Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752299AbbGXL1w (ORCPT ); Fri, 24 Jul 2015 07:27:52 -0400 Received: from mailout3.samsung.com ([203.254.224.33]:45622 "EHLO mailout3.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750740AbbGXL1q (ORCPT ); Fri, 24 Jul 2015 07:27:46 -0400 X-AuditID: cbfee68e-f79c56d000006efb-8b-55b2212f7551 From: Sungbae Yoo To: Casey Schaufler Cc: James Morris , "Serge E. Hallyn" , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Sungbae Yoo Subject: [PATCH] Smack: replace capable() with ns_capable() Date: Fri, 24 Jul 2015 20:26:14 +0900 Message-id: <1437737174-29451-1-git-send-email-sungbae.yoo@samsung.com> X-Mailer: git-send-email 1.9.1 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrDLMWRmVeSWpSXmKPExsWyRsSkRFdfcVOowZTFChb3tv1is+h7HGRx edccNosPPY/YLM5fOMdu8bD5J6MDm8e13ZEeH5/eYvHo27KK0ePo/kVsHp83yQWwRnHZpKTm ZJalFunbJXBlPLu1j6ngHkfFk4vPmBoY57F3MXJySAiYSCx+eYUZwhaTuHBvPRuILSSwlFFi 0w5XmJpzMz+wdDFyAcWnM0r8XT+FHcL5wSgx/cQUsG42AW2JbbuOgHWLCOhI7NvzHKyIWeAQ o0Tr3NUsIAlhAWuJ52t/gBWxCKhKTJ68h6mLkYODV8Bd4v8mbohtchInj01mBemVEPjOJtF1 YQErRL2AxLfJh1hA6iUEZCU2HYC6WlLi4IobLBMYBRcwMqxiFE0tSC4oTkovMtIrTswtLs1L 10vOz93ECAzU0/+e9e1gvHnA+hCjAAejEg9vxoSNoUKsiWXFlbmHGE2BNkxklhJNzgfGQ15J vKGxmZGFqYmpsZG5pZmSOG+C1M9gIYH0xJLU7NTUgtSi+KLSnNTiQ4xMHJxSDYzN9hMS9yiG FXO8FZWco9T6/86vs0mObQU8c8OCZpyv/Hxwd/ZEA2WxzETTYw3tjd/+7pqtzC7lxFQvzdLx lt+0UvqC0Pbvlttb50+r+n1hU9y5aKN83pj57NnLszeIctone70WsedZuspg1vc8VeZzcx4e C+Y94Bq8b3pCmVBD0e/dsXaL7yqxFGckGmoxFxUnAgBsbussTwIAAA== X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpnkeLIzCtJLcpLzFFi42I5/e+xoK6+4qZQg+WrJS3ubfvFZtH3OMji 8q45bBYfeh6xWZy/cI7d4mHzT0YHNo9ruyM9Pj69xeLRt2UVo8fR/YvYPD5vkgtgjWpgtMlI TUxJLVJIzUvOT8nMS7dV8g6Od443NTMw1DW0tDBXUshLzE21VXLxCdB1y8wBOkBJoSwxpxQo FJBYXKykb4dpQmiIm64FTGOErm9IEFyPkQEaSFjDmPHs1j6mgnscFU8uPmNqYJzH3sXIySEh YCJxbuYHFghbTOLCvfVsXYxcHEIC0xkl/q6fwg7h/GCUmH5iCjNIFZuAtsS2XUfYQGwRAR2J fXuegxUxCxxilGiduxpslLCAtcTztT/AilgEVCUmT97D1MXIwcEr4C7xfxM3xDY5iZPHJrNO YORewMiwilE0tSC5oDgpPddIrzgxt7g0L10vOT93EyM4Ep5J72Bc1WBxiFGAg1GJhzdjwsZQ IdbEsuLKXKClHMxKIrwMx4BCvCmJlVWpRfnxRaU5qcWHGE2Blk9klhJNzgdGaV5JvKGxiZmR pZG5oYWRsbmSOO/JfJ9QIYH0xJLU7NTUgtQimD4mDk6pBsYlm1eGHhM/IRHOarB79va5TyNj V72KEbtYm3PdqmvNmxTBGLmGQ1xvEv4fO3TrjroE08KvLZdOxO/1swsoqPsl2Ra6VtH5yY5O PdFVJysfyS/epPm84YxftymDOe+9uNQdxzlevjwjuG9jZrcdGxdvKqNbzJ2fu/+15XVP3pSj 8UIvtv7Vc34lluKMREMt5qLiRADCLrl6mgIAAA== DLP-Filter: Pass X-MTR: 20000000000000000@CPGS X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1328 Lines: 40 If current task has capabilities, Smack operations (eg. Changing own smack label) should be available even inside of namespace. Signed-off-by: Sungbae Yoo diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 00f6b38..f6b2c35 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -639,7 +639,7 @@ int smack_privileged(int cap) struct smack_known *skp = smk_of_current(); struct smack_onlycap *sop; - if (!capable(cap)) + if (!ns_capable(current_user_ns(), cap)) return 0; rcu_read_lock(); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index a143328..7fdc3dd 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -403,7 +403,8 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, rc = 0; else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) rc = -EACCES; - else if (capable(CAP_SYS_PTRACE)) + else if (ns_capable(__task_cred(tracer)->user_ns, + CAP_SYS_PTRACE)) rc = 0; else rc = -EACCES; -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/