diff options
Diffstat (limited to 'include/linux/security.h')
-rw-r--r-- | include/linux/security.h | 41 |
1 files changed, 32 insertions, 9 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index b92b5e453f64..1f2ab6353c00 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
@@ -48,7 +48,8 @@ struct audit_krule; | |||
48 | * These functions are in security/capability.c and are used | 48 | * These functions are in security/capability.c and are used |
49 | * as the default capabilities functions | 49 | * as the default capabilities functions |
50 | */ | 50 | */ |
51 | extern int cap_capable(struct task_struct *tsk, int cap, int audit); | 51 | extern int cap_capable(struct task_struct *tsk, const struct cred *cred, |
52 | int cap, int audit); | ||
52 | extern int cap_settime(struct timespec *ts, struct timezone *tz); | 53 | extern int cap_settime(struct timespec *ts, struct timezone *tz); |
53 | extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode); | 54 | extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode); |
54 | extern int cap_ptrace_traceme(struct task_struct *parent); | 55 | extern int cap_ptrace_traceme(struct task_struct *parent); |
@@ -1251,9 +1252,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
1251 | * @permitted contains the permitted capability set. | 1252 | * @permitted contains the permitted capability set. |
1252 | * Return 0 and update @new if permission is granted. | 1253 | * Return 0 and update @new if permission is granted. |
1253 | * @capable: | 1254 | * @capable: |
1254 | * Check whether the @tsk process has the @cap capability. | 1255 | * Check whether the @tsk process has the @cap capability in the indicated |
1256 | * credentials. | ||
1255 | * @tsk contains the task_struct for the process. | 1257 | * @tsk contains the task_struct for the process. |
1258 | * @cred contains the credentials to use. | ||
1256 | * @cap contains the capability <include/linux/capability.h>. | 1259 | * @cap contains the capability <include/linux/capability.h>. |
1260 | * @audit: Whether to write an audit message or not | ||
1257 | * Return 0 if the capability is granted for @tsk. | 1261 | * Return 0 if the capability is granted for @tsk. |
1258 | * @acct: | 1262 | * @acct: |
1259 | * Check permission before enabling or disabling process accounting. If | 1263 | * Check permission before enabling or disabling process accounting. If |
@@ -1346,7 +1350,8 @@ struct security_operations { | |||
1346 | const kernel_cap_t *effective, | 1350 | const kernel_cap_t *effective, |
1347 | const kernel_cap_t *inheritable, | 1351 | const kernel_cap_t *inheritable, |
1348 | const kernel_cap_t *permitted); | 1352 | const kernel_cap_t *permitted); |
1349 | int (*capable) (struct task_struct *tsk, int cap, int audit); | 1353 | int (*capable) (struct task_struct *tsk, const struct cred *cred, |
1354 | int cap, int audit); | ||
1350 | int (*acct) (struct file *file); | 1355 | int (*acct) (struct file *file); |
1351 | int (*sysctl) (struct ctl_table *table, int op); | 1356 | int (*sysctl) (struct ctl_table *table, int op); |
1352 | int (*quotactl) (int cmds, int type, int id, struct super_block *sb); | 1357 | int (*quotactl) (int cmds, int type, int id, struct super_block *sb); |
@@ -1628,8 +1633,9 @@ int security_capset(struct cred *new, const struct cred *old, | |||
1628 | const kernel_cap_t *effective, | 1633 | const kernel_cap_t *effective, |
1629 | const kernel_cap_t *inheritable, | 1634 | const kernel_cap_t *inheritable, |
1630 | const kernel_cap_t *permitted); | 1635 | const kernel_cap_t *permitted); |
1631 | int security_capable(struct task_struct *tsk, int cap); | 1636 | int security_capable(int cap); |
1632 | int security_capable_noaudit(struct task_struct *tsk, int cap); | 1637 | int security_real_capable(struct task_struct *tsk, int cap); |
1638 | int security_real_capable_noaudit(struct task_struct *tsk, int cap); | ||
1633 | int security_acct(struct file *file); | 1639 | int security_acct(struct file *file); |
1634 | int security_sysctl(struct ctl_table *table, int op); | 1640 | int security_sysctl(struct ctl_table *table, int op); |
1635 | int security_quotactl(int cmds, int type, int id, struct super_block *sb); | 1641 | int security_quotactl(int cmds, int type, int id, struct super_block *sb); |
@@ -1826,14 +1832,31 @@ static inline int security_capset(struct cred *new, | |||
1826 | return cap_capset(new, old, effective, inheritable, permitted); | 1832 | return cap_capset(new, old, effective, inheritable, permitted); |
1827 | } | 1833 | } |
1828 | 1834 | ||
1829 | static inline int security_capable(struct task_struct *tsk, int cap) | 1835 | static inline int security_capable(int cap) |
1830 | { | 1836 | { |
1831 | return cap_capable(tsk, cap, SECURITY_CAP_AUDIT); | 1837 | return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT); |
1832 | } | 1838 | } |
1833 | 1839 | ||
1834 | static inline int security_capable_noaudit(struct task_struct *tsk, int cap) | 1840 | static inline int security_real_capable(struct task_struct *tsk, int cap) |
1835 | { | 1841 | { |
1836 | return cap_capable(tsk, cap, SECURITY_CAP_NOAUDIT); | 1842 | int ret; |
1843 | |||
1844 | rcu_read_lock(); | ||
1845 | ret = cap_capable(tsk, __task_cred(tsk), cap, SECURITY_CAP_AUDIT); | ||
1846 | rcu_read_unlock(); | ||
1847 | return ret; | ||
1848 | } | ||
1849 | |||
1850 | static inline | ||
1851 | int security_real_capable_noaudit(struct task_struct *tsk, int cap) | ||
1852 | { | ||
1853 | int ret; | ||
1854 | |||
1855 | rcu_read_lock(); | ||
1856 | ret = cap_capable(tsk, __task_cred(tsk), cap, | ||
1857 | SECURITY_CAP_NOAUDIT); | ||
1858 | rcu_read_unlock(); | ||
1859 | return ret; | ||
1837 | } | 1860 | } |
1838 | 1861 | ||
1839 | static inline int security_acct(struct file *file) | 1862 | static inline int security_acct(struct file *file) |