diff options
author | Eric W. Biederman <ebiederm@xmission.com> | 2013-03-19 11:02:25 +0400 |
---|---|---|
committer | Eric Paris <eparis@redhat.com> | 2014-01-14 07:26:48 +0400 |
commit | ca24a23ebca17d9d0f2afde4ee49cd810bccc8d7 (patch) | |
tree | 9049f1e4911b21c181b3dcb435b5c75c8e18142c | |
parent | fc582aef7dcc27a7120cf232c1e76c569c7b6eab (diff) | |
download | linux-ca24a23ebca17d9d0f2afde4ee49cd810bccc8d7.tar.xz |
audit: Simplify and correct audit_log_capset
- Always report the current process as capset now always only works on
the current process. This prevents reporting 0 or a random pid in
a random pid namespace.
- Don't bother to pass the pid as is available.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
(cherry picked from commit bcc85f0af31af123e32858069eb2ad8f39f90e67)
(cherry picked from commit f911cac4556a7a23e0b3ea850233d13b32328692)
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[eparis: fix build error when audit disabled]
Signed-off-by: Eric Paris <eparis@redhat.com>
-rw-r--r-- | include/linux/audit.h | 10 | ||||
-rw-r--r-- | kernel/auditsc.c | 6 | ||||
-rw-r--r-- | kernel/capability.c | 2 |
3 files changed, 8 insertions, 10 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index a40641954c29..c9a66c6f1307 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -220,7 +220,7 @@ extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, const struct cred *new, const struct cred *old); -extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old); +extern void __audit_log_capset(const struct cred *new, const struct cred *old); extern void __audit_mmap_fd(int fd, int flags); static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) @@ -285,11 +285,11 @@ static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, return 0; } -static inline void audit_log_capset(pid_t pid, const struct cred *new, +static inline void audit_log_capset(const struct cred *new, const struct cred *old) { if (unlikely(!audit_dummy_context())) - __audit_log_capset(pid, new, old); + __audit_log_capset(new, old); } static inline void audit_mmap_fd(int fd, int flags) @@ -397,8 +397,8 @@ static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, { return 0; } -static inline void audit_log_capset(pid_t pid, const struct cred *new, - const struct cred *old) +static inline void audit_log_capset(const struct cred *new, + const struct cred *old) { } static inline void audit_mmap_fd(int fd, int flags) { } diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 90594c9f7552..df1e685809e1 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2321,18 +2321,16 @@ int __audit_log_bprm_fcaps(struct linux_binprm *bprm, /** * __audit_log_capset - store information about the arguments to the capset syscall - * @pid: target pid of the capset call * @new: the new credentials * @old: the old (current) credentials * * Record the aguments userspace sent to sys_capset for later printing by the * audit system if applicable */ -void __audit_log_capset(pid_t pid, - const struct cred *new, const struct cred *old) +void __audit_log_capset(const struct cred *new, const struct cred *old) { struct audit_context *context = current->audit_context; - context->capset.pid = pid; + context->capset.pid = task_pid_nr(current); context->capset.cap.effective = new->cap_effective; context->capset.cap.inheritable = new->cap_effective; context->capset.cap.permitted = new->cap_permitted; diff --git a/kernel/capability.c b/kernel/capability.c index 4e66bf9275b0..34019c57888d 100644 --- a/kernel/capability.c +++ b/kernel/capability.c @@ -277,7 +277,7 @@ SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) if (ret < 0) goto error; - audit_log_capset(pid, new, current_cred()); + audit_log_capset(new, current_cred()); return commit_creds(new); |