summaryrefslogtreecommitdiff
path: root/security/security.c
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2008-11-14 02:39:14 +0300
committerJames Morris <jmorris@namei.org>2008-11-14 02:39:14 +0300
commit1cdcbec1a3372c0c49c59d292e708fd07b509f18 (patch)
treed1bd302c8d66862da45b494cbc766fb4caa5e23e /security/security.c
parent8bbf4976b59fc9fc2861e79cab7beb3f6d647640 (diff)
downloadlinux-1cdcbec1a3372c0c49c59d292e708fd07b509f18.tar.xz
CRED: Neuter sys_capset()
Take away the ability for sys_capset() to affect processes other than current. This means that current will not need to lock its own credentials when reading them against interference by other processes. This has effectively been the case for a while anyway, since: (1) Without LSM enabled, sys_capset() is disallowed. (2) With file-based capabilities, sys_capset() is neutered. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Acked-by: Andrew G. Morgan <morgan@kernel.org> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/security.c')
-rw-r--r--security/security.c18
1 files changed, 8 insertions, 10 deletions
diff --git a/security/security.c b/security/security.c
index 346f21e0ec2c..dca37381e2a7 100644
--- a/security/security.c
+++ b/security/security.c
@@ -145,20 +145,18 @@ int security_capget(struct task_struct *target,
return security_ops->capget(target, effective, inheritable, permitted);
}
-int security_capset_check(struct task_struct *target,
- kernel_cap_t *effective,
- kernel_cap_t *inheritable,
- kernel_cap_t *permitted)
+int security_capset_check(kernel_cap_t *effective,
+ kernel_cap_t *inheritable,
+ kernel_cap_t *permitted)
{
- return security_ops->capset_check(target, effective, inheritable, permitted);
+ return security_ops->capset_check(effective, inheritable, permitted);
}
-void security_capset_set(struct task_struct *target,
- kernel_cap_t *effective,
- kernel_cap_t *inheritable,
- kernel_cap_t *permitted)
+void security_capset_set(kernel_cap_t *effective,
+ kernel_cap_t *inheritable,
+ kernel_cap_t *permitted)
{
- security_ops->capset_set(target, effective, inheritable, permitted);
+ security_ops->capset_set(effective, inheritable, permitted);
}
int security_capable(struct task_struct *tsk, int cap)