authorTyler Hicks <tyhicks@canonical.com>2016-06-02 23:43:21 -0500
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2016-09-15 08:20:25 +0200
commit6bc11f071a775df8d8240a2599b024d8f1bf8e76 (patch)
tree5d045741c019ddfaaa20649faa200540be803f45 /include
parenta913c940039ce803939bb81f3c3be3aab0d43b5c (diff)
kernel: Add noaudit variant of ns_capable()
commit 98f368e9e2630a3ce3e80fb10fb2e02038cf9578 upstream. When checking the current cred for a capability in a specific user namespace, it isn't always desirable to have the LSMs audit the check. This patch adds a noaudit variant of ns_capable() for when those situations arise. The common logic between ns_capable() and the new ns_capable_noaudit() is moved into a single, shared function to keep duplicated code to a minimum and ease maintainability. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'include')
-rw-r--r--include/linux/capability.h5
1 files changed, 5 insertions, 0 deletions
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 00690ff92edf..5f3c63dde2d5 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -206,6 +206,7 @@ extern bool has_ns_capability_noaudit(struct task_struct *t,
struct user_namespace *ns, int cap);
extern bool capable(int cap);
extern bool ns_capable(struct user_namespace *ns, int cap);
+extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
#else
static inline bool has_capability(struct task_struct *t, int cap)
{
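Review bot: The new `ns_capable_noaudit()` declaration on the line after `ns_capable()` carries no comment, so a reader of the header cannot tell how it differs from `ns_capable()` or when suppressing the audit is acceptable; the existing `has_ns_capability_noaudit()` above it has the same gap, so the convention here is to document in the .c file, but a one-line pointer in the header would still help. Suppressing LSM audit removes the detection signal for a denied capability check, so new callers should be limited to cases where a denial is an expected outcome (a probe for an optional capability) rather than a policy violation worth logging. I would add above the declaration: `/* Like ns_capable(), but LSM hooks are told not to audit a denial; use only where a denied check is expected, not a violation to log. */` Whether the no-audit variant still sets PF_SUPERPRIV on success, as the shared helper described in the commit message suggests, is not visible in this include-only diff and should be confirmed in kernel/capability.c.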
@@ -233,6 +234,10 @@ static inline bool ns_capable(struct user_namespace *ns, int cap)
{
return true;
}
+static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap)
+{
+ return true;
+}
#endif /* CONFIG_MULTIUSER */
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);