summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2012-01-03 12:25:15 -0500
committerEric Paris <eparis@redhat.com>2012-01-05 18:52:57 -0500
commit7b61d648499e74dbec3d4ce645675e0ae040ae78 (patch)
treedbf56a4e0cf344d22ac4deb71bb1a83ef02526e5
parent25e75703410a84b80623da3653db6b70282e5c6a (diff)
downloadop-kernel-dev-7b61d648499e74dbec3d4ce645675e0ae040ae78.zip
op-kernel-dev-7b61d648499e74dbec3d4ce645675e0ae040ae78.tar.gz
capabilites: introduce new has_ns_capabilities_noaudit
For consistency in interfaces, introduce a new interface called has_ns_capabilities_noaudit. It checks if the given task has the given capability in the given namespace. Use this new function by has_capabilities_noaudit. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
-rw-r--r--include/linux/capability.h2
-rw-r--r--kernel/capability.c30
2 files changed, 27 insertions, 5 deletions
diff --git a/include/linux/capability.h b/include/linux/capability.h
index c421123..63f59fa 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -543,6 +543,8 @@ extern bool has_capability(struct task_struct *t, int cap);
extern bool has_ns_capability(struct task_struct *t,
struct user_namespace *ns, int cap);
extern bool has_capability_noaudit(struct task_struct *t, int cap);
+extern bool has_ns_capability_noaudit(struct task_struct *t,
+ struct user_namespace *ns, int cap);
extern bool capable(int cap);
extern bool ns_capable(struct user_namespace *ns, int cap);
extern bool task_ns_capable(struct task_struct *t, int cap);
diff --git a/kernel/capability.c b/kernel/capability.c
index fb815d1..d8398e9 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -325,28 +325,48 @@ bool has_capability(struct task_struct *t, int cap)
}
/**
- * has_capability_noaudit - Does a task have a capability (unaudited)
+ * has_ns_capability_noaudit - Does a task have a capability (unaudited)
+ * in a specific user ns.
* @t: The task in question
+ * @ns: target user namespace
* @cap: The capability to be tested for
*
* Return true if the specified task has the given superior capability
- * currently in effect to init_user_ns, false if not. Don't write an
- * audit message for the check.
+ * currently in effect to the specified user namespace, false if not.
+ * Do not write an audit message for the check.
*
* Note that this does not set PF_SUPERPRIV on the task.
*/
-bool has_capability_noaudit(struct task_struct *t, int cap)
+bool has_ns_capability_noaudit(struct task_struct *t,
+ struct user_namespace *ns, int cap)
{
int ret;
rcu_read_lock();
- ret = security_capable_noaudit(__task_cred(t), &init_user_ns, cap);
+ ret = security_capable_noaudit(__task_cred(t), ns, cap);
rcu_read_unlock();
return (ret == 0);
}
/**
+ * has_capability_noaudit - Does a task have a capability (unaudited) in the
+ * initial user ns
+ * @t: The task in question
+ * @cap: The capability to be tested for
+ *
+ * Return true if the specified task has the given superior capability
+ * currently in effect to init_user_ns, false if not. Don't write an
+ * audit message for the check.
+ *
+ * Note that this does not set PF_SUPERPRIV on the task.
+ */
+bool has_capability_noaudit(struct task_struct *t, int cap)
+{
+ return has_ns_capability_noaudit(t, &init_user_ns, cap);
+}
+
+/**
* capable - Determine if the current task has a superior capability in effect
* @cap: The capability to be tested for
*
OpenPOWER on IntegriCloud