diff options
Diffstat (limited to 'security/commoncap.c')
| -rw-r--r-- | security/commoncap.c | 24 |
1 files changed, 7 insertions, 17 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index ee4f8486e5f5..7ce191ea29a0 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
| @@ -56,17 +56,8 @@ int cap_netlink_send(struct sock *sk, struct sk_buff *skb) | |||
| 56 | return 0; | 56 | return 0; |
| 57 | } | 57 | } |
| 58 | 58 | ||
| 59 | int cap_netlink_recv(struct sk_buff *skb, int cap) | ||
| 60 | { | ||
| 61 | if (!cap_raised(current_cap(), cap)) | ||
| 62 | return -EPERM; | ||
| 63 | return 0; | ||
| 64 | } | ||
| 65 | EXPORT_SYMBOL(cap_netlink_recv); | ||
| 66 | |||
| 67 | /** | 59 | /** |
| 68 | * cap_capable - Determine whether a task has a particular effective capability | 60 | * cap_capable - Determine whether a task has a particular effective capability |
| 69 | * @tsk: The task to query | ||
| 70 | * @cred: The credentials to use | 61 | * @cred: The credentials to use |
| 71 | * @ns: The user namespace in which we need the capability | 62 | * @ns: The user namespace in which we need the capability |
| 72 | * @cap: The capability to check for | 63 | * @cap: The capability to check for |
| @@ -80,8 +71,8 @@ EXPORT_SYMBOL(cap_netlink_recv); | |||
| 80 | * cap_has_capability() returns 0 when a task has a capability, but the | 71 | * cap_has_capability() returns 0 when a task has a capability, but the |
| 81 | * kernel's capable() and has_capability() returns 1 for this case. | 72 | * kernel's capable() and has_capability() returns 1 for this case. |
| 82 | */ | 73 | */ |
| 83 | int cap_capable(struct task_struct *tsk, const struct cred *cred, | 74 | int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, |
| 84 | struct user_namespace *targ_ns, int cap, int audit) | 75 | int cap, int audit) |
| 85 | { | 76 | { |
| 86 | for (;;) { | 77 | for (;;) { |
| 87 | /* The creator of the user namespace has all caps. */ | 78 | /* The creator of the user namespace has all caps. */ |
| @@ -222,9 +213,8 @@ static inline int cap_inh_is_capped(void) | |||
| 222 | /* they are so limited unless the current task has the CAP_SETPCAP | 213 | /* they are so limited unless the current task has the CAP_SETPCAP |
| 223 | * capability | 214 | * capability |
| 224 | */ | 215 | */ |
| 225 | if (cap_capable(current, current_cred(), | 216 | if (cap_capable(current_cred(), current_cred()->user->user_ns, |
| 226 | current_cred()->user->user_ns, CAP_SETPCAP, | 217 | CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0) |
| 227 | SECURITY_CAP_AUDIT) == 0) | ||
| 228 | return 0; | 218 | return 0; |
| 229 | return 1; | 219 | return 1; |
| 230 | } | 220 | } |
| @@ -874,7 +864,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
| 874 | & (new->securebits ^ arg2)) /*[1]*/ | 864 | & (new->securebits ^ arg2)) /*[1]*/ |
| 875 | || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ | 865 | || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ |
| 876 | || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ | 866 | || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ |
| 877 | || (cap_capable(current, current_cred(), | 867 | || (cap_capable(current_cred(), |
| 878 | current_cred()->user->user_ns, CAP_SETPCAP, | 868 | current_cred()->user->user_ns, CAP_SETPCAP, |
| 879 | SECURITY_CAP_AUDIT) != 0) /*[4]*/ | 869 | SECURITY_CAP_AUDIT) != 0) /*[4]*/ |
| 880 | /* | 870 | /* |
| @@ -940,7 +930,7 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages) | |||
| 940 | { | 930 | { |
| 941 | int cap_sys_admin = 0; | 931 | int cap_sys_admin = 0; |
| 942 | 932 | ||
| 943 | if (cap_capable(current, current_cred(), &init_user_ns, CAP_SYS_ADMIN, | 933 | if (cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN, |
| 944 | SECURITY_CAP_NOAUDIT) == 0) | 934 | SECURITY_CAP_NOAUDIT) == 0) |
| 945 | cap_sys_admin = 1; | 935 | cap_sys_admin = 1; |
| 946 | return __vm_enough_memory(mm, pages, cap_sys_admin); | 936 | return __vm_enough_memory(mm, pages, cap_sys_admin); |
| @@ -967,7 +957,7 @@ int cap_file_mmap(struct file *file, unsigned long reqprot, | |||
| 967 | int ret = 0; | 957 | int ret = 0; |
| 968 | 958 | ||
| 969 | if (addr < dac_mmap_min_addr) { | 959 | if (addr < dac_mmap_min_addr) { |
| 970 | ret = cap_capable(current, current_cred(), &init_user_ns, CAP_SYS_RAWIO, | 960 | ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO, |
| 971 | SECURITY_CAP_AUDIT); | 961 | SECURITY_CAP_AUDIT); |
| 972 | /* set PF_SUPERPRIV if it turns out we allow the low mmap */ | 962 | /* set PF_SUPERPRIV if it turns out we allow the low mmap */ |
| 973 | if (ret == 0) | 963 | if (ret == 0) |