LSM: generalize flag passing to security_capable

[platform/kernel/linux-rpi.git] / kernel / capability.c

diff --git a/kernel/capability.c b/kernel/capability.c
index 1e1c023..7718d7d 100644 (file)
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -299,7 +299,7 @@ bool has_ns_capability(struct task_struct *t,
        int ret;
 
        rcu_read_lock();
-       ret = security_capable(__task_cred(t), ns, cap);
+       ret = security_capable(__task_cred(t), ns, cap, CAP_OPT_NONE);
        rcu_read_unlock();
 
        return (ret == 0);
@@ -340,7 +340,7 @@ bool has_ns_capability_noaudit(struct task_struct *t,
        int ret;
 
        rcu_read_lock();
-       ret = security_capable_noaudit(__task_cred(t), ns, cap);
+       ret = security_capable(__task_cred(t), ns, cap, CAP_OPT_NOAUDIT);
        rcu_read_unlock();
 
        return (ret == 0);
@@ -363,7 +363,9 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
        return has_ns_capability_noaudit(t, &init_user_ns, cap);
 }
 
-static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit)
+static bool ns_capable_common(struct user_namespace *ns,
+                             int cap,
+                             unsigned int opts)
 {
        int capable;
 
@@ -372,8 +374,7 @@ static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit)
                BUG();
        }
 
-       capable = audit ? security_capable(current_cred(), ns, cap) :
-                         security_capable_noaudit(current_cred(), ns, cap);
+       capable = security_capable(current_cred(), ns, cap, opts);
        if (capable == 0) {
                current->flags |= PF_SUPERPRIV;
                return true;
@@ -394,7 +395,7 @@ static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit)
  */
 bool ns_capable(struct user_namespace *ns, int cap)
 {
-       return ns_capable_common(ns, cap, true);
+       return ns_capable_common(ns, cap, CAP_OPT_NONE);
 }
 EXPORT_SYMBOL(ns_capable);
 
@@ -412,7 +413,7 @@ EXPORT_SYMBOL(ns_capable);
  */
 bool ns_capable_noaudit(struct user_namespace *ns, int cap)
 {
-       return ns_capable_common(ns, cap, false);
+       return ns_capable_common(ns, cap, CAP_OPT_NOAUDIT);
 }
 EXPORT_SYMBOL(ns_capable_noaudit);
 
@@ -448,10 +449,11 @@ EXPORT_SYMBOL(capable);
 bool file_ns_capable(const struct file *file, struct user_namespace *ns,
                     int cap)
 {
+
        if (WARN_ON_ONCE(!cap_valid(cap)))
                return false;
 
-       if (security_capable(file->f_cred, ns, cap) == 0)
+       if (security_capable(file->f_cred, ns, cap, CAP_OPT_NONE) == 0)
                return true;
 
        return false;
@@ -500,10 +502,12 @@ bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns)
 {
        int ret = 0;  /* An absent tracer adds no restrictions */
        const struct cred *cred;
+
        rcu_read_lock();
        cred = rcu_dereference(tsk->ptracer_cred);
        if (cred)
-               ret = security_capable_noaudit(cred, ns, CAP_SYS_PTRACE);
+               ret = security_capable(cred, ns, CAP_SYS_PTRACE,
+                                      CAP_OPT_NOAUDIT);
        rcu_read_unlock();
        return (ret == 0);
 }