1 files changed, 169 insertions, 9 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 3416cb85e77b..1f2ab6353c00 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -48,7 +48,8 @@ struct audit_krule;
 * These functions are in security/capability.c and are used
 * as the default capabilities functions
 */
-extern int cap_capable(struct task_struct *tsk, int cap, int audit);
+extern int cap_capable(struct task_struct *tsk, const struct cred *cred,
+                       int cap, int audit);
 extern int cap_settime(struct timespec *ts, struct timezone *tz);
 extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode);
 extern int cap_ptrace_traceme(struct task_struct *parent);
@@ -335,17 +336,37 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @dir contains the inode structure of the parent directory of the new link.
 *      @new_dentry contains the dentry structure for the new link.
 *      Return 0 if permission is granted.
+ * @path_link:
+ *      Check permission before creating a new hard link to a file.
+ *      @old_dentry contains the dentry structure for an existing link
+ *      to the file.
+ *      @new_dir contains the path structure of the parent directory of
+ *      the new link.
+ *      @new_dentry contains the dentry structure for the new link.
+ *      Return 0 if permission is granted.
 * @inode_unlink:
 *      Check the permission to remove a hard link to a file.
 *      @dir contains the inode structure of parent directory of the file.
 *      @dentry contains the dentry structure for file to be unlinked.
 *      Return 0 if permission is granted.
+ * @path_unlink:
+ *      Check the permission to remove a hard link to a file.
+ *      @dir contains the path structure of parent directory of the file.
+ *      @dentry contains the dentry structure for file to be unlinked.
+ *      Return 0 if permission is granted.
 * @inode_symlink:
 *      Check the permission to create a symbolic link to a file.
 *      @dir contains the inode structure of parent directory of the symbolic link.
 *      @dentry contains the dentry structure of the symbolic link.
 *      @old_name contains the pathname of file.
 *      Return 0 if permission is granted.
+ * @path_symlink:
+ *      Check the permission to create a symbolic link to a file.
+ *      @dir contains the path structure of parent directory of
+ *      the symbolic link.
+ *      @dentry contains the dentry structure of the symbolic link.
+ *      @old_name contains the pathname of file.
+ *      Return 0 if permission is granted.
 * @inode_mkdir:
 *      Check permissions to create a new directory in the existing directory
 *      associated with inode strcture @dir.
@@ -353,11 +374,25 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @dentry contains the dentry structure of new directory.
 *      @mode contains the mode of new directory.
 *      Return 0 if permission is granted.
+ * @path_mkdir:
+ *      Check permissions to create a new directory in the existing directory
+ *      associated with path strcture @path.
+ *      @dir containst the path structure of parent of the directory
+ *      to be created.
+ *      @dentry contains the dentry structure of new directory.
+ *      @mode contains the mode of new directory.
+ *      Return 0 if permission is granted.
 * @inode_rmdir:
 *      Check the permission to remove a directory.
 *      @dir contains the inode structure of parent of the directory to be removed.
 *      @dentry contains the dentry structure of directory to be removed.
 *      Return 0 if permission is granted.
+ * @path_rmdir:
+ *      Check the permission to remove a directory.
+ *      @dir contains the path structure of parent of the directory to be
+ *      removed.
+ *      @dentry contains the dentry structure of directory to be removed.
+ *      Return 0 if permission is granted.
 * @inode_mknod:
 *      Check permissions when creating a special file (or a socket or a fifo
 *      file created via the mknod system call).  Note that if mknod operation
@@ -368,6 +403,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @mode contains the mode of the new file.
 *      @dev contains the device number.
 *      Return 0 if permission is granted.
+ * @path_mknod:
+ *      Check permissions when creating a file. Note that this hook is called
+ *      even if mknod operation is being done for a regular file.
+ *      @dir contains the path structure of parent of the new file.
+ *      @dentry contains the dentry structure of the new file.
+ *      @mode contains the mode of the new file.
+ *      @dev contains the undecoded device number. Use new_decode_dev() to get
+ *      the decoded device number.
+ *      Return 0 if permission is granted.
 * @inode_rename:
 *      Check for permission to rename a file or directory.
 *      @old_dir contains the inode structure for parent of the old link.
@@ -375,6 +419,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @new_dir contains the inode structure for parent of the new link.
 *      @new_dentry contains the dentry structure of the new link.
 *      Return 0 if permission is granted.
+ * @path_rename:
+ *      Check for permission to rename a file or directory.
+ *      @old_dir contains the path structure for parent of the old link.
+ *      @old_dentry contains the dentry structure of the old link.
+ *      @new_dir contains the path structure for parent of the new link.
+ *      @new_dentry contains the dentry structure of the new link.
+ *      Return 0 if permission is granted.
 * @inode_readlink:
 *      Check the permission to read the symbolic link.
 *      @dentry contains the dentry structure for the file link.
@@ -403,6 +454,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @dentry contains the dentry structure for the file.
 *      @attr is the iattr structure containing the new file attributes.
 *      Return 0 if permission is granted.
+ * @path_truncate:
+ *      Check permission before truncating a file.
+ *      @path contains the path structure for the file.
+ *      @length is the new length of the file.
+ *      @time_attrs is the flags passed to do_truncate().
+ *      Return 0 if permission is granted.
 * @inode_getattr:
 *      Check permission before obtaining file attributes.
 *      @mnt is the vfsmount where the dentry was looked up
@@ -1195,9 +1252,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @permitted contains the permitted capability set.
 *      Return 0 and update @new if permission is granted.
 * @capable:
- *      Check whether the @tsk process has the @cap capability.
+ *      Check whether the @tsk process has the @cap capability in the indicated
+ *      credentials.
 *      @tsk contains the task_struct for the process.
+ *      @cred contains the credentials to use.
 *      @cap contains the capability <include/linux/capability.h>.
+ *      @audit: Whether to write an audit message or not
 *      Return 0 if the capability is granted for @tsk.
 * @acct:
 *      Check permission before enabling or disabling process accounting.  If
@@ -1290,7 +1350,8 @@ struct security_operations {
                       const kernel_cap_t *effective,
                       const kernel_cap_t *inheritable,
                       const kernel_cap_t *permitted);
-        int (*capable) (struct task_struct *tsk, int cap, int audit);
+        int (*capable) (struct task_struct *tsk, const struct cred *cred,
+                        int cap, int audit);
        int (*acct) (struct file *file);
        int (*sysctl) (struct ctl_table *table, int op);
        int (*quotactl) (int cmds, int type, int id, struct super_block *sb);
@@ -1331,6 +1392,22 @@ struct security_operations {
                                   struct super_block *newsb);
        int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts);
+#ifdef CONFIG_SECURITY_PATH
+        int (*path_unlink) (struct path *dir, struct dentry *dentry);
+        int (*path_mkdir) (struct path *dir, struct dentry *dentry, int mode);
+        int (*path_rmdir) (struct path *dir, struct dentry *dentry);
+        int (*path_mknod) (struct path *dir, struct dentry *dentry, int mode,
+                           unsigned int dev);
+        int (*path_truncate) (struct path *path, loff_t length,
+                              unsigned int time_attrs);
+        int (*path_symlink) (struct path *dir, struct dentry *dentry,
+                             const char *old_name);
+        int (*path_link) (struct dentry *old_dentry, struct path *new_dir,
+                          struct dentry *new_dentry);
+        int (*path_rename) (struct path *old_dir, struct dentry *old_dentry,
+                            struct path *new_dir, struct dentry *new_dentry);
+#endif
        int (*inode_alloc_security) (struct inode *inode);
        void (*inode_free_security) (struct inode *inode);
        int (*inode_init_security) (struct inode *inode, struct inode *dir,
@@ -1556,8 +1633,9 @@ int security_capset(struct cred *new, const struct cred *old,
                    const kernel_cap_t *effective,
                    const kernel_cap_t *inheritable,
                    const kernel_cap_t *permitted);
-int security_capable(struct task_struct *tsk, int cap);
+int security_capable(int cap);
-int security_capable_noaudit(struct task_struct *tsk, int cap);
+int security_real_capable(struct task_struct *tsk, int cap);
+int security_real_capable_noaudit(struct task_struct *tsk, int cap);
 int security_acct(struct file *file);
 int security_sysctl(struct ctl_table *table, int op);
 int security_quotactl(int cmds, int type, int id, struct super_block *sb);
@@ -1754,14 +1832,31 @@ static inline int security_capset(struct cred *new,
        return cap_capset(new, old, effective, inheritable, permitted);
 }
-static inline int security_capable(struct task_struct *tsk, int cap)
+static inline int security_capable(int cap)
+{
+        return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT);
+}
+static inline int security_real_capable(struct task_struct *tsk, int cap)
 {
-        return cap_capable(tsk, cap, SECURITY_CAP_AUDIT);
+        int ret;
+        rcu_read_lock();
+        ret = cap_capable(tsk, __task_cred(tsk), cap, SECURITY_CAP_AUDIT);
+        rcu_read_unlock();
+        return ret;
 }
-static inline int security_capable_noaudit(struct task_struct *tsk, int cap)
+static inline
+int security_real_capable_noaudit(struct task_struct *tsk, int cap)
 {
-        return cap_capable(tsk, cap, SECURITY_CAP_NOAUDIT);
+        int ret;
+        rcu_read_lock();
+        ret = cap_capable(tsk, __task_cred(tsk), cap,
+                               SECURITY_CAP_NOAUDIT);
+        rcu_read_unlock();
+        return ret;
 }
 static inline int security_acct(struct file *file)
@@ -2705,6 +2800,71 @@ static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi
 #endif  /* CONFIG_SECURITY_NETWORK_XFRM */
+#ifdef CONFIG_SECURITY_PATH
+int security_path_unlink(struct path *dir, struct dentry *dentry);
+int security_path_mkdir(struct path *dir, struct dentry *dentry, int mode);
+int security_path_rmdir(struct path *dir, struct dentry *dentry);
+int security_path_mknod(struct path *dir, struct dentry *dentry, int mode,
+                        unsigned int dev);
+int security_path_truncate(struct path *path, loff_t length,
+                           unsigned int time_attrs);
+int security_path_symlink(struct path *dir, struct dentry *dentry,
+                          const char *old_name);
+int security_path_link(struct dentry *old_dentry, struct path *new_dir,
+                       struct dentry *new_dentry);
+int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
+                         struct path *new_dir, struct dentry *new_dentry);
+#else   /* CONFIG_SECURITY_PATH */
+static inline int security_path_unlink(struct path *dir, struct dentry *dentry)
+{
+        return 0;
+}
+static inline int security_path_mkdir(struct path *dir, struct dentry *dentry,
+                                      int mode)
+{
+        return 0;
+}
+static inline int security_path_rmdir(struct path *dir, struct dentry *dentry)
+{
+        return 0;
+}
+static inline int security_path_mknod(struct path *dir, struct dentry *dentry,
+                                      int mode, unsigned int dev)
+{
+        return 0;
+}
+static inline int security_path_truncate(struct path *path, loff_t length,
+                                         unsigned int time_attrs)
+{
+        return 0;
+}
+static inline int security_path_symlink(struct path *dir, struct dentry *dentry,
+                                        const char *old_name)
+{
+        return 0;
+}
+static inline int security_path_link(struct dentry *old_dentry,
+                                     struct path *new_dir,
+                                     struct dentry *new_dentry)
+{
+        return 0;
+}
+static inline int security_path_rename(struct path *old_dir,
+                                       struct dentry *old_dentry,
+                                       struct path *new_dir,
+                                       struct dentry *new_dentry)
+{
+        return 0;
+}
+#endif  /* CONFIG_SECURITY_PATH */
 #ifdef CONFIG_KEYS
 #ifdef CONFIG_SECURITY

diff --git a/include/linux/security.h b/include/linux/security.h index 3416cb85e77b..1f2ab6353c00 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -48,7 +48,8 @@ struct audit_krule;
48	* These functions are in security/capability.c and are used	48	* These functions are in security/capability.c and are used
49	* as the default capabilities functions	49	* as the default capabilities functions
50	*/	50	*/
51	extern int cap_capable(struct task_struct *tsk, int cap, int audit);	51	extern int cap_capable(struct task_struct tsk, const struct cred cred,
		52	int cap, int audit);
52	extern int cap_settime(struct timespec ts, struct timezone tz);	53	extern int cap_settime(struct timespec ts, struct timezone tz);
53	extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode);	54	extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode);
54	extern int cap_ptrace_traceme(struct task_struct *parent);	55	extern int cap_ptrace_traceme(struct task_struct *parent);
@@ -335,17 +336,37 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
335	* @dir contains the inode structure of the parent directory of the new link.	336	* @dir contains the inode structure of the parent directory of the new link.
336	* @new_dentry contains the dentry structure for the new link.	337	* @new_dentry contains the dentry structure for the new link.
337	* Return 0 if permission is granted.	338	* Return 0 if permission is granted.
		339	* @path_link:
		340	* Check permission before creating a new hard link to a file.
		341	* @old_dentry contains the dentry structure for an existing link
		342	* to the file.
		343	* @new_dir contains the path structure of the parent directory of
		344	* the new link.
		345	* @new_dentry contains the dentry structure for the new link.
		346	* Return 0 if permission is granted.
338	* @inode_unlink:	347	* @inode_unlink:
339	* Check the permission to remove a hard link to a file.	348	* Check the permission to remove a hard link to a file.
340	* @dir contains the inode structure of parent directory of the file.	349	* @dir contains the inode structure of parent directory of the file.
341	* @dentry contains the dentry structure for file to be unlinked.	350	* @dentry contains the dentry structure for file to be unlinked.
342	* Return 0 if permission is granted.	351	* Return 0 if permission is granted.
		352	* @path_unlink:
		353	* Check the permission to remove a hard link to a file.
		354	* @dir contains the path structure of parent directory of the file.
		355	* @dentry contains the dentry structure for file to be unlinked.
		356	* Return 0 if permission is granted.
343	* @inode_symlink:	357	* @inode_symlink:
344	* Check the permission to create a symbolic link to a file.	358	* Check the permission to create a symbolic link to a file.
345	* @dir contains the inode structure of parent directory of the symbolic link.	359	* @dir contains the inode structure of parent directory of the symbolic link.
346	* @dentry contains the dentry structure of the symbolic link.	360	* @dentry contains the dentry structure of the symbolic link.
347	* @old_name contains the pathname of file.	361	* @old_name contains the pathname of file.
348	* Return 0 if permission is granted.	362	* Return 0 if permission is granted.
		363	* @path_symlink:
		364	* Check the permission to create a symbolic link to a file.
		365	* @dir contains the path structure of parent directory of
		366	* the symbolic link.
		367	* @dentry contains the dentry structure of the symbolic link.
		368	* @old_name contains the pathname of file.
		369	* Return 0 if permission is granted.
349	* @inode_mkdir:	370	* @inode_mkdir:
350	* Check permissions to create a new directory in the existing directory	371	* Check permissions to create a new directory in the existing directory
351	* associated with inode strcture @dir.	372	* associated with inode strcture @dir.
@@ -353,11 +374,25 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
353	* @dentry contains the dentry structure of new directory.	374	* @dentry contains the dentry structure of new directory.
354	* @mode contains the mode of new directory.	375	* @mode contains the mode of new directory.
355	* Return 0 if permission is granted.	376	* Return 0 if permission is granted.
		377	* @path_mkdir:
		378	* Check permissions to create a new directory in the existing directory
		379	* associated with path strcture @path.
		380	* @dir containst the path structure of parent of the directory
		381	* to be created.
		382	* @dentry contains the dentry structure of new directory.
		383	* @mode contains the mode of new directory.
		384	* Return 0 if permission is granted.
356	* @inode_rmdir:	385	* @inode_rmdir:
357	* Check the permission to remove a directory.	386	* Check the permission to remove a directory.
358	* @dir contains the inode structure of parent of the directory to be removed.	387	* @dir contains the inode structure of parent of the directory to be removed.
359	* @dentry contains the dentry structure of directory to be removed.	388	* @dentry contains the dentry structure of directory to be removed.
360	* Return 0 if permission is granted.	389	* Return 0 if permission is granted.
		390	* @path_rmdir:
		391	* Check the permission to remove a directory.
		392	* @dir contains the path structure of parent of the directory to be
		393	* removed.
		394	* @dentry contains the dentry structure of directory to be removed.
		395	* Return 0 if permission is granted.
361	* @inode_mknod:	396	* @inode_mknod:
362	* Check permissions when creating a special file (or a socket or a fifo	397	* Check permissions when creating a special file (or a socket or a fifo
363	* file created via the mknod system call). Note that if mknod operation	398	* file created via the mknod system call). Note that if mknod operation
@@ -368,6 +403,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
368	* @mode contains the mode of the new file.	403	* @mode contains the mode of the new file.
369	* @dev contains the device number.	404	* @dev contains the device number.
370	* Return 0 if permission is granted.	405	* Return 0 if permission is granted.
		406	* @path_mknod:
		407	* Check permissions when creating a file. Note that this hook is called
		408	* even if mknod operation is being done for a regular file.
		409	* @dir contains the path structure of parent of the new file.
		410	* @dentry contains the dentry structure of the new file.
		411	* @mode contains the mode of the new file.
		412	* @dev contains the undecoded device number. Use new_decode_dev() to get
		413	* the decoded device number.
		414	* Return 0 if permission is granted.
371	* @inode_rename:	415	* @inode_rename:
372	* Check for permission to rename a file or directory.	416	* Check for permission to rename a file or directory.
373	* @old_dir contains the inode structure for parent of the old link.	417	* @old_dir contains the inode structure for parent of the old link.
@@ -375,6 +419,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
375	* @new_dir contains the inode structure for parent of the new link.	419	* @new_dir contains the inode structure for parent of the new link.
376	* @new_dentry contains the dentry structure of the new link.	420	* @new_dentry contains the dentry structure of the new link.
377	* Return 0 if permission is granted.	421	* Return 0 if permission is granted.
		422	* @path_rename:
		423	* Check for permission to rename a file or directory.
		424	* @old_dir contains the path structure for parent of the old link.
		425	* @old_dentry contains the dentry structure of the old link.
		426	* @new_dir contains the path structure for parent of the new link.
		427	* @new_dentry contains the dentry structure of the new link.
		428	* Return 0 if permission is granted.
378	* @inode_readlink:	429	* @inode_readlink:
379	* Check the permission to read the symbolic link.	430	* Check the permission to read the symbolic link.
380	* @dentry contains the dentry structure for the file link.	431	* @dentry contains the dentry structure for the file link.
@@ -403,6 +454,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
403	* @dentry contains the dentry structure for the file.	454	* @dentry contains the dentry structure for the file.
404	* @attr is the iattr structure containing the new file attributes.	455	* @attr is the iattr structure containing the new file attributes.
405	* Return 0 if permission is granted.	456	* Return 0 if permission is granted.
		457	* @path_truncate:
		458	* Check permission before truncating a file.
		459	* @path contains the path structure for the file.
		460	* @length is the new length of the file.
		461	* @time_attrs is the flags passed to do_truncate().
		462	* Return 0 if permission is granted.
406	* @inode_getattr:	463	* @inode_getattr:
407	* Check permission before obtaining file attributes.	464	* Check permission before obtaining file attributes.
408	* @mnt is the vfsmount where the dentry was looked up	465	* @mnt is the vfsmount where the dentry was looked up
@@ -1195,9 +1252,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
1195	* @permitted contains the permitted capability set.	1252	* @permitted contains the permitted capability set.
1196	* Return 0 and update @new if permission is granted.	1253	* Return 0 and update @new if permission is granted.
1197	* @capable:	1254	* @capable:
1198	* Check whether the @tsk process has the @cap capability.	1255	* Check whether the @tsk process has the @cap capability in the indicated
		1256	* credentials.
1199	* @tsk contains the task_struct for the process.	1257	* @tsk contains the task_struct for the process.
		1258	* @cred contains the credentials to use.
1200	* @cap contains the capability <include/linux/capability.h>.	1259	* @cap contains the capability <include/linux/capability.h>.
		1260	* @audit: Whether to write an audit message or not
1201	* Return 0 if the capability is granted for @tsk.	1261	* Return 0 if the capability is granted for @tsk.
1202	* @acct:	1262	* @acct:
1203	* Check permission before enabling or disabling process accounting. If	1263	* Check permission before enabling or disabling process accounting. If
@@ -1290,7 +1350,8 @@ struct security_operations {
1290	const kernel_cap_t *effective,	1350	const kernel_cap_t *effective,
1291	const kernel_cap_t *inheritable,	1351	const kernel_cap_t *inheritable,
1292	const kernel_cap_t *permitted);	1352	const kernel_cap_t *permitted);
1293	int (capable) (struct task_struct tsk, int cap, int audit);	1353	int (capable) (struct task_struct tsk, const struct cred *cred,
		1354	int cap, int audit);
1294	int (acct) (struct file file);	1355	int (acct) (struct file file);
1295	int (sysctl) (struct ctl_table table, int op);	1356	int (sysctl) (struct ctl_table table, int op);
1296	int (quotactl) (int cmds, int type, int id, struct super_block sb);	1357	int (quotactl) (int cmds, int type, int id, struct super_block sb);
@@ -1331,6 +1392,22 @@ struct security_operations {
1331	struct super_block *newsb);	1392	struct super_block *newsb);
1332	int (sb_parse_opts_str) (char options, struct security_mnt_opts *opts);	1393	int (sb_parse_opts_str) (char options, struct security_mnt_opts *opts);
1333		1394
		1395	#ifdef CONFIG_SECURITY_PATH
		1396	int (path_unlink) (struct path dir, struct dentry *dentry);
		1397	int (path_mkdir) (struct path dir, struct dentry *dentry, int mode);
		1398	int (path_rmdir) (struct path dir, struct dentry *dentry);
		1399	int (path_mknod) (struct path dir, struct dentry *dentry, int mode,
		1400	unsigned int dev);
		1401	int (path_truncate) (struct path path, loff_t length,
		1402	unsigned int time_attrs);
		1403	int (path_symlink) (struct path dir, struct dentry *dentry,
		1404	const char *old_name);
		1405	int (path_link) (struct dentry old_dentry, struct path *new_dir,
		1406	struct dentry *new_dentry);
		1407	int (path_rename) (struct path old_dir, struct dentry *old_dentry,
		1408	struct path new_dir, struct dentry new_dentry);
		1409	#endif
		1410
1334	int (inode_alloc_security) (struct inode inode);	1411	int (inode_alloc_security) (struct inode inode);
1335	void (inode_free_security) (struct inode inode);	1412	void (inode_free_security) (struct inode inode);
1336	int (inode_init_security) (struct inode inode, struct inode *dir,	1413	int (inode_init_security) (struct inode inode, struct inode *dir,
@@ -1556,8 +1633,9 @@ int security_capset(struct cred new, const struct cred old,
1556	const kernel_cap_t *effective,	1633	const kernel_cap_t *effective,
1557	const kernel_cap_t *inheritable,	1634	const kernel_cap_t *inheritable,
1558	const kernel_cap_t *permitted);	1635	const kernel_cap_t *permitted);
1559	int security_capable(struct task_struct *tsk, int cap);	1636	int security_capable(int cap);
1560	int security_capable_noaudit(struct task_struct *tsk, int cap);	1637	int security_real_capable(struct task_struct *tsk, int cap);
		1638	int security_real_capable_noaudit(struct task_struct *tsk, int cap);
1561	int security_acct(struct file *file);	1639	int security_acct(struct file *file);
1562	int security_sysctl(struct ctl_table *table, int op);	1640	int security_sysctl(struct ctl_table *table, int op);
1563	int security_quotactl(int cmds, int type, int id, struct super_block *sb);	1641	int security_quotactl(int cmds, int type, int id, struct super_block *sb);
@@ -1754,14 +1832,31 @@ static inline int security_capset(struct cred *new,
1754	return cap_capset(new, old, effective, inheritable, permitted);	1832	return cap_capset(new, old, effective, inheritable, permitted);
1755	}	1833	}
1756		1834
1757	static inline int security_capable(struct task_struct *tsk, int cap)	1835	static inline int security_capable(int cap)
		1836	{
		1837	return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT);
		1838	}
		1839
		1840	static inline int security_real_capable(struct task_struct *tsk, int cap)
1758	{	1841	{
1759	return cap_capable(tsk, cap, SECURITY_CAP_AUDIT);	1842	int ret;
		1843
		1844	rcu_read_lock();
		1845	ret = cap_capable(tsk, __task_cred(tsk), cap, SECURITY_CAP_AUDIT);
		1846	rcu_read_unlock();
		1847	return ret;
1760	}	1848	}
1761		1849
1762	static inline int security_capable_noaudit(struct task_struct *tsk, int cap)	1850	static inline
		1851	int security_real_capable_noaudit(struct task_struct *tsk, int cap)
1763	{	1852	{
1764	return cap_capable(tsk, cap, SECURITY_CAP_NOAUDIT);	1853	int ret;
		1854
		1855	rcu_read_lock();
		1856	ret = cap_capable(tsk, __task_cred(tsk), cap,
		1857	SECURITY_CAP_NOAUDIT);
		1858	rcu_read_unlock();
		1859	return ret;
1765	}	1860	}
1766		1861
1767	static inline int security_acct(struct file *file)	1862	static inline int security_acct(struct file *file)
@@ -2705,6 +2800,71 @@ static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi
2705		2800
2706	#endif /* CONFIG_SECURITY_NETWORK_XFRM */	2801	#endif /* CONFIG_SECURITY_NETWORK_XFRM */
2707		2802
		2803	#ifdef CONFIG_SECURITY_PATH
		2804	int security_path_unlink(struct path dir, struct dentry dentry);
		2805	int security_path_mkdir(struct path dir, struct dentry dentry, int mode);
		2806	int security_path_rmdir(struct path dir, struct dentry dentry);
		2807	int security_path_mknod(struct path dir, struct dentry dentry, int mode,
		2808	unsigned int dev);
		2809	int security_path_truncate(struct path *path, loff_t length,
		2810	unsigned int time_attrs);
		2811	int security_path_symlink(struct path dir, struct dentry dentry,
		2812	const char *old_name);
		2813	int security_path_link(struct dentry old_dentry, struct path new_dir,
		2814	struct dentry *new_dentry);
		2815	int security_path_rename(struct path old_dir, struct dentry old_dentry,
		2816	struct path new_dir, struct dentry new_dentry);
		2817	#else /* CONFIG_SECURITY_PATH */
		2818	static inline int security_path_unlink(struct path dir, struct dentry dentry)
		2819	{
		2820	return 0;
		2821	}
		2822
		2823	static inline int security_path_mkdir(struct path dir, struct dentry dentry,
		2824	int mode)
		2825	{
		2826	return 0;
		2827	}
		2828
		2829	static inline int security_path_rmdir(struct path dir, struct dentry dentry)
		2830	{
		2831	return 0;
		2832	}
		2833
		2834	static inline int security_path_mknod(struct path dir, struct dentry dentry,
		2835	int mode, unsigned int dev)
		2836	{
		2837	return 0;
		2838	}
		2839
		2840	static inline int security_path_truncate(struct path *path, loff_t length,
		2841	unsigned int time_attrs)
		2842	{
		2843	return 0;
		2844	}
		2845
		2846	static inline int security_path_symlink(struct path dir, struct dentry dentry,
		2847	const char *old_name)
		2848	{
		2849	return 0;
		2850	}
		2851
		2852	static inline int security_path_link(struct dentry *old_dentry,
		2853	struct path *new_dir,
		2854	struct dentry *new_dentry)
		2855	{
		2856	return 0;
		2857	}
		2858
		2859	static inline int security_path_rename(struct path *old_dir,
		2860	struct dentry *old_dentry,
		2861	struct path *new_dir,
		2862	struct dentry *new_dentry)
		2863	{
		2864	return 0;
		2865	}
		2866	#endif /* CONFIG_SECURITY_PATH */
		2867
2708	#ifdef CONFIG_KEYS	2868	#ifdef CONFIG_KEYS
2709	#ifdef CONFIG_SECURITY	2869	#ifdef CONFIG_SECURITY
2710		2870