aboutsummaryrefslogtreecommitdiffstats
path: root/security/commoncap.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/commoncap.c')
-rw-r--r--security/commoncap.c16
1 files changed, 7 insertions, 9 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index a93b3b733079..89f02ff66af9 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -66,7 +66,6 @@ EXPORT_SYMBOL(cap_netlink_recv);
66 66
67/** 67/**
68 * cap_capable - Determine whether a task has a particular effective capability 68 * cap_capable - Determine whether a task has a particular effective capability
69 * @tsk: The task to query
70 * @cred: The credentials to use 69 * @cred: The credentials to use
71 * @ns: The user namespace in which we need the capability 70 * @ns: The user namespace in which we need the capability
72 * @cap: The capability to check for 71 * @cap: The capability to check for
@@ -80,8 +79,8 @@ EXPORT_SYMBOL(cap_netlink_recv);
80 * cap_has_capability() returns 0 when a task has a capability, but the 79 * cap_has_capability() returns 0 when a task has a capability, but the
81 * kernel's capable() and has_capability() returns 1 for this case. 80 * kernel's capable() and has_capability() returns 1 for this case.
82 */ 81 */
83int cap_capable(struct task_struct *tsk, const struct cred *cred, 82int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
84 struct user_namespace *targ_ns, int cap, int audit) 83 int cap, int audit)
85{ 84{
86 for (;;) { 85 for (;;) {
87 /* The creator of the user namespace has all caps. */ 86 /* The creator of the user namespace has all caps. */
@@ -222,9 +221,8 @@ static inline int cap_inh_is_capped(void)
222 /* they are so limited unless the current task has the CAP_SETPCAP 221 /* they are so limited unless the current task has the CAP_SETPCAP
223 * capability 222 * capability
224 */ 223 */
225 if (cap_capable(current, current_cred(), 224 if (cap_capable(current_cred(), current_cred()->user->user_ns,
226 current_cred()->user->user_ns, CAP_SETPCAP, 225 CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
227 SECURITY_CAP_AUDIT) == 0)
228 return 0; 226 return 0;
229 return 1; 227 return 1;
230} 228}
@@ -870,7 +868,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
870 & (new->securebits ^ arg2)) /*[1]*/ 868 & (new->securebits ^ arg2)) /*[1]*/
871 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ 869 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
872 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ 870 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
873 || (cap_capable(current, current_cred(), 871 || (cap_capable(current_cred(),
874 current_cred()->user->user_ns, CAP_SETPCAP, 872 current_cred()->user->user_ns, CAP_SETPCAP,
875 SECURITY_CAP_AUDIT) != 0) /*[4]*/ 873 SECURITY_CAP_AUDIT) != 0) /*[4]*/
876 /* 874 /*
@@ -936,7 +934,7 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
936{ 934{
937 int cap_sys_admin = 0; 935 int cap_sys_admin = 0;
938 936
939 if (cap_capable(current, current_cred(), &init_user_ns, CAP_SYS_ADMIN, 937 if (cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
940 SECURITY_CAP_NOAUDIT) == 0) 938 SECURITY_CAP_NOAUDIT) == 0)
941 cap_sys_admin = 1; 939 cap_sys_admin = 1;
942 return __vm_enough_memory(mm, pages, cap_sys_admin); 940 return __vm_enough_memory(mm, pages, cap_sys_admin);
@@ -963,7 +961,7 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,
963 int ret = 0; 961 int ret = 0;
964 962
965 if (addr < dac_mmap_min_addr) { 963 if (addr < dac_mmap_min_addr) {
966 ret = cap_capable(current, current_cred(), &init_user_ns, CAP_SYS_RAWIO, 964 ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
967 SECURITY_CAP_AUDIT); 965 SECURITY_CAP_AUDIT);
968 /* set PF_SUPERPRIV if it turns out we allow the low mmap */ 966 /* set PF_SUPERPRIV if it turns out we allow the low mmap */
969 if (ret == 0) 967 if (ret == 0)
generated by cgit v1.2.2 (git 2.25.0) at 2024-09-20 05:18:40 -0400