diff options
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 6475e1f0223e..c67f863d3546 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -79,6 +79,7 @@ | |||
| 79 | #include <linux/mutex.h> | 79 | #include <linux/mutex.h> |
| 80 | #include <linux/posix-timers.h> | 80 | #include <linux/posix-timers.h> |
| 81 | #include <linux/syslog.h> | 81 | #include <linux/syslog.h> |
| 82 | #include <linux/user_namespace.h> | ||
| 82 | 83 | ||
| 83 | #include "avc.h" | 84 | #include "avc.h" |
| 84 | #include "objsec.h" | 85 | #include "objsec.h" |
| @@ -1846,11 +1847,11 @@ static int selinux_capset(struct cred *new, const struct cred *old, | |||
| 1846 | */ | 1847 | */ |
| 1847 | 1848 | ||
| 1848 | static int selinux_capable(struct task_struct *tsk, const struct cred *cred, | 1849 | static int selinux_capable(struct task_struct *tsk, const struct cred *cred, |
| 1849 | int cap, int audit) | 1850 | struct user_namespace *ns, int cap, int audit) |
| 1850 | { | 1851 | { |
| 1851 | int rc; | 1852 | int rc; |
| 1852 | 1853 | ||
| 1853 | rc = cap_capable(tsk, cred, cap, audit); | 1854 | rc = cap_capable(tsk, cred, ns, cap, audit); |
| 1854 | if (rc) | 1855 | if (rc) |
| 1855 | return rc; | 1856 | return rc; |
| 1856 | 1857 | ||
| @@ -1931,7 +1932,8 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) | |||
| 1931 | { | 1932 | { |
| 1932 | int rc, cap_sys_admin = 0; | 1933 | int rc, cap_sys_admin = 0; |
| 1933 | 1934 | ||
| 1934 | rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN, | 1935 | rc = selinux_capable(current, current_cred(), |
| 1936 | &init_user_ns, CAP_SYS_ADMIN, | ||
| 1935 | SECURITY_CAP_NOAUDIT); | 1937 | SECURITY_CAP_NOAUDIT); |
| 1936 | if (rc == 0) | 1938 | if (rc == 0) |
| 1937 | cap_sys_admin = 1; | 1939 | cap_sys_admin = 1; |
| @@ -2834,7 +2836,8 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name | |||
| 2834 | * and lack of permission just means that we fall back to the | 2836 | * and lack of permission just means that we fall back to the |
| 2835 | * in-core context value, not a denial. | 2837 | * in-core context value, not a denial. |
| 2836 | */ | 2838 | */ |
| 2837 | error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN, | 2839 | error = selinux_capable(current, current_cred(), |
| 2840 | &init_user_ns, CAP_MAC_ADMIN, | ||
| 2838 | SECURITY_CAP_NOAUDIT); | 2841 | SECURITY_CAP_NOAUDIT); |
| 2839 | if (!error) | 2842 | if (!error) |
| 2840 | error = security_sid_to_context_force(isec->sid, &context, | 2843 | error = security_sid_to_context_force(isec->sid, &context, |
| @@ -2968,7 +2971,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, | |||
| 2968 | case KDSKBENT: | 2971 | case KDSKBENT: |
| 2969 | case KDSKBSENT: | 2972 | case KDSKBSENT: |
| 2970 | error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG, | 2973 | error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG, |
| 2971 | SECURITY_CAP_AUDIT); | 2974 | SECURITY_CAP_AUDIT); |
| 2972 | break; | 2975 | break; |
| 2973 | 2976 | ||
| 2974 | /* default case assumes that the command will go | 2977 | /* default case assumes that the command will go |