UBUNTU: Ubuntu-4.15.0-96.97

[mirror_ubuntu-bionic-kernel.git] / security / commoncap.c

diff --git a/security/commoncap.c b/security/commoncap.c
index 48620c93d6976eca3a9b1cc3c34cfe21a69c7a39..31d3936a30954a80759549be04e0c06fe90907b1 100644 (file)
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -69,7 +69,7 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
  * kernel's capable() and has_capability() returns 1 for this case.
  */
 int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
-               int cap, int audit)
+               int cap, unsigned int opts)
 {
        struct user_namespace *ns = targ_ns;
 
@@ -223,12 +223,11 @@ int cap_capget(struct task_struct *target, kernel_cap_t *effective,
  */
 static inline int cap_inh_is_capped(void)
 {
-
        /* they are so limited unless the current task has the CAP_SETPCAP
         * capability
         */
        if (cap_capable(current_cred(), current_cred()->user_ns,
-                       CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
+                       CAP_SETPCAP, CAP_OPT_NONE) == 0)
                return 0;
        return 1;
 }
@@ -388,7 +387,7 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
        if (strcmp(name, "capability") != 0)
                return -EOPNOTSUPP;
 
-       dentry = d_find_alias(inode);
+       dentry = d_find_any_alias(inode);
        if (!dentry)
                return -EINVAL;
 
@@ -449,6 +448,8 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
                                magic |= VFS_CAP_FLAGS_EFFECTIVE;
                        memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
                        cap->magic_etc = cpu_to_le32(magic);
+               } else {
+                       size = -ENOMEM;
                }
        }
        kfree(tmpbuf);
@@ -660,7 +661,7 @@ static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_f
        if (!file_caps_enabled)
                return 0;
 
-       if (!mnt_may_suid(bprm->file->f_path.mnt))
+       if (path_nosuid(&bprm->file->f_path))
                return 0;
 
        /*
@@ -929,7 +930,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
        if (strcmp(name, XATTR_NAME_CAPS) == 0)
                return 0;
 
-       if (!capable(CAP_SYS_ADMIN))
+       if (!ns_capable(dentry->d_sb->s_user_ns, CAP_SYS_ADMIN))
                return -EPERM;
        return 0;
 }
@@ -962,7 +963,7 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name)
                return 0;
        }
 
-       if (!capable(CAP_SYS_ADMIN))
+       if (!ns_capable(dentry->d_sb->s_user_ns, CAP_SYS_ADMIN))
                return -EPERM;
        return 0;
 }
@@ -1206,8 +1207,9 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
                    || ((old->securebits & SECURE_ALL_LOCKS & ~arg2))   /*[2]*/
                    || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS))   /*[3]*/
                    || (cap_capable(current_cred(),
-                                   current_cred()->user_ns, CAP_SETPCAP,
-                                   SECURITY_CAP_AUDIT) != 0)           /*[4]*/
+                                   current_cred()->user_ns,
+                                   CAP_SETPCAP,
+                                   CAP_OPT_NONE) != 0)                 /*[4]*/
                        /*
                         * [1] no changing of bits that are locked
                         * [2] no unlocking of locks
@@ -1302,9 +1304,10 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
 {
        int cap_sys_admin = 0;
 
-       if (cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
-                       SECURITY_CAP_NOAUDIT) == 0)
+       if (cap_capable(current_cred(), &init_user_ns,
+                               CAP_SYS_ADMIN, CAP_OPT_NOAUDIT) == 0)
                cap_sys_admin = 1;
+
        return cap_sys_admin;
 }
 
@@ -1323,19 +1326,21 @@ int cap_mmap_addr(unsigned long addr)
 
        if (addr < dac_mmap_min_addr) {
                ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
-                                 SECURITY_CAP_AUDIT);
+                                 CAP_OPT_NONE);
                /* set PF_SUPERPRIV if it turns out we allow the low mmap */
                if (ret == 0)
                        current->flags |= PF_SUPERPRIV;
        }
        return ret;
 }
+EXPORT_SYMBOL_GPL(cap_mmap_addr);
 
 int cap_mmap_file(struct file *file, unsigned long reqprot,
                  unsigned long prot, unsigned long flags)
 {
        return 0;
 }
+EXPORT_SYMBOL_GPL(cap_mmap_file);
 
 #ifdef CONFIG_SECURITY