capabilites: introduce new has_ns_capabilities_noaudit
For consistency in interfaces, introduce a new interface called has_ns_capabilities_noaudit. It checks if the given task has the given capability in the given namespace. Use this new function by has_capabilities_noaudit. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
This commit is contained in:
Eric Paris
Родитель
25e7570341
Коммит
7b61d64849
|
|
@ -543,6 +543,8 @@ extern bool has_capability(struct task_struct *t, int cap);
|
|||
extern bool has_ns_capability(struct task_struct *t,
|
||||
struct user_namespace *ns, int cap);
|
||||
extern bool has_capability_noaudit(struct task_struct *t, int cap);
|
||||
extern bool has_ns_capability_noaudit(struct task_struct *t,
|
||||
struct user_namespace *ns, int cap);
|
||||
extern bool capable(int cap);
|
||||
extern bool ns_capable(struct user_namespace *ns, int cap);
|
||||
extern bool task_ns_capable(struct task_struct *t, int cap);
|
||||
|
|
|
|||
|
|
@ -325,7 +325,33 @@ bool has_capability(struct task_struct *t, int cap)
|
|||
}
|
||||
|
||||
/**
|
||||
* has_capability_noaudit - Does a task have a capability (unaudited)
|
||||
* has_ns_capability_noaudit - Does a task have a capability (unaudited)
|
||||
* in a specific user ns.
|
||||
* @t: The task in question
|
||||
* @ns: target user namespace
|
||||
* @cap: The capability to be tested for
|
||||
*
|
||||
* Return true if the specified task has the given superior capability
|
||||
* currently in effect to the specified user namespace, false if not.
|
||||
* Do not write an audit message for the check.
|
||||
*
|
||||
* Note that this does not set PF_SUPERPRIV on the task.
|
||||
*/
|
||||
bool has_ns_capability_noaudit(struct task_struct *t,
|
||||
struct user_namespace *ns, int cap)
|
||||
{
|
||||
int ret;
|
||||
|
||||
rcu_read_lock();
|
||||
ret = security_capable_noaudit(__task_cred(t), ns, cap);
|
||||
rcu_read_unlock();
|
||||
|
||||
return (ret == 0);
|
||||
}
|
||||
|
||||
/**
|
||||
* has_capability_noaudit - Does a task have a capability (unaudited) in the
|
||||
* initial user ns
|
||||
* @t: The task in question
|
||||
* @cap: The capability to be tested for
|
||||
*
|
||||
|
|
@ -337,13 +363,7 @@ bool has_capability(struct task_struct *t, int cap)
|
|||
*/
|
||||
bool has_capability_noaudit(struct task_struct *t, int cap)
|
||||
{
|
||||
int ret;
|
||||
|
||||
rcu_read_lock();
|
||||
ret = security_capable_noaudit(__task_cred(t), &init_user_ns, cap);
|
||||
rcu_read_unlock();
|
||||
|
||||
return (ret == 0);
|
||||
return has_ns_capability_noaudit(t, &init_user_ns, cap);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче