aboutsummaryrefslogtreecommitdiffstats
path: root/security/commoncap.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/commoncap.c')
-rw-r--r--security/commoncap.c29
1 files changed, 8 insertions, 21 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 8283271f0768..e3f36ef629fa 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -96,15 +96,6 @@ int cap_capget (struct task_struct *target, kernel_cap_t *effective,
96 96
97#ifdef CONFIG_SECURITY_FILE_CAPABILITIES 97#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
98 98
99static inline int cap_block_setpcap(struct task_struct *target)
100{
101 /*
102 * No support for remote process capability manipulation with
103 * filesystem capability support.
104 */
105 return (target != current);
106}
107
108static inline int cap_inh_is_capped(void) 99static inline int cap_inh_is_capped(void)
109{ 100{
110 /* 101 /*
@@ -119,7 +110,6 @@ static inline int cap_limit_ptraced_target(void) { return 1; }
119 110
120#else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */ 111#else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */
121 112
122static inline int cap_block_setpcap(struct task_struct *t) { return 0; }
123static inline int cap_inh_is_capped(void) { return 1; } 113static inline int cap_inh_is_capped(void) { return 1; }
124static inline int cap_limit_ptraced_target(void) 114static inline int cap_limit_ptraced_target(void)
125{ 115{
@@ -128,21 +118,18 @@ static inline int cap_limit_ptraced_target(void)
128 118
129#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ 119#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
130 120
131int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, 121int cap_capset_check (kernel_cap_t *effective,
132 kernel_cap_t *inheritable, kernel_cap_t *permitted) 122 kernel_cap_t *inheritable, kernel_cap_t *permitted)
133{ 123{
134 if (cap_block_setpcap(target)) {
135 return -EPERM;
136 }
137 if (cap_inh_is_capped() 124 if (cap_inh_is_capped()
138 && !cap_issubset(*inheritable, 125 && !cap_issubset(*inheritable,
139 cap_combine(target->cap_inheritable, 126 cap_combine(current->cap_inheritable,
140 current->cap_permitted))) { 127 current->cap_permitted))) {
141 /* incapable of using this inheritable set */ 128 /* incapable of using this inheritable set */
142 return -EPERM; 129 return -EPERM;
143 } 130 }
144 if (!cap_issubset(*inheritable, 131 if (!cap_issubset(*inheritable,
145 cap_combine(target->cap_inheritable, 132 cap_combine(current->cap_inheritable,
146 current->cap_bset))) { 133 current->cap_bset))) {
147 /* no new pI capabilities outside bounding set */ 134 /* no new pI capabilities outside bounding set */
148 return -EPERM; 135 return -EPERM;
@@ -150,7 +137,7 @@ int cap_capset_check (struct task_struct *target, kernel_cap_t *effective,
150 137
151 /* verify restrictions on target's new Permitted set */ 138 /* verify restrictions on target's new Permitted set */
152 if (!cap_issubset (*permitted, 139 if (!cap_issubset (*permitted,
153 cap_combine (target->cap_permitted, 140 cap_combine (current->cap_permitted,
154 current->cap_permitted))) { 141 current->cap_permitted))) {
155 return -EPERM; 142 return -EPERM;
156 } 143 }
@@ -163,12 +150,12 @@ int cap_capset_check (struct task_struct *target, kernel_cap_t *effective,
163 return 0; 150 return 0;
164} 151}
165 152
166void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, 153void cap_capset_set (kernel_cap_t *effective,
167 kernel_cap_t *inheritable, kernel_cap_t *permitted) 154 kernel_cap_t *inheritable, kernel_cap_t *permitted)
168{ 155{
169 target->cap_effective = *effective; 156 current->cap_effective = *effective;
170 target->cap_inheritable = *inheritable; 157 current->cap_inheritable = *inheritable;
171 target->cap_permitted = *permitted; 158 current->cap_permitted = *permitted;
172} 159}
173 160
174static inline void bprm_clear_caps(struct linux_binprm *bprm) 161static inline void bprm_clear_caps(struct linux_binprm *bprm)
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-28 05:26:54 -0500