Re: [PATCH 1/2] security: add cred argument to security_capable()

From: Casey Schaufler
Date: Thu Feb 10 2011 - 11:01:25 EST

Next message: Thomas Fjellstrom: "Re: Wake On lan and ATL1 nic"
Previous message: Alan Stern: "Re: [Xen-devel] Re: [linux-pm] [PATCH 0/2] Fix hangup after creatingcheckpoint on Xen."
In reply to: Serge E. Hallyn: "Re: [PATCH 1/2] security: add cred argument to security_capable()"
Next in thread: Chris Wright: "Re: [PATCH 1/2] security: add cred argument to security_capable()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2/9/2011 10:11 PM, Chris Wright wrote:
> Expand security_capable() to include cred, so that it can be usable in a
> wider range of call sites.

I'll bite. What to plan to use this for? I wouldn't see this getting
accepted on its own without a user. I don't see anything wrong with
the change other than that it is not used by anything.

> Cc: James Morris <jmorris@xxxxxxxxx>
> Cc: Eric Paris <eparis@xxxxxxxxxx>
> Cc: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
> Cc: linux-security-module@xxxxxxxxxxxxxxx
> Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
> ---
>
> include/linux/security.h | 6 +++---
> kernel/capability.c | 2 +-
> security/security.c | 5 ++---
> 3 files changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index c642bb8..b2b7f97 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1662,7 +1662,7 @@ int security_capset(struct cred *new, const struct cred *old,
> const kernel_cap_t *effective,
> const kernel_cap_t *inheritable,
> const kernel_cap_t *permitted);
> -int security_capable(int cap);
> +int security_capable(const struct cred *cred, int cap);
> int security_real_capable(struct task_struct *tsk, int cap);
> int security_real_capable_noaudit(struct task_struct *tsk, int cap);
> int security_sysctl(struct ctl_table *table, int op);
> @@ -1856,9 +1856,9 @@ static inline int security_capset(struct cred *new,
> return cap_capset(new, old, effective, inheritable, permitted);
> }
>
> -static inline int security_capable(int cap)
> +static inline int security_capable(const struct cred *cred, int cap)
> {
> - return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT);
> + return cap_capable(current, cred, cap, SECURITY_CAP_AUDIT);
> }
>
> static inline int security_real_capable(struct task_struct *tsk, int cap)
> diff --git a/kernel/capability.c b/kernel/capability.c
> index 2f05303..9e9385f 100644
> --- a/kernel/capability.c
> +++ b/kernel/capability.c
> @@ -306,7 +306,7 @@ int capable(int cap)
> BUG();
> }
>
> - if (security_capable(cap) == 0) {
> + if (security_capable(current_cred(), cap) == 0) {
> current->flags |= PF_SUPERPRIV;
> return 1;
> }
> diff --git a/security/security.c b/security/security.c
> index 739e403..7b7308a 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -154,10 +154,9 @@ int security_capset(struct cred *new, const struct cred *old,
> effective, inheritable, permitted);
> }
>
> -int security_capable(int cap)
> +int security_capable(const struct cred *cred, int cap)
> {
> - return security_ops->capable(current, current_cred(), cap,
> - SECURITY_CAP_AUDIT);
> + return security_ops->capable(current, cred, cap, SECURITY_CAP_AUDIT);
> }
>
> int security_real_capable(struct task_struct *tsk, int cap)

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Thomas Fjellstrom: "Re: Wake On lan and ATL1 nic"
Previous message: Alan Stern: "Re: [Xen-devel] Re: [linux-pm] [PATCH 0/2] Fix hangup after creatingcheckpoint on Xen."
In reply to: Serge E. Hallyn: "Re: [PATCH 1/2] security: add cred argument to security_capable()"
Next in thread: Chris Wright: "Re: [PATCH 1/2] security: add cred argument to security_capable()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]