Diffstat (limited to 'kernel')
-rw-r--r--kernel/fork.c1
-rw-r--r--kernel/sys.c13
-rw-r--r--kernel/sysctl.c35
-rw-r--r--kernel/sysctl_check.c7
4 files changed, 13 insertions, 43 deletions
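diff --git a/kernel/fork.c b/kernel/fork.c
index 1160f87ba700..2b55b74cd999 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1118,6 +1118,7 @@ static struct task_struct *copy_process(unsigned long clone_flags,
 #ifdef CONFIG_SECURITY
 	p->security = NULL;
 #endif
+	p->cap_bset = current->cap_bset;
 	p->io_context = NULL;
 	p->audit_context = NULL;
 	cgroup_fork(p);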
diff --git a/kernel/sys.c b/kernel/sys.c
index d1fe71eb4546..4162d12390b6 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1637,7 +1637,7 @@ asmlinkage long sys_umask(int mask)
1637 mask = xchg(&current->fs->umask, mask & S_IRWXUGO); 1637 mask = xchg(&current->fs->umask, mask & S_IRWXUGO);
1638 return mask; 1638 return mask;
1639} 1639}
1640 1640
1641asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3, 1641asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3,
1642 unsigned long arg4, unsigned long arg5) 1642 unsigned long arg4, unsigned long arg5)
1643{ 1643{
@@ -1742,6 +1742,17 @@ asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3,
1742 error = prctl_set_seccomp(arg2); 1742 error = prctl_set_seccomp(arg2);
1743 break; 1743 break;
1744 1744
1745 case PR_CAPBSET_READ:
1746 if (!cap_valid(arg2))
1747 return -EINVAL;
1748 return !!cap_raised(current->cap_bset, arg2);
1749 case PR_CAPBSET_DROP:
1750#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
1751 return cap_prctl_drop(arg2);
1752#else
1753 return -EINVAL;
1754#endif
1755
1745 default: 1756 default:
1746 error = -EINVAL; 1757 error = -EINVAL;
1747 break; 1758 break;
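Review bot: The new PR_CAPBSET_READ and PR_CAPBSET_DROP arms `return` straight out of the switch, whereas the neighbouring seccomp arm and the default arm set `error` and `break`; if sys_prctl does any common work after the switch, these two arms bypass it — the function's tail is outside this hunk, so please confirm. In the `#else` branch PR_CAPBSET_DROP answers -EINVAL, the same value PR_CAPBSET_READ uses for a bad capability number, so userspace cannot tell "unsupported on this kernel" from "invalid argument"; a comment would at least make the choice explicit, e.g. `/* bounding-set drops are only available with file capabilities; report -EINVAL like a bad option */`. PR_CAPBSET_DROP also delegates all validation of arg2 (and presumably the CAP_SETPCAP check) to cap_prctl_drop(), which is not visible here — worth noting inline: `/* cap_prctl_drop() validates arg2 and enforces the privilege check */`. sys_prctl's body begins and ends outside this hunk.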
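diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index d0b47b859067..5e2ad5bf88e2 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -419,15 +419,6 @@ static struct ctl_table kern_table[] = {
 		.proc_handler	= &proc_dointvec,
 	},
 #endif
-#ifdef CONFIG_SECURITY_CAPABILITIES
-	{
-		.procname	= "cap-bound",
-		.data		= &cap_bset,
-		.maxlen		= sizeof(kernel_cap_t),
-		.mode		= 0600,
-		.proc_handler	= &proc_dointvec_bset,
-	},
-#endif /* def CONFIG_SECURITY_CAPABILITIES */
 #ifdef CONFIG_BLK_DEV_INITRD
 	{
 		.ctl_name	= KERN_REALROOTDEV,
@@ -2096,26 +2087,6 @@ static int do_proc_dointvec_bset_conv(int *negp, unsigned long *lvalp,
 	return 0;
 }
 
-#ifdef CONFIG_SECURITY_CAPABILITIES
-/*
- * init may raise the set.
- */
-
-int proc_dointvec_bset(struct ctl_table *table, int write, struct file *filp,
-			void __user *buffer, size_t *lenp, loff_t *ppos)
-{
-	int op;
-
-	if (write && !capable(CAP_SYS_MODULE)) {
-		return -EPERM;
-	}
-
-	op = is_global_init(current) ? OP_SET : OP_AND;
-	return do_proc_dointvec(table,write,filp,buffer,lenp,ppos,
-				do_proc_dointvec_bset_conv,&op);
-}
-#endif /* def CONFIG_SECURITY_CAPABILITIES */
-
 /*
  * Taint values can only be increased
  */
@@ -2529,12 +2500,6 @@ int proc_dointvec(struct ctl_table *table, int write, struct file *filp,
 	return -ENOSYS;
 }
 
-int proc_dointvec_bset(struct ctl_table *table, int write, struct file *filp,
-			void __user *buffer, size_t *lenp, loff_t *ppos)
-{
-	return -ENOSYS;
-}
-
 int proc_dointvec_minmax(struct ctl_table *table, int write, struct file *filp,
 			void __user *buffer, size_t *lenp, loff_t *ppos)
 {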
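diff --git a/kernel/sysctl_check.c b/kernel/sysctl_check.c
index c3206fa50048..006365b69eaf 100644
--- a/kernel/sysctl_check.c
+++ b/kernel/sysctl_check.c
@@ -37,10 +37,6 @@ static struct trans_ctl_table trans_kern_table[] = {
 	{ KERN_NODENAME,		"hostname" },
 	{ KERN_DOMAINNAME,		"domainname" },
 
-#ifdef CONFIG_SECURITY_CAPABILITIES
-	{ KERN_CAP_BSET,		"cap-bound" },
-#endif /* def CONFIG_SECURITY_CAPABILITIES */
-
 	{ KERN_PANIC,			"panic" },
 	{ KERN_REALROOTDEV,		"real-root-dev" },
 
@@ -1498,9 +1494,6 @@ int sysctl_check_table(struct nsproxy *namespaces, struct ctl_table *table)
 		    (table->strategy == sysctl_ms_jiffies) ||
 		    (table->proc_handler == proc_dostring) ||
 		    (table->proc_handler == proc_dointvec) ||
-#ifdef CONFIG_SECURITY_CAPABILITIES
-		    (table->proc_handler == proc_dointvec_bset) ||
-#endif /* def CONFIG_SECURITY_CAPABILITIES */
 		    (table->proc_handler == proc_dointvec_minmax) ||
 		    (table->proc_handler == proc_dointvec_jiffies) ||
 		    (table->proc_handler == proc_dointvec_userhz_jiffies) ||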