Merge branch 'for-linus' of git://selinuxproject.org/~jmorris/linux-security
index 7cd4c3affac87b236f14fe1b7a570345d7fc38f0..6a3683e28426b132d5890398609710bca7397310 100644 (file)
@@ -1415,8 +1415,7 @@ static int current_has_perm(const struct task_struct *tsk,
 #endif
 
 /* Check whether a task is allowed to use a capability. */
-static int task_has_capability(struct task_struct *tsk,
-                              const struct cred *cred,
+static int cred_has_capability(const struct cred *cred,
                               int cap, int audit)
 {
        struct common_audit_data ad;
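Review bot: The comment two lines above the new signature still says the function checks whether a task may use a capability, but cred_has_capability no longer takes a task: it checks a cred and, in the next hunk, pins the audit record to the caller with `ad.tsk = current`. Suggest replacing it with `/* Check whether a set of credentials grants a capability; the audit record is attributed to current, so pass current's cred or one derived from it. */`. The call sites updated later in this diff all pass current_cred() or the ioctl's cred, which is consistent with that; a caller elsewhere passing another task's cred would be audited against the wrong task, though none is visible here. cred_has_capability's body continues past this hunk.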
@@ -1427,7 +1426,7 @@ static int task_has_capability(struct task_struct *tsk,
        int rc;
 
        COMMON_AUDIT_DATA_INIT(&ad, CAP);
-       ad.tsk = tsk;
+       ad.tsk = current;
        ad.u.cap = cap;
 
        switch (CAP_TO_INDEX(cap)) {
@@ -1811,7 +1810,7 @@ static int selinux_ptrace_access_check(struct task_struct *child,
        if (rc)
                return rc;
 
-       if (mode == PTRACE_MODE_READ) {
+       if (mode & PTRACE_MODE_READ) {
                u32 sid = current_sid();
                u32 csid = task_sid(child);
                return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
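Review bot: The switch from `==` to `&` makes the READ test accept any mode value that carries the PTRACE_MODE_READ bit, so a mode with both READ and ATTACH bits set would take the FILE__READ branch rather than the stricter one; that is only correct if callers never combine the two, which this hunk cannot show. Since the change presumably exists because other flag bits can now be OR'd into mode, a one-line comment would make that intent explicit: `/* mode is a bitmask (other PTRACE_MODE_* flags may be OR'd in); test the bit, not equality. */`. The else branch and the rest of selinux_ptrace_access_check lie outside the hunk.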
@@ -1868,16 +1867,16 @@ static int selinux_capset(struct cred *new, const struct cred *old,
  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
  */
 
-static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
-                          struct user_namespace *ns, int cap, int audit)
+static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
+                          int cap, int audit)
 {
        int rc;
 
-       rc = cap_capable(tsk, cred, ns, cap, audit);
+       rc = cap_capable(cred, ns, cap, audit);
        if (rc)
                return rc;
 
-       return task_has_capability(tsk, cred, cap, audit);
+       return cred_has_capability(cred, cap, audit);
 }
 
 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
@@ -1954,8 +1953,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 {
        int rc, cap_sys_admin = 0;
 
-       rc = selinux_capable(current, current_cred(),
-                            &init_user_ns, CAP_SYS_ADMIN,
+       rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
                             SECURITY_CAP_NOAUDIT);
        if (rc == 0)
                cap_sys_admin = 1;
@@ -2859,8 +2857,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
         * and lack of permission just means that we fall back to the
         * in-core context value, not a denial.
         */
-       error = selinux_capable(current, current_cred(),
-                               &init_user_ns, CAP_MAC_ADMIN,
+       error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
                                SECURITY_CAP_NOAUDIT);
        if (!error)
                error = security_sid_to_context_force(isec->sid, &context,
@@ -2993,8 +2990,8 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
 
        case KDSKBENT:
        case KDSKBSENT:
-               error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
-                                       SECURITY_CAP_AUDIT);
+               error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
+                                           SECURITY_CAP_AUDIT);
                break;
 
        /* default case assumes that the command will go
@@ -4718,24 +4715,6 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
        return selinux_nlmsg_perm(sk, skb);
 }
 
-static int selinux_netlink_recv(struct sk_buff *skb, int capability)
-{
-       int err;
-       struct common_audit_data ad;
-       u32 sid;
-
-       err = cap_netlink_recv(skb, capability);
-       if (err)
-               return err;
-
-       COMMON_AUDIT_DATA_INIT(&ad, CAP);
-       ad.u.cap = capability;
-
-       security_task_getsecid(current, &sid);
-       return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
-                           CAP_TO_MASK(capability), &ad);
-}
-
 static int ipc_alloc_security(struct task_struct *task,
                              struct kern_ipc_perm *perm,
                              u16 sclass)
@@ -5464,7 +5443,6 @@ static struct security_operations selinux_ops = {
        .vm_enough_memory =             selinux_vm_enough_memory,
 
        .netlink_send =                 selinux_netlink_send,
-       .netlink_recv =                 selinux_netlink_recv,
 
        .bprm_set_creds =               selinux_bprm_set_creds,
        .bprm_committing_creds =        selinux_bprm_committing_creds,