Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/hooks.c | 26 |
1 files changed, 20 insertions, 6 deletions
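diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index df30a7555d8a..eb6c45107a05 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1433,12 +1433,13 @@ static int current_has_perm(const struct task_struct *tsk,
 
 /* Check whether a task is allowed to use a capability. */
 static int task_has_capability(struct task_struct *tsk,
+const struct cred *cred,
 int cap, int audit)
 {
 struct avc_audit_data ad;
 struct av_decision avd;
 u16 sclass;
-u32 sid = task_sid(tsk);
+u32 sid = cred_sid(cred);
 u32 av = CAP_TO_MASK(cap);
 int rc;
 
@@ -1865,15 +1866,27 @@ static int selinux_capset(struct cred *new, const struct cred *old,
 return cred_has_perm(old, new, PROCESS__SETCAP);
 }
 
-static int selinux_capable(struct task_struct *tsk, int cap, int audit)
+static int selinux_capable(int cap, int audit)
+{
+int rc;
+
+rc = secondary_ops->capable(cap, audit);
+if (rc)
+return rc;
+
+return task_has_capability(current, current_cred(), cap, audit);
+}
+
+static int selinux_task_capable(struct task_struct *tsk,
+const struct cred *cred, int cap, int audit)
 {
 int rc;
 
-rc = secondary_ops->capable(tsk, cap, audit);
+rc = secondary_ops->task_capable(tsk, cred, cap, audit);
 if (rc)
 return rc;
 
-return task_has_capability(tsk, cap, audit);
+return task_has_capability(tsk, cred, cap, audit);
 }
 
 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@@ -2037,7 +2050,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 {
 int rc, cap_sys_admin = 0;
 
-rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
+rc = selinux_capable(CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
 if (rc == 0)
 cap_sys_admin = 1;
 
@@ -2880,7 +2893,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
 * and lack of permission just means that we fall back to the
 * in-core context value, not a denial.
 */
-error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
+error = selinux_capable(CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
 if (!error)
 error = security_sid_to_context_force(isec->sid, &context,
 &size);
@@ -5568,6 +5581,7 @@ static struct security_operations selinux_ops = {
 .capset = selinux_capset,
 .sysctl = selinux_sysctl,
 .capable = selinux_capable,
+.task_capable = selinux_task_capable,
 .quotactl = selinux_quotactl,
 .quota_on = selinux_quota_on,
 .syslog = selinux_syslog,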
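Review bot: task_has_capability() now takes its SID from `cred` but still accepts `tsk`, and the unchanged one-line header comment does not say which of the two is the subject being checked; if `tsk` only feeds the audit data (the function's body continues outside the hunk), a caller that passes a cred not belonging to tsk would be authorised as one subject and audited as another. I would replace the header comment with a contract along the lines of `/* Check whether @cred may use capability @cap; @tsk must be the task that owns @cred and is used only to describe the subject in the audit record. */`, confirming the last clause against the rest of the function. The new selinux_task_capable() should likewise document that the caller is responsible for keeping `cred` valid for the duration of the call (a held reference or RCU), since it no longer derives the credentials from the task itself. selinux_capable() is the current-task special case of the same check; a short comment saying so would make the relationship between the two entry points explicit.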