author | Rafael J. Wysocki <rafael.j.wysocki@intel.com> | 2017-01-30 09:00:02 +0100 |
---|---|---|
committer | Rafael J. Wysocki <rafael.j.wysocki@intel.com> | 2017-01-30 09:00:02 +0100 |
commit | 858a0d7eb5300b5f620d98ab3c4b96c9d5f19131 (patch) | |
tree | 79ad2ecb357183384b172155e44df71c86e24e49 /kernel/capability.c | |
parent | e326ce013a8e851193eb337aafb1aa396c533a61 (diff) | |
parent | 47087eeb744c83482774e8f6dc20cf2b11fff53f (diff) | |
Merge back earlier suspend/hibernation changes for v4.11.
Diffstat (limited to 'kernel/capability.c')
-rw-r--r-- | kernel/capability.c | 39 |
1 files changed, 36 insertions, 3 deletions
diff --git a/kernel/capability.c b/kernel/capability.c
index 00411c82dac5..f97fe77ceb88 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -17,7 +17,7 @@
 #include <linux/syscalls.h>
 #include <linux/pid_namespace.h>
 #include <linux/user_namespace.h>
-#include <asm/uaccess.h>
+#include <linux/uaccess.h>
 /*
 * Leveraged for setting/resetting capabilities
@@ -318,6 +318,7 @@ bool has_capability(struct task_struct *t, int cap)
 {
 return has_ns_capability(t, &init_user_ns, cap);
 }
+EXPORT_SYMBOL(has_capability);
 /**
 * has_ns_capability_noaudit - Does a task have a capability (unaudited)
@@ -457,6 +458,19 @@ bool file_ns_capable(const struct file *file, struct user_namespace *ns,
 EXPORT_SYMBOL(file_ns_capable);
 /**
+ * privileged_wrt_inode_uidgid - Do capabilities in the namespace work over the inode?
+ * @ns: The user namespace in question
+ * @inode: The inode in question
+ *
+ * Return true if the inode uid and gid are within the namespace.
+ */
+bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode)
+{
+ return kuid_has_mapping(ns, inode->i_uid) &&
+ kgid_has_mapping(ns, inode->i_gid);
+}
+
+/**
 * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped
 * @inode: The inode in question
 * @cap: The capability in question
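Review bot: The added `EXPORT_SYMBOL(has_capability);` widens the module-visible surface of a capability check without saying which modular caller needs it. As the visible body shows, has_capability() tests an arbitrary task against `init_user_ns`, so a module that really wants to check the calling task in its own namespace could reach for it by mistake. A one-line comment above the export naming the in-tree consumer would let a later reviewer confirm the export is still required, for example `/* exported for <module>: checks another task against init_user_ns */`.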
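Review bot: The kernel-doc for privileged_wrt_inode_uidgid() does not warn that the function checks no capability at all; the body only evaluates `kuid_has_mapping()` and `kgid_has_mapping()`, while the name and the summary line ("Do capabilities in the namespace work over the inode?") read like a privilege test. A caller that uses it on its own would grant access to any task whose namespace merely maps the inode's ids. I would add to the comment: ` * This only tests that the ids are mapped into @ns; it does not check any capability, so callers must pair it with ns_capable().` Unlike its neighbours on this page, the helper is not exported, which is fine only if every caller is built in; that cannot be confirmed from this hunk.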
@@ -469,7 +483,26 @@ bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
 {
 struct user_namespace *ns = current_user_ns();
- return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) &&
- kgid_has_mapping(ns, inode->i_gid);
+ return ns_capable(ns, cap) && privileged_wrt_inode_uidgid(ns, inode);
 }
 EXPORT_SYMBOL(capable_wrt_inode_uidgid);
+
+/**
+ * ptracer_capable - Determine if the ptracer holds CAP_SYS_PTRACE in the namespace
+ * @tsk: The task that may be ptraced
+ * @ns: The user namespace to search for CAP_SYS_PTRACE in
+ *
+ * Return true if the task that is ptracing the current task had CAP_SYS_PTRACE
+ * in the specified user namespace.
+ */
+bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns)
+{
+ int ret = 0; /* An absent tracer adds no restrictions */
+ const struct cred *cred;
+ rcu_read_lock();
+ cred = rcu_dereference(tsk->ptracer_cred);
+ if (cred)
+ ret = security_capable_noaudit(cred, ns, CAP_SYS_PTRACE);
+ rcu_read_unlock();
+ return (ret == 0);
+} |
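Review bot: The kernel-doc on ptracer_capable() disagrees with the body in two places that matter to callers making a security decision. It says "the task that is ptracing the current task", but the code reads `tsk->ptracer_cred`, so the subject is @tsk rather than current. It also omits that the function returns true when no tracer credential is recorded, because `ret` starts at 0 and is only overwritten when `cred` is non-NULL. A true result therefore means "no tracer restriction applies", not "a privileged tracer exists". I would reword the return line as ` * Return true if @tsk has no recorded ptracer, or if its ptracer had CAP_SYS_PTRACE in @ns when it attached.`, hedging the "when it attached" part against wherever ptracer_cred is set, which is outside this hunk.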