aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux/security.h
diff options
context:
space:
mode:
Diffstat (limited to 'include/linux/security.h')
-rw-r--r--include/linux/security.h41
1 files changed, 32 insertions, 9 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index b92b5e453f64..1f2ab6353c00 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -48,7 +48,8 @@ struct audit_krule;
48 * These functions are in security/capability.c and are used 48 * These functions are in security/capability.c and are used
49 * as the default capabilities functions 49 * as the default capabilities functions
50 */ 50 */
51extern int cap_capable(struct task_struct *tsk, int cap, int audit); 51extern int cap_capable(struct task_struct *tsk, const struct cred *cred,
52 int cap, int audit);
52extern int cap_settime(struct timespec *ts, struct timezone *tz); 53extern int cap_settime(struct timespec *ts, struct timezone *tz);
53extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode); 54extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode);
54extern int cap_ptrace_traceme(struct task_struct *parent); 55extern int cap_ptrace_traceme(struct task_struct *parent);
@@ -1251,9 +1252,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
1251 * @permitted contains the permitted capability set. 1252 * @permitted contains the permitted capability set.
1252 * Return 0 and update @new if permission is granted. 1253 * Return 0 and update @new if permission is granted.
1253 * @capable: 1254 * @capable:
1254 * Check whether the @tsk process has the @cap capability. 1255 * Check whether the @tsk process has the @cap capability in the indicated
1256 * credentials.
1255 * @tsk contains the task_struct for the process. 1257 * @tsk contains the task_struct for the process.
1258 * @cred contains the credentials to use.
1256 * @cap contains the capability <include/linux/capability.h>. 1259 * @cap contains the capability <include/linux/capability.h>.
1260 * @audit: Whether to write an audit message or not
1257 * Return 0 if the capability is granted for @tsk. 1261 * Return 0 if the capability is granted for @tsk.
1258 * @acct: 1262 * @acct:
1259 * Check permission before enabling or disabling process accounting. If 1263 * Check permission before enabling or disabling process accounting. If
@@ -1346,7 +1350,8 @@ struct security_operations {
1346 const kernel_cap_t *effective, 1350 const kernel_cap_t *effective,
1347 const kernel_cap_t *inheritable, 1351 const kernel_cap_t *inheritable,
1348 const kernel_cap_t *permitted); 1352 const kernel_cap_t *permitted);
1349 int (*capable) (struct task_struct *tsk, int cap, int audit); 1353 int (*capable) (struct task_struct *tsk, const struct cred *cred,
1354 int cap, int audit);
1350 int (*acct) (struct file *file); 1355 int (*acct) (struct file *file);
1351 int (*sysctl) (struct ctl_table *table, int op); 1356 int (*sysctl) (struct ctl_table *table, int op);
1352 int (*quotactl) (int cmds, int type, int id, struct super_block *sb); 1357 int (*quotactl) (int cmds, int type, int id, struct super_block *sb);
@@ -1628,8 +1633,9 @@ int security_capset(struct cred *new, const struct cred *old,
1628 const kernel_cap_t *effective, 1633 const kernel_cap_t *effective,
1629 const kernel_cap_t *inheritable, 1634 const kernel_cap_t *inheritable,
1630 const kernel_cap_t *permitted); 1635 const kernel_cap_t *permitted);
1631int security_capable(struct task_struct *tsk, int cap); 1636int security_capable(int cap);
1632int security_capable_noaudit(struct task_struct *tsk, int cap); 1637int security_real_capable(struct task_struct *tsk, int cap);
1638int security_real_capable_noaudit(struct task_struct *tsk, int cap);
1633int security_acct(struct file *file); 1639int security_acct(struct file *file);
1634int security_sysctl(struct ctl_table *table, int op); 1640int security_sysctl(struct ctl_table *table, int op);
1635int security_quotactl(int cmds, int type, int id, struct super_block *sb); 1641int security_quotactl(int cmds, int type, int id, struct super_block *sb);
@@ -1826,14 +1832,31 @@ static inline int security_capset(struct cred *new,
1826 return cap_capset(new, old, effective, inheritable, permitted); 1832 return cap_capset(new, old, effective, inheritable, permitted);
1827} 1833}
1828 1834
1829static inline int security_capable(struct task_struct *tsk, int cap) 1835static inline int security_capable(int cap)
1830{ 1836{
1831 return cap_capable(tsk, cap, SECURITY_CAP_AUDIT); 1837 return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT);
1832} 1838}
1833 1839
1834static inline int security_capable_noaudit(struct task_struct *tsk, int cap) 1840static inline int security_real_capable(struct task_struct *tsk, int cap)
1835{ 1841{
1836 return cap_capable(tsk, cap, SECURITY_CAP_NOAUDIT); 1842 int ret;
1843
1844 rcu_read_lock();
1845 ret = cap_capable(tsk, __task_cred(tsk), cap, SECURITY_CAP_AUDIT);
1846 rcu_read_unlock();
1847 return ret;
1848}
1849
1850static inline
1851int security_real_capable_noaudit(struct task_struct *tsk, int cap)
1852{
1853 int ret;
1854
1855 rcu_read_lock();
1856 ret = cap_capable(tsk, __task_cred(tsk), cap,
1857 SECURITY_CAP_NOAUDIT);
1858 rcu_read_unlock();
1859 return ret;
1837} 1860}
1838 1861
1839static inline int security_acct(struct file *file) 1862static inline int security_acct(struct file *file)