1 files changed, 24 insertions, 28 deletions
diff --git a/include/linux/capability.h b/include/linux/capability.h
index fb16a3699b99..16ee8b49a200 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -368,6 +368,15 @@ struct cpu_vfs_cap_data {
 #ifdef __KERNEL__
+struct dentry;
+struct user_namespace;
+struct user_namespace *current_user_ns(void);
+extern const kernel_cap_t __cap_empty_set;
+extern const kernel_cap_t __cap_full_set;
+extern const kernel_cap_t __cap_init_eff_set;
 /*
 * Internal kernel functions only
 */
@@ -530,40 +539,27 @@ static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
                           cap_intersect(permitted, __cap_nfsd_set));
 }
-extern const kernel_cap_t __cap_empty_set;
+extern bool has_capability(struct task_struct *t, int cap);
-extern const kernel_cap_t __cap_full_set;
+extern bool has_ns_capability(struct task_struct *t,
-extern const kernel_cap_t __cap_init_eff_set;
+                              struct user_namespace *ns, int cap);
+extern bool has_capability_noaudit(struct task_struct *t, int cap);
-/**
+extern bool capable(int cap);
- * has_capability - Determine if a task has a superior capability available
+extern bool ns_capable(struct user_namespace *ns, int cap);
- * @t: The task in question
+extern bool task_ns_capable(struct task_struct *t, int cap);
- * @cap: The capability to be tested for
- *
- * Return true if the specified task has the given superior capability
- * currently in effect, false if not.
- *
- * Note that this does not set PF_SUPERPRIV on the task.
- */
-#define has_capability(t, cap) (security_real_capable((t), (cap)) == 0)
 /**
- * has_capability_noaudit - Determine if a task has a superior capability available (unaudited)
+ * nsown_capable - Check superior capability to one's own user_ns
- * @t: The task in question
+ * @cap: The capability in question
- * @cap: The capability to be tested for
 *
- * Return true if the specified task has the given superior capability
+ * Return true if the current task has the given superior capability
- * currently in effect, false if not, but don't write an audit message for the
+ * targeted at its own user namespace.
- * check.
- *
- * Note that this does not set PF_SUPERPRIV on the task.
 */
-#define has_capability_noaudit(t, cap) \
+static inline bool nsown_capable(int cap)
-        (security_real_capable_noaudit((t), (cap)) == 0)
+{
+        return ns_capable(current_user_ns(), cap);
-extern int capable(int cap);
+}
 /* audit system wants to get cap info from files as well */
-struct dentry;
 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
 #endif /* __KERNEL__ */

diff --git a/include/linux/capability.h b/include/linux/capability.h index fb16a3699b99..16ee8b49a200 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h
@@ -368,6 +368,15 @@ struct cpu_vfs_cap_data {
368		368
369	#ifdef __KERNEL__	369	#ifdef __KERNEL__
370		370
		371	struct dentry;
		372	struct user_namespace;
		373
		374	struct user_namespace *current_user_ns(void);
		375
		376	extern const kernel_cap_t __cap_empty_set;
		377	extern const kernel_cap_t __cap_full_set;
		378	extern const kernel_cap_t __cap_init_eff_set;
		379
371	/*	380	/*
372	* Internal kernel functions only	381	* Internal kernel functions only
373	*/	382	*/
@@ -530,40 +539,27 @@ static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
530	cap_intersect(permitted, __cap_nfsd_set));	539	cap_intersect(permitted, __cap_nfsd_set));
531	}	540	}
532		541
533	extern const kernel_cap_t __cap_empty_set;	542	extern bool has_capability(struct task_struct *t, int cap);
534	extern const kernel_cap_t __cap_full_set;	543	extern bool has_ns_capability(struct task_struct *t,
535	extern const kernel_cap_t __cap_init_eff_set;	544	struct user_namespace *ns, int cap);
536		545	extern bool has_capability_noaudit(struct task_struct *t, int cap);
537	/**	546	extern bool capable(int cap);
538	* has_capability - Determine if a task has a superior capability available	547	extern bool ns_capable(struct user_namespace *ns, int cap);
539	* @t: The task in question	548	extern bool task_ns_capable(struct task_struct *t, int cap);
540	* @cap: The capability to be tested for
541	*
542	* Return true if the specified task has the given superior capability
543	* currently in effect, false if not.
544	*
545	* Note that this does not set PF_SUPERPRIV on the task.
546	*/
547	#define has_capability(t, cap) (security_real_capable((t), (cap)) == 0)
548		549
549	/**	550	/**
550	* has_capability_noaudit - Determine if a task has a superior capability available (unaudited)	551	* nsown_capable - Check superior capability to one's own user_ns
551	* @t: The task in question	552	* @cap: The capability in question
552	* @cap: The capability to be tested for
553	*	553	*
554	* Return true if the specified task has the given superior capability	554	* Return true if the current task has the given superior capability
555	* currently in effect, false if not, but don't write an audit message for the	555	* targeted at its own user namespace.
556	* check.
557	*
558	* Note that this does not set PF_SUPERPRIV on the task.
559	*/	556	*/
560	#define has_capability_noaudit(t, cap) \	557	static inline bool nsown_capable(int cap)
561	(security_real_capable_noaudit((t), (cap)) == 0)	558	{
562		559	return ns_capable(current_user_ns(), cap);
563	extern int capable(int cap);	560	}
564		561
565	/* audit system wants to get cap info from files as well */	562	/* audit system wants to get cap info from files as well */
566	struct dentry;
567	extern int get_vfs_caps_from_disk(const struct dentry dentry, struct cpu_vfs_cap_data cpu_caps);	563	extern int get_vfs_caps_from_disk(const struct dentry dentry, struct cpu_vfs_cap_data cpu_caps);
568		564
569	#endif /* __KERNEL__ */	565	#endif /* __KERNEL__ */