Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

capabilites: introduce new has_ns_capabilities_noaudit

For consistency in interfaces, introduce a new interface called
has_ns_capabilities_noaudit.  It checks if the given task has the given
capability in the given namespace.  Use this new function by
has_capabilities_noaudit.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Eric Paris 13 years ago
parent
25e7570341
commit
7b61d64849
2 changed files with 27 additions and 5 deletions
Split View Show Diff Stats
  1. 2 0
      include/linux/capability.h
  2. 25 5
      kernel/capability.c

+ 2 - 0
include/linux/capability.h
View File 

@@ -543,6 +543,8 @@ extern bool has_capability(struct task_struct *t, int cap);
 
 extern bool has_ns_capability(struct task_struct *t,
 
 			      struct user_namespace *ns, int cap);
 
 extern bool has_capability_noaudit(struct task_struct *t, int cap);
 
+extern bool has_ns_capability_noaudit(struct task_struct *t,
 
+				      struct user_namespace *ns, int cap);
 
 extern bool capable(int cap);
 
 extern bool ns_capable(struct user_namespace *ns, int cap);
 
 extern bool task_ns_capable(struct task_struct *t, int cap);

+ 25 - 5
kernel/capability.c
View File 

@@ -325,27 +325,47 @@ bool has_capability(struct task_struct *t, int cap)
 
 }
 
 
 /**
 
- * has_capability_noaudit - Does a task have a capability (unaudited)
 
+ * has_ns_capability_noaudit - Does a task have a capability (unaudited)
 
+ * in a specific user ns.
 
  * @t: The task in question
 
+ * @ns: target user namespace
 
  * @cap: The capability to be tested for
 
  *
 
  * Return true if the specified task has the given superior capability
 
- * currently in effect to init_user_ns, false if not.  Don't write an
 
- * audit message for the check.
 
+ * currently in effect to the specified user namespace, false if not.
 
+ * Do not write an audit message for the check.
 
  *
 
  * Note that this does not set PF_SUPERPRIV on the task.
 
  */
 
-bool has_capability_noaudit(struct task_struct *t, int cap)
 
+bool has_ns_capability_noaudit(struct task_struct *t,
 
+			       struct user_namespace *ns, int cap)
 
 {
 
 	int ret;
 
 
 	rcu_read_lock();
 
-	ret = security_capable_noaudit(__task_cred(t), &init_user_ns, cap);
 
+	ret = security_capable_noaudit(__task_cred(t), ns, cap);
 
 	rcu_read_unlock();
 
 
 	return (ret == 0);
 
 }
 
 
+/**
 
+ * has_capability_noaudit - Does a task have a capability (unaudited) in the
 
+ * initial user ns
 
+ * @t: The task in question
 
+ * @cap: The capability to be tested for
 
+ *
 
+ * Return true if the specified task has the given superior capability
 
+ * currently in effect to init_user_ns, false if not.  Don't write an
 
+ * audit message for the check.
 
+ *
 
+ * Note that this does not set PF_SUPERPRIV on the task.
 
+ */
 
+bool has_capability_noaudit(struct task_struct *t, int cap)
 
+{
 
+	return has_ns_capability_noaudit(t, &init_user_ns, cap);
 
+}
 
+
 
 /**
 
  * capable - Determine if the current task has a superior capability in effect
 
  * @cap: The capability to be tested for