-rw-r--r--include/linux/capability.h2
-rw-r--r--kernel/capability.c30
2 files changed, 27 insertions, 5 deletions
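diff --git a/include/linux/capability.h b/include/linux/capability.h
index c42112350003..63f59fa8769d 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -543,6 +543,8 @@ extern bool has_capability(struct task_struct *t, int cap);
 extern bool has_ns_capability(struct task_struct *t,
  struct user_namespace *ns, int cap);
 extern bool has_capability_noaudit(struct task_struct *t, int cap);
+extern bool has_ns_capability_noaudit(struct task_struct *t,
+ struct user_namespace *ns, int cap);
 extern bool capable(int cap);
 extern bool ns_capable(struct user_namespace *ns, int cap);
 extern bool task_ns_capable(struct task_struct *t, int cap);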
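diff --git a/kernel/capability.c b/kernel/capability.c
index fb815d1b9ea2..d8398e962470 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -325,28 +325,48 @@ bool has_capability(struct task_struct *t, int cap)
 }
 
 /**
- * has_capability_noaudit - Does a task have a capability (unaudited)
+ * has_ns_capability_noaudit - Does a task have a capability (unaudited)
+ * in a specific user ns.
  * @t: The task in question
+ * @ns: target user namespace
  * @cap: The capability to be tested for
  *
  * Return true if the specified task has the given superior capability
- * currently in effect to init_user_ns, false if not. Don't write an
- * audit message for the check.
+ * currently in effect to the specified user namespace, false if not.
+ * Do not write an audit message for the check.
  *
  * Note that this does not set PF_SUPERPRIV on the task.
  */
-bool has_capability_noaudit(struct task_struct *t, int cap)
+bool has_ns_capability_noaudit(struct task_struct *t,
+ struct user_namespace *ns, int cap)
 {
  int ret;
 
  rcu_read_lock();
- ret = security_capable_noaudit(__task_cred(t), &init_user_ns, cap);
+ ret = security_capable_noaudit(__task_cred(t), ns, cap);
  rcu_read_unlock();
 
  return (ret == 0);
 }
 
 /**
+ * has_capability_noaudit - Does a task have a capability (unaudited) in the
+ * initial user ns
+ * @t: The task in question
+ * @cap: The capability to be tested for
+ *
+ * Return true if the specified task has the given superior capability
+ * currently in effect to init_user_ns, false if not. Don't write an
+ * audit message for the check.
+ *
+ * Note that this does not set PF_SUPERPRIV on the task.
+ */
+bool has_capability_noaudit(struct task_struct *t, int cap)
+{
+ return has_ns_capability_noaudit(t, &init_user_ns, cap);
+}
+
+/**
  * capable - Determine if the current task has a superior capability in effect
  * @cap: The capability to be tested for
  *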
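Review bot: The new `has_ns_capability_noaudit` hands `ns` straight to `security_capable_noaudit()` and its kernel-doc describes the parameter only as `@ns: target user namespace`; since the LSM hook presumably dereferences the namespace, the lifetime contract belongs in the comment, e.g. `@ns: target user namespace (the caller must hold a reference for the duration of the call)`. The same comment block should also say what "unaudited" is for: a denied check leaves no audit record, so this variant is appropriate for informational probes and should not be the check that gates a security decision — the audited `has_ns_capability` declared alongside it in the header is the one to use there. The `}` at the top of the hunk closes `has_capability`, whose body starts outside the hunk, and the `capable` kernel-doc at the bottom continues past it.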