author | Paul Mackerras <paulus@samba.org> | 2008-01-24 10:07:21 +1100 |
---|---|---|
committer | Paul Mackerras <paulus@samba.org> | 2008-01-24 10:07:21 +1100 |
commit | 9156ad48338e0306e508ead5c0d9986050744475 (patch) | |
tree | 37f3a90e38190052ecf3cdf9171dfdddd37b56fd /security | |
parent | fa28237cfcc5827553044cbd6ee52e33692b0faa (diff) | |
parent | 8f7b3d156d348b6766833cd4e272d0d19b501e64 (diff) | |
download | op-kernel-dev-9156ad48338e0306e508ead5c0d9986050744475.zip op-kernel-dev-9156ad48338e0306e508ead5c0d9986050744475.tar.gz |
Merge branch 'linux-2.6'
Diffstat (limited to 'security')
-rw-r--r-- | security/commoncap.c | 13 | ||||
-rw-r--r-- | security/selinux/netlabel.c | 7 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 2 |
3 files changed, 15 insertions, 7 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 5bc1895..ea61bc7 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -59,6 +59,12 @@ int cap_netlink_recv(struct sk_buff *skb, int cap)
 EXPORT_SYMBOL(cap_netlink_recv);
+/*
+ * NOTE WELL: cap_capable() cannot be used like the kernel's capable()
+ * function. That is, it has the reverse semantics: cap_capable()
+ * returns 0 when a task has a capability, but the kernel's capable()
+ * returns 1 for this case.
+ */
 int cap_capable (struct task_struct *tsk, int cap)
 {
 	/* Derived from include/linux/sched.h:capable. */
@@ -107,10 +113,11 @@ static inline int cap_block_setpcap(struct task_struct *target)
 static inline int cap_inh_is_capped(void)
 {
 	/*
-	 * return 1 if changes to the inheritable set are limited
-	 * to the old permitted set.
+	 * Return 1 if changes to the inheritable set are limited
+	 * to the old permitted set. That is, if the current task
+	 * does *not* possess the CAP_SETPCAP capability.
 	 */
-	return !cap_capable(current, CAP_SETPCAP);
+	return (cap_capable(current, CAP_SETPCAP) != 0);
 }
 #else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index d243ddc..66e013d 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -53,10 +53,11 @@ static int selinux_netlbl_sock_setsid(struct sock *sk, u32 sid)
 	struct sk_security_struct *sksec = sk->sk_security;
 	struct netlbl_lsm_secattr secattr;
+	netlbl_secattr_init(&secattr);
+
 	rc = security_netlbl_sid_to_secattr(sid, &secattr);
 	if (rc != 0)
-		return rc;
-
+		goto sock_setsid_return;
 	rc = netlbl_sock_setattr(sk, &secattr);
 	if (rc == 0) {
 		spin_lock_bh(&sksec->nlbl_lock);
@@ -64,6 +65,8 @@ static int selinux_netlbl_sock_setsid(struct sock *sk, u32 sid)
 		spin_unlock_bh(&sksec->nlbl_lock);
 	}
+sock_setsid_return:
+	netlbl_secattr_destroy(&secattr);
 	return rc;
 }
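Review bot: The NOTE WELL comment about cap_capable()'s inverted return sense is placed only above the definition in commoncap.c, whereas callers such as cap_inh_is_capped() see the prototype in the header that declares it; the same warning belongs on the declaration, and it should state the values rather than only the contrast with capable(), e.g. `/* Returns 0 if @tsk holds @cap, -EPERM otherwise; the opposite sense of capable(). */` (which set the capability is checked against is in the body, outside this hunk, so confirm before wording it). The second hunk shows why this matters: the old `!cap_capable(current, CAP_SETPCAP)` read the -EPERM case as "capped", so the privilege check was backwards until this commit, and a comment at the call site alone would not have prevented the next such mix-up. As a style point, the outer parentheses in `return (cap_capable(current, CAP_SETPCAP) != 0);` are redundant under kernel style; `return cap_capable(current, CAP_SETPCAP) != 0;` reads the same. cap_capable()'s body continues outside the hunk.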
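Review bot: Moving netlbl_secattr_init() into selinux_netlbl_sock_setsid() makes security_netlbl_sid_to_secattr() depend on every caller having initialised the secattr beforehand, and the matching hunk in security/selinux/ss/services.c removes the init without recording that contract anywhere in the callee. I'd add to the kerneldoc of security_netlbl_sid_to_secattr(): `Caller must initialise @secattr with netlbl_secattr_init() before calling and remains responsible for netlbl_secattr_destroy(), including when this function fails.`; any other callers in the tree (not visible from here) need the same init/destroy pairing, since a stack secattr that is destroyed without a prior init would be the mirror of the leak this commit fixes. Note also that the `!ss_initialized` early return of the callee yields rc == 0 with an empty secattr, so the `netlbl_sock_setattr()` call still runs on that path; this pre-dates the change but is worth a one-line comment at the call. selinux_netlbl_sock_setsid() begins (the `rc` declaration) outside the hunk.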
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index d572dc9..f83b19d 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2606,8 +2606,6 @@ int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
 	int rc = -ENOENT;
 	struct context *ctx;
-	netlbl_secattr_init(secattr);
-
 	if (!ss_initialized)
 		return 0;