git.openpandora.org / pandora-kernel.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
userns: security: make capabilities relative to the user namespace
[pandora-kernel.git] / security / selinux / hooks.c
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6475e1f..c67f863 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -79,6 +79,7 @@
 #include <linux/mutex.h>
 #include <linux/posix-timers.h>
 #include <linux/syslog.h>
+#include <linux/user_namespace.h>
 
 #include "avc.h"
 #include "objsec.h"
@@ -1846,11 +1847,11 @@ static int selinux_capset(struct cred *new, const struct cred *old,
  */
 
 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
-                          int cap, int audit)
+                          struct user_namespace *ns, int cap, int audit)
 {
        int rc;
 
-       rc = cap_capable(tsk, cred, cap, audit);
+       rc = cap_capable(tsk, cred, ns, cap, audit);
        if (rc)
                return rc;
 
@@ -1931,7 +1932,8 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 {
        int rc, cap_sys_admin = 0;
 
-       rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
+       rc = selinux_capable(current, current_cred(),
+                            &init_user_ns, CAP_SYS_ADMIN,
                             SECURITY_CAP_NOAUDIT);
        if (rc == 0)
                cap_sys_admin = 1;
@@ -2834,7 +2836,8 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
         * and lack of permission just means that we fall back to the
         * in-core context value, not a denial.
         */
-       error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
+       error = selinux_capable(current, current_cred(),
+                               &init_user_ns, CAP_MAC_ADMIN,
                                SECURITY_CAP_NOAUDIT);
        if (!error)
                error = security_sid_to_context_force(isec->sid, &context,
@@ -2968,7 +2971,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
        case KDSKBENT:
        case KDSKBSENT:
                error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
-                                           SECURITY_CAP_AUDIT);
+                                       SECURITY_CAP_AUDIT);
                break;
 
        /* default case assumes that the command will go
Pandora Kernel Repository