security: add cred argument to security_capable()

commit 6037b715d6fab139742c3df8851db4c823081561 upstream.

Expand security_capable() to include cred, so that it can be usable in a
wider range of call sites.

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
[wt: needed by next patch only]
Signed-off-by: Willy Tarreau <w@1wt.eu>

diff --git a/include/linux/security.h b/include/linux/security.h
index d40d23fa576ad154c9a703e06426b142068a7df1..73ebc3f608f1f148421e3cc25d9296d7a0a0ad3e 100644 (file)
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1733,7 +1733,7 @@ int security_capset(struct cred *new, const struct cred *old,
                    const kernel_cap_t *effective,
                    const kernel_cap_t *inheritable,
                    const kernel_cap_t *permitted);
-int security_capable(int cap);
+int security_capable(const struct cred *cred, int cap);
 int security_real_capable(struct task_struct *tsk, int cap);
 int security_real_capable_noaudit(struct task_struct *tsk, int cap);
 int security_acct(struct file *file);
@@ -1938,9 +1938,9 @@ static inline int security_capset(struct cred *new,
        return cap_capset(new, old, effective, inheritable, permitted);
 }
 
-static inline int security_capable(int cap)
+static inline int security_capable(const struct cred *cred, int cap)
 {
-       return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT);
+       return cap_capable(current, cred, cap, SECURITY_CAP_AUDIT);
 }
 
 static inline int security_real_capable(struct task_struct *tsk, int cap)

diff --git a/kernel/capability.c b/kernel/capability.c
index 8a944f528b97e8e1436b72f93381a7ef60dd420c..771618c63cba5ebe36b31c95e5ebb7104c125d73 100644 (file)
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -305,7 +305,7 @@ int capable(int cap)
                BUG();
        }
 
-       if (security_capable(cap) == 0) {
+       if (security_capable(current_cred(), cap) == 0) {
                current->flags |= PF_SUPERPRIV;
                return 1;
        }

diff --git a/security/security.c b/security/security.c
index c4c673240c1c6761beadc94f3746e99d09c6a703..227b173cd55e42f09223c9600ad7238e8cb12231 100644 (file)
--- a/security/security.c
+++ b/security/security.c
@@ -151,10 +151,9 @@ int security_capset(struct cred *new, const struct cred *old,
                                    effective, inheritable, permitted);
 }
 
-int security_capable(int cap)
+int security_capable(const struct cred *cred, int cap)
 {
-       return security_ops->capable(current, current_cred(), cap,
-                                    SECURITY_CAP_AUDIT);
+       return security_ops->capable(current, cred, cap, SECURITY_CAP_AUDIT);
 }
 
 int security_real_capable(struct task_struct *tsk, int cap)