diff options
Diffstat (limited to 'security/commoncap.c')
| -rw-r--r-- | security/commoncap.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 0cf4b53480a7..8b3e10e2eac7 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
| @@ -81,7 +81,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, | |||
| 81 | return 0; | 81 | return 0; |
| 82 | 82 | ||
| 83 | /* Do we have the necessary capabilities? */ | 83 | /* Do we have the necessary capabilities? */ |
| 84 | if (targ_ns == cred->user->user_ns) | 84 | if (targ_ns == cred->user_ns) |
| 85 | return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; | 85 | return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; |
| 86 | 86 | ||
| 87 | /* Have we tried all of the parent namespaces? */ | 87 | /* Have we tried all of the parent namespaces? */ |
| @@ -136,10 +136,10 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) | |||
| 136 | rcu_read_lock(); | 136 | rcu_read_lock(); |
| 137 | cred = current_cred(); | 137 | cred = current_cred(); |
| 138 | child_cred = __task_cred(child); | 138 | child_cred = __task_cred(child); |
| 139 | if (cred->user->user_ns == child_cred->user->user_ns && | 139 | if (cred->user_ns == child_cred->user_ns && |
| 140 | cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) | 140 | cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) |
| 141 | goto out; | 141 | goto out; |
| 142 | if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE)) | 142 | if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE)) |
| 143 | goto out; | 143 | goto out; |
| 144 | ret = -EPERM; | 144 | ret = -EPERM; |
| 145 | out: | 145 | out: |
| @@ -168,10 +168,10 @@ int cap_ptrace_traceme(struct task_struct *parent) | |||
| 168 | rcu_read_lock(); | 168 | rcu_read_lock(); |
| 169 | cred = __task_cred(parent); | 169 | cred = __task_cred(parent); |
| 170 | child_cred = current_cred(); | 170 | child_cred = current_cred(); |
| 171 | if (cred->user->user_ns == child_cred->user->user_ns && | 171 | if (cred->user_ns == child_cred->user_ns && |
| 172 | cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) | 172 | cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) |
| 173 | goto out; | 173 | goto out; |
| 174 | if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE)) | 174 | if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE)) |
| 175 | goto out; | 175 | goto out; |
| 176 | ret = -EPERM; | 176 | ret = -EPERM; |
| 177 | out: | 177 | out: |
| @@ -214,7 +214,7 @@ static inline int cap_inh_is_capped(void) | |||
| 214 | /* they are so limited unless the current task has the CAP_SETPCAP | 214 | /* they are so limited unless the current task has the CAP_SETPCAP |
| 215 | * capability | 215 | * capability |
| 216 | */ | 216 | */ |
| 217 | if (cap_capable(current_cred(), current_cred()->user->user_ns, | 217 | if (cap_capable(current_cred(), current_cred()->user_ns, |
| 218 | CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0) | 218 | CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0) |
| 219 | return 0; | 219 | return 0; |
| 220 | return 1; | 220 | return 1; |
| @@ -866,7 +866,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
| 866 | || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ | 866 | || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ |
| 867 | || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ | 867 | || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ |
| 868 | || (cap_capable(current_cred(), | 868 | || (cap_capable(current_cred(), |
| 869 | current_cred()->user->user_ns, CAP_SETPCAP, | 869 | current_cred()->user_ns, CAP_SETPCAP, |
| 870 | SECURITY_CAP_AUDIT) != 0) /*[4]*/ | 870 | SECURITY_CAP_AUDIT) != 0) /*[4]*/ |
| 871 | /* | 871 | /* |
| 872 | * [1] no changing of bits that are locked | 872 | * [1] no changing of bits that are locked |