diff options
| author | Eric Paris <eparis@redhat.com> | 2012-01-03 12:25:15 -0500 |
|---|---|---|
| committer | Eric Paris <eparis@redhat.com> | 2012-01-05 18:52:57 -0500 |
| commit | 7b61d648499e74dbec3d4ce645675e0ae040ae78 (patch) | |
| tree | dbf56a4e0cf344d22ac4deb71bb1a83ef02526e5 | |
| parent | 25e75703410a84b80623da3653db6b70282e5c6a (diff) | |
| download | op-kernel-dev-7b61d648499e74dbec3d4ce645675e0ae040ae78.zip op-kernel-dev-7b61d648499e74dbec3d4ce645675e0ae040ae78.tar.gz | |
capabilites: introduce new has_ns_capabilities_noaudit
For consistency in interfaces, introduce a new interface called
has_ns_capabilities_noaudit. It checks if the given task has the given
capability in the given namespace. Use this new function by
has_capabilities_noaudit.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
| -rw-r--r-- | include/linux/capability.h | 2 | ||||
| -rw-r--r-- | kernel/capability.c | 30 |
2 files changed, 27 insertions, 5 deletions
diff --git a/include/linux/capability.h b/include/linux/capability.h index c421123..63f59fa 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -543,6 +543,8 @@ extern bool has_capability(struct task_struct *t, int cap); extern bool has_ns_capability(struct task_struct *t, struct user_namespace *ns, int cap); extern bool has_capability_noaudit(struct task_struct *t, int cap); +extern bool has_ns_capability_noaudit(struct task_struct *t, + struct user_namespace *ns, int cap); extern bool capable(int cap); extern bool ns_capable(struct user_namespace *ns, int cap); extern bool task_ns_capable(struct task_struct *t, int cap); diff --git a/kernel/capability.c b/kernel/capability.c index fb815d1..d8398e9 100644 --- a/kernel/capability.c +++ b/kernel/capability.c @@ -325,28 +325,48 @@ bool has_capability(struct task_struct *t, int cap) } /** - * has_capability_noaudit - Does a task have a capability (unaudited) + * has_ns_capability_noaudit - Does a task have a capability (unaudited) + * in a specific user ns. * @t: The task in question + * @ns: target user namespace * @cap: The capability to be tested for * * Return true if the specified task has the given superior capability - * currently in effect to init_user_ns, false if not. Don't write an - * audit message for the check. + * currently in effect to the specified user namespace, false if not. + * Do not write an audit message for the check. * * Note that this does not set PF_SUPERPRIV on the task. */ -bool has_capability_noaudit(struct task_struct *t, int cap) +bool has_ns_capability_noaudit(struct task_struct *t, + struct user_namespace *ns, int cap) { int ret; rcu_read_lock(); - ret = security_capable_noaudit(__task_cred(t), &init_user_ns, cap); + ret = security_capable_noaudit(__task_cred(t), ns, cap); rcu_read_unlock(); return (ret == 0); } /** + * has_capability_noaudit - Does a task have a capability (unaudited) in the + * initial user ns + * @t: The task in question + * @cap: The capability to be tested for + * + * Return true if the specified task has the given superior capability + * currently in effect to init_user_ns, false if not. Don't write an + * audit message for the check. + * + * Note that this does not set PF_SUPERPRIV on the task. + */ +bool has_capability_noaudit(struct task_struct *t, int cap) +{ + return has_ns_capability_noaudit(t, &init_user_ns, cap); +} + +/** * capable - Determine if the current task has a superior capability in effect * @cap: The capability to be tested for * |
