capabilities: reverse arguments to security_capable
authorEric Paris <eparis@redhat.com>
Tue, 3 Jan 2012 17:25:15 +0000 (12:25 -0500)
committerEric Paris <eparis@redhat.com>
Thu, 5 Jan 2012 23:52:53 +0000 (18:52 -0500)
security_capable takes ns, cred, cap.  But the LSM capable() hook takes
cred, ns, cap.  The capability helper functions also take cred, ns, cap.
Rather than flip argument order just to flip it back, leave them alone.
Heck, this should be a little faster since the arguments will be in the right
place!

Signed-off-by: Eric Paris <eparis@redhat.com>
drivers/pci/pci-sysfs.c
include/linux/security.h
kernel/capability.c
security/security.c

index 7bcf12adced7249674ec931ea034066fb6ef3d64..a4457ab61342f09dafbccb02b85eace93a32a1b8 100644 (file)
@@ -431,7 +431,7 @@ pci_read_config(struct file *filp, struct kobject *kobj,
        u8 *data = (u8*) buf;
 
        /* Several chips lock up trying to read undefined config space */
-       if (security_capable(&init_user_ns, filp->f_cred, CAP_SYS_ADMIN) == 0) {
+       if (security_capable(filp->f_cred, &init_user_ns, CAP_SYS_ADMIN) == 0) {
                size = dev->cfg_size;
        } else if (dev->hdr_type == PCI_HEADER_TYPE_CARDBUS) {
                size = 128;
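Review bot: The `== 0` test on `security_capable()` in `pci_read_config` reads like a failure branch, although 0 is the granted result here (it selects the full `dev->cfg_size`), and nothing at the call site says so. A short comment above the `if` would make it harder for a later edit to invert the check and hand the full config space to unprivileged readers, for example `/* 0 == granted: opener's creds (filp->f_cred) hold CAP_SYS_ADMIN in init_user_ns */`. The check appears to use the credentials of whoever opened the file rather than the current task on purpose, and the comment is a good place to record that. The function body starts and ends outside this hunk.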
index 4921163b2752b94ab7f3f1b04ecf0c841a6a26d8..ee969ff40a26bc445776aea4af1b0807d1bb0748 100644 (file)
@@ -1666,7 +1666,7 @@ int security_capset(struct cred *new, const struct cred *old,
                    const kernel_cap_t *effective,
                    const kernel_cap_t *inheritable,
                    const kernel_cap_t *permitted);
-int security_capable(struct user_namespace *ns, const struct cred *cred,
+int security_capable(const struct cred *cred, struct user_namespace *ns,
                        int cap);
 int security_real_capable(struct task_struct *tsk, struct user_namespace *ns,
                        int cap);
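Review bot: The reordered prototype of `security_capable()` carries no comment fixing the argument order or the return convention, and both swapped parameters are pointers, so a caller left on the old `(ns, cred, cap)` order is caught only by an incompatible-pointer-type diagnostic, which may be just a warning depending on build flags. A kernel-doc comment on the declaration would help, stating that the order is `cred, ns, cap` to match the LSM `capable()` hook and `cap_capable()`, and that a return of 0 means the capability is granted. The same signature appears in the inline stub in the next hunk of this file and in the definition in security/security.c, and the three need to stay in step. Callers outside the four files in this diff are not visible here and are worth confirming with a tree-wide search before merging.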
@@ -1863,8 +1863,8 @@ static inline int security_capset(struct cred *new,
        return cap_capset(new, old, effective, inheritable, permitted);
 }
 
-static inline int security_capable(struct user_namespace *ns,
-                                  const struct cred *cred, int cap)
+static inline int security_capable(const struct cred *cred,
+                                  struct user_namespace *ns, int cap)
 {
        return cap_capable(cred, ns, cap, SECURITY_CAP_AUDIT);
 }
index 283c529f8b1cfd2199e90e238aa3d2a67370c414..d98392719adbf82c9ae129f34fb3ee2241b5c87a 100644 (file)
@@ -374,7 +374,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
                BUG();
        }
 
-       if (security_capable(ns, current_cred(), cap) == 0) {
+       if (security_capable(current_cred(), ns, cap) == 0) {
                current->flags |= PF_SUPERPRIV;
                return true;
        }
index 9ae68c64455e7f87c4f3db998077bb9e876d397c..b9e57f4fc44a43b0603544766f90aafe67500702 100644 (file)
@@ -154,7 +154,7 @@ int security_capset(struct cred *new, const struct cred *old,
                                    effective, inheritable, permitted);
 }
 
-int security_capable(struct user_namespace *ns, const struct cred *cred,
+int security_capable(const struct cred *cred, struct user_namespace *ns,
                     int cap)
 {
        return security_ops->capable(cred, ns, cap, SECURITY_CAP_AUDIT);