aboutsummaryrefslogtreecommitdiffstats
path: root/security/commoncap.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/commoncap.c')
-rw-r--r--security/commoncap.c72
1 files changed, 2 insertions, 70 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 45b87af4ae5d..f800fdb3de94 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -173,7 +173,6 @@ int cap_capget(struct task_struct *target, kernel_cap_t *effective,
173 */ 173 */
174static inline int cap_inh_is_capped(void) 174static inline int cap_inh_is_capped(void)
175{ 175{
176#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
177 176
178 /* they are so limited unless the current task has the CAP_SETPCAP 177 /* they are so limited unless the current task has the CAP_SETPCAP
179 * capability 178 * capability
@@ -181,7 +180,6 @@ static inline int cap_inh_is_capped(void)
181 if (cap_capable(current, current_cred(), CAP_SETPCAP, 180 if (cap_capable(current, current_cred(), CAP_SETPCAP,
182 SECURITY_CAP_AUDIT) == 0) 181 SECURITY_CAP_AUDIT) == 0)
183 return 0; 182 return 0;
184#endif
185 return 1; 183 return 1;
186} 184}
187 185
@@ -239,8 +237,6 @@ static inline void bprm_clear_caps(struct linux_binprm *bprm)
239 bprm->cap_effective = false; 237 bprm->cap_effective = false;
240} 238}
241 239
242#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
243
244/** 240/**
245 * cap_inode_need_killpriv - Determine if inode change affects privileges 241 * cap_inode_need_killpriv - Determine if inode change affects privileges
246 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV 242 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
@@ -421,49 +417,6 @@ out:
421 return rc; 417 return rc;
422} 418}
423 419
424#else
425int cap_inode_need_killpriv(struct dentry *dentry)
426{
427 return 0;
428}
429
430int cap_inode_killpriv(struct dentry *dentry)
431{
432 return 0;
433}
434
435int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
436{
437 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
438 return -ENODATA;
439}
440
441static inline int get_file_caps(struct linux_binprm *bprm, bool *effective)
442{
443 bprm_clear_caps(bprm);
444 return 0;
445}
446#endif
447
448/*
449 * Determine whether a exec'ing process's new permitted capabilities should be
450 * limited to just what it already has.
451 *
452 * This prevents processes that are being ptraced from gaining access to
453 * CAP_SETPCAP, unless the process they're tracing already has it, and the
454 * binary they're executing has filecaps that elevate it.
455 *
456 * Returns 1 if they should be limited, 0 if they are not.
457 */
458static inline int cap_limit_ptraced_target(void)
459{
460#ifndef CONFIG_SECURITY_FILE_CAPABILITIES
461 if (capable(CAP_SETPCAP))
462 return 0;
463#endif
464 return 1;
465}
466
467/** 420/**
468 * cap_bprm_set_creds - Set up the proposed credentials for execve(). 421 * cap_bprm_set_creds - Set up the proposed credentials for execve().
469 * @bprm: The execution parameters, including the proposed creds 422 * @bprm: The execution parameters, including the proposed creds
@@ -523,9 +476,8 @@ skip:
523 new->euid = new->uid; 476 new->euid = new->uid;
524 new->egid = new->gid; 477 new->egid = new->gid;
525 } 478 }
526 if (cap_limit_ptraced_target()) 479 new->cap_permitted = cap_intersect(new->cap_permitted,
527 new->cap_permitted = cap_intersect(new->cap_permitted, 480 old->cap_permitted);
528 old->cap_permitted);
529 } 481 }
530 482
531 new->suid = new->fsuid = new->euid; 483 new->suid = new->fsuid = new->euid;
@@ -739,7 +691,6 @@ int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
739 return 0; 691 return 0;
740} 692}
741 693
742#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
743/* 694/*
744 * Rationale: code calling task_setscheduler, task_setioprio, and 695 * Rationale: code calling task_setscheduler, task_setioprio, and
745 * task_setnice, assumes that 696 * task_setnice, assumes that
@@ -820,22 +771,6 @@ static long cap_prctl_drop(struct cred *new, unsigned long cap)
820 return 0; 771 return 0;
821} 772}
822 773
823#else
824int cap_task_setscheduler (struct task_struct *p, int policy,
825 struct sched_param *lp)
826{
827 return 0;
828}
829int cap_task_setioprio (struct task_struct *p, int ioprio)
830{
831 return 0;
832}
833int cap_task_setnice (struct task_struct *p, int nice)
834{
835 return 0;
836}
837#endif
838
839/** 774/**
840 * cap_task_prctl - Implement process control functions for this security module 775 * cap_task_prctl - Implement process control functions for this security module
841 * @option: The process control function requested 776 * @option: The process control function requested
@@ -866,7 +801,6 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
866 error = !!cap_raised(new->cap_bset, arg2); 801 error = !!cap_raised(new->cap_bset, arg2);
867 goto no_change; 802 goto no_change;
868 803
869#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
870 case PR_CAPBSET_DROP: 804 case PR_CAPBSET_DROP:
871 error = cap_prctl_drop(new, arg2); 805 error = cap_prctl_drop(new, arg2);
872 if (error < 0) 806 if (error < 0)
@@ -917,8 +851,6 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
917 error = new->securebits; 851 error = new->securebits;
918 goto no_change; 852 goto no_change;
919 853
920#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
921
922 case PR_GET_KEEPCAPS: 854 case PR_GET_KEEPCAPS:
923 if (issecure(SECURE_KEEP_CAPS)) 855 if (issecure(SECURE_KEEP_CAPS))
924 error = 1; 856 error = 1;