern int cap_bprm_set_security(struct linux_binprm *bprm); 62extern int cap_bprm_set_security(struct linux_binprm *bprm);
59extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe); 63extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
60extern int cap_bprm_secureexec(struct linux_binprm *bprm); 64extern int cap_bprm_secureexec(struct linux_binprm *bprm);
@@ -1293,12 +1297,12 @@ struct security_operations {
1293 int (*capget) (struct task_struct *target, 1297 int (*capget) (struct task_struct *target,
1294 kernel_cap_t *effective, 1298 kernel_cap_t *effective,
1295 kernel_cap_t *inheritable, kernel_cap_t *permitted); 1299 kernel_cap_t *inheritable, kernel_cap_t *permitted);
1296 int (*capset_check) (kernel_cap_t *effective, 1300 int (*capset_check) (const kernel_cap_t *effective,
1297 kernel_cap_t *inheritable, 1301 const kernel_cap_t *inheritable,
1298 kernel_cap_t *permitted); 1302 const kernel_cap_t *permitted);
1299 void (*capset_set) (kernel_cap_t *effective, 1303 void (*capset_set) (const kernel_cap_t *effective,
1300 kernel_cap_t *inheritable, 1304 const kernel_cap_t *inheritable,
1301 kernel_cap_t *permitted); 1305 const kernel_cap_t *permitted);
1302 int (*capable) (struct task_struct *tsk, int cap, int audit); 1306 int (*capable) (struct task_struct *tsk, int cap, int audit);
1303 int (*acct) (struct file *file); 1307 int (*acct) (struct file *file);
1304 int (*sysctl) (struct ctl_table *table, int op); 1308 int (*sysctl) (struct ctl_table *table, int op);
@@ -1560,12 +1564,12 @@ int security_capget(struct task_struct *target,
1560 kernel_cap_t *effective, 1564 kernel_cap_t *effective,
1561 kernel_cap_t *inheritable, 1565 kernel_cap_t *inheritable,
1562 kernel_cap_t *permitted); 1566 kernel_cap_t *permitted);
1563int security_capset_check(kernel_cap_t *effective, 1567int security_capset_check(const kernel_cap_t *effective,
1564 kernel_cap_t *inheritable, 1568 const kernel_cap_t *inheritable,
1565 kernel_cap_t *permitted); 1569 const kernel_cap_t *permitted);
1566void security_capset_set(kernel_cap_t *effective, 1570void security_capset_set(const kernel_cap_t *effective,
1567 kernel_cap_t *inheritable, 1571 const kernel_cap_t *inheritable,
1568 kernel_cap_t *permitted); 1572 const kernel_cap_t *permitted);
1569int security_capable(struct task_struct *tsk, int cap); 1573int security_capable(struct task_struct *tsk, int cap);
1570int security_capable_noaudit(struct task_struct *tsk, int cap); 1574int security_capable_noaudit(struct task_struct *tsk, int cap);
1571int security_acct(struct file *file); 1575int security_acct(struct file *file);
@@ -1755,16 +1759,16 @@ static inline int security_capget(struct task_struct *target,
1755 return cap_capget(target, effective, inheritable, permitted); 1759 return cap_capget(target, effective, inheritable, permitted);
1756} 1760}
1757 1761
1758static inline int security_capset_check(kernel_cap_t *effective, 1762static inline int security_capset_check(const kernel_cap_t *effective,
1759 kernel_cap_t *inheritable, 1763 const kernel_cap_t *inheritable,
1760 kernel_cap_t *permitted) 1764 const kernel_cap_t *permitted)
1761{ 1765{
1762 return cap_capset_check(effective, inheritable, permitted); 1766 return cap_capset_check(effective, inheritable, permitted);
1763} 1767}
1764 1768
1765static inline void security_capset_set(kernel_cap_t *effective, 1769static inline void security_capset_set(const kernel_cap_t *effective,
1766 kernel_cap_t *inheritable, 1770 const kernel_cap_t *inheritable,
1767 kernel_cap_t *permitted) 1771 const kernel_cap_t *permitted)
1768{ 1772{
1769 cap_capset_set(effective, inheritable, permitted); 1773 cap_capset_set(effective, inheritable, permitted);
1770} 1774}
diff --git a/security/commoncap.c b/security/commoncap.c
index e3f36ef629fa..fb4e240720d8 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -118,8 +118,9 @@ static inline int cap_limit_ptraced_target(void)
118 118
119#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ 119#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
120 120
121int cap_capset_check (kernel_cap_t *effective, 121int cap_capset_check(const kernel_cap_t *effective,
122 kernel_cap_t *inheritable, kernel_cap_t *permitted) 122 const kernel_cap_t *inheritable,
123 const kernel_cap_t *permitted)
123{ 124{
124 if (cap_inh_is_capped() 125 if (cap_inh_is_capped()
125 && !cap_issubset(*inheritable, 126 && !cap_issubset(*inheritable,
@@ -150,8 +151,9 @@ int cap_capset_check (kernel_cap_t *effective,
150 return 0; 151 return 0;
151} 152}
152 153
153void cap_capset_set (kernel_cap_t *effective, 154void cap_capset_set(const kernel_cap_t *effective,
154 kernel_cap_t *inheritable, kernel_cap_t *permitted) 155 const kernel_cap_t *inheritable,
156 const kernel_cap_t *permitted)
155{ 157{
156 current->cap_effective = *effective; 158 current->cap_effective = *effective;
157 current->cap_inheritable = *inheritable; 159 current->cap_inheritable = *inheritable;
diff --git a/security/security.c b/security/security.c
index dca37381e2a7..81c956a12300 100644
--- a/security/security.c
+++ b/security/security.c
@@ -145,16 +145,16 @@ int security_capget(struct task_struct *target,
145 return security_ops->capget(target, effective, inheritable, permitted); 145 return security_ops->capget(target, effective, inheritable, permitted);
146} 146}
147 147
148int security_capset_check(kernel_cap_t *effective, 148int security_capset_check(const kernel_cap_t *effective,
149 kernel_cap_t *inheritable, 149 const kernel_cap_t *inheritable,
150 kernel_cap_t *permitted) 150 const kernel_cap_t *permitted)
151{ 151{
152 return security_ops->capset_check(effective, inheritable, permitted); 152 return security_ops->capset_check(effective, inheritable, permitted);
153} 153}
154 154
155void security_capset_set(kernel_cap_t *effective, 155void security_capset_set(const kernel_cap_t *effective,
156 kernel_cap_t *inheritable, 156 const kernel_cap_t *inheritable,
157 kernel_cap_t *permitted) 157 const kernel_cap_t *permitted)
158{ 158{
159 security_ops->capset_set(effective, inheritable, permitted); 159 security_ops->capset_set(effective, inheritable, permitted);
160} 160}
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index df9986940e9c..9f6da154cc82 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1790,8 +1790,9 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1790 return secondary_ops->capget(target, effective, inheritable, permitted); 1790 return secondary_ops->capget(target, effective, inheritable, permitted);
1791} 1791}
1792 1792
1793static int selinux_capset_check(kernel_cap_t *effective, 1793static int selinux_capset_check(const kernel_cap_t *effective,
1794 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1794 const kernel_cap_t *inheritable,
1795 const kernel_cap_t *permitted)
1795{ 1796{
1796 int error; 1797 int error;
1797 1798
@@ -1802,8 +1803,9 @@ static int selinux_capset_check(kernel_cap_t *effective,
1802 return task_has_perm(current, current, PROCESS__SETCAP); 1803 return task_has_perm(current, current, PROCESS__SETCAP);
1803} 1804}
1804 1805
1805static void selinux_capset_set(kernel_cap_t *effective, 1806static void selinux_capset_set(const kernel_cap_t *effective,
1806 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1807 const kernel_cap_t *inheritable,
1808 const kernel_cap_t *permitted)
1807{ 1809{
1808 secondary_ops->capset_set(effective, inheritable, permitted); 1810 secondary_ops->capset_set(effective, inheritable, permitted);
1809} 1811}