aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c26
1 files changed, 20 insertions, 6 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index df30a7555d8a..eb6c45107a05 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1433,12 +1433,13 @@ static int current_has_perm(const struct task_struct *tsk,
1433 1433
1434/* Check whether a task is allowed to use a capability. */ 1434/* Check whether a task is allowed to use a capability. */
1435static int task_has_capability(struct task_struct *tsk, 1435static int task_has_capability(struct task_struct *tsk,
1436 const struct cred *cred,
1436 int cap, int audit) 1437 int cap, int audit)
1437{ 1438{
1438 struct avc_audit_data ad; 1439 struct avc_audit_data ad;
1439 struct av_decision avd; 1440 struct av_decision avd;
1440 u16 sclass; 1441 u16 sclass;
1441 u32 sid = task_sid(tsk); 1442 u32 sid = cred_sid(cred);
1442 u32 av = CAP_TO_MASK(cap); 1443 u32 av = CAP_TO_MASK(cap);
1443 int rc; 1444 int rc;
1444 1445
@@ -1865,15 +1866,27 @@ static int selinux_capset(struct cred *new, const struct cred *old,
1865 return cred_has_perm(old, new, PROCESS__SETCAP); 1866 return cred_has_perm(old, new, PROCESS__SETCAP);
1866} 1867}
1867 1868
1868static int selinux_capable(struct task_struct *tsk, int cap, int audit) 1869static int selinux_capable(int cap, int audit)
1870{
1871 int rc;
1872
1873 rc = secondary_ops->capable(cap, audit);
1874 if (rc)
1875 return rc;
1876
1877 return task_has_capability(current, current_cred(), cap, audit);
1878}
1879
1880static int selinux_task_capable(struct task_struct *tsk,
1881 const struct cred *cred, int cap, int audit)
1869{ 1882{
1870 int rc; 1883 int rc;
1871 1884
1872 rc = secondary_ops->capable(tsk, cap, audit); 1885 rc = secondary_ops->task_capable(tsk, cred, cap, audit);
1873 if (rc) 1886 if (rc)
1874 return rc; 1887 return rc;
1875 1888
1876 return task_has_capability(tsk, cap, audit); 1889 return task_has_capability(tsk, cred, cap, audit);
1877} 1890}
1878 1891
1879static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) 1892static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@@ -2037,7 +2050,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2037{ 2050{
2038 int rc, cap_sys_admin = 0; 2051 int rc, cap_sys_admin = 0;
2039 2052
2040 rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT); 2053 rc = selinux_capable(CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
2041 if (rc == 0) 2054 if (rc == 0)
2042 cap_sys_admin = 1; 2055 cap_sys_admin = 1;
2043 2056
@@ -2880,7 +2893,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
2880 * and lack of permission just means that we fall back to the 2893 * and lack of permission just means that we fall back to the
2881 * in-core context value, not a denial. 2894 * in-core context value, not a denial.
2882 */ 2895 */
2883 error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT); 2896 error = selinux_capable(CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
2884 if (!error) 2897 if (!error)
2885 error = security_sid_to_context_force(isec->sid, &context, 2898 error = security_sid_to_context_force(isec->sid, &context,
2886 &size); 2899 &size);
@@ -5568,6 +5581,7 @@ static struct security_operations selinux_ops = {
5568 .capset = selinux_capset, 5581 .capset = selinux_capset,
5569 .sysctl = selinux_sysctl, 5582 .sysctl = selinux_sysctl,
5570 .capable = selinux_capable, 5583 .capable = selinux_capable,
5584 .task_capable = selinux_task_capable,
5571 .quotactl = selinux_quotactl, 5585 .quotactl = selinux_quotactl,
5572 .quota_on = selinux_quota_on, 5586 .quota_on = selinux_quota_on,
5573 .syslog = selinux_syslog, 5587 .syslog = selinux_syslog,