--- linux-2.6.12.2/include/linux/sched.h 2005-06-22 02:38:49 +0200 +++ linux-2.6.12.2-vs2.0-rc6.1/include/linux/sched.h 2005-07-02 22:38:30 +0200 @@ -980,15 +999,28 @@ static inline int sas_ss_flags(unsigned #ifdef CONFIG_SECURITY /* code is in security.c */ extern int capable(int cap); +extern int vx_capable(int cap, int ccap); #else static inline int capable(int cap) { + if (vx_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap)) + return 0; if (cap_raised(current->cap_effective, cap)) { current->flags |= PF_SUPERPRIV; return 1; } return 0; } + +static inline int vx_capable(int cap, int ccap) +{ + if (cap_raised(current->cap_effective, cap) && + vx_ccaps(ccap)) { + current->flags |= PF_SUPERPRIV; + return 1; + } + return 0; +} #endif /* --- linux-2.6.12.2/kernel/sched.c 2005-06-22 02:38:53 +0200 +++ linux-2.6.12.2-vs2.0-rc6.1/kernel/sched.c 2005-07-02 22:38:30 +0200 @@ -3268,7 +3412,7 @@ asmlinkage long sys_nice(int increment) nice = 19; if (increment < 0 && !can_nice(current, nice)) - return -EPERM; + return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM; retval = security_task_setnice(current, nice); if (retval) --- linux-2.6.12.2/kernel/sys.c 2005-06-22 02:38:53 +0200 +++ linux-2.6.12.2-vs2.0-rc6.1/kernel/sys.c 2005-07-02 22:38:30 +0200 @@ -229,7 +231,10 @@ static int set_one_prio(struct task_stru goto out; } if (niceval < task_nice(p) && !can_nice(p, niceval)) { - error = -EACCES; + if (vx_flags(VXF_IGNEG_NICE, 0)) + error = 0; + else + error = -EACCES; goto out; } no_nice = security_task_setnice(p, niceval); --- linux-2.6.12.2/kernel/sys.c 2005-06-22 02:38:53 +0200 +++ linux-2.6.12.2-vs2.0-rc6.1/kernel/sys.c 2005-07-02 22:38:30 +0200 @@ -1492,7 +1512,7 @@ asmlinkage long sys_setrlimit(unsigned i return -EINVAL; old_rlim = current->signal->rlim + resource; if ((new_rlim.rlim_max > old_rlim->rlim_max) && - !capable(CAP_SYS_RESOURCE)) + !capable(CAP_SYS_RESOURCE) && !vx_ccaps(VXC_SET_RLIMIT)) return -EPERM; if (resource == RLIMIT_NOFILE && new_rlim.rlim_max > NR_OPEN) return -EPERM; --- linux-2.6.12.2/security/commoncap.c 2005-03-02 12:39:12 +0100 +++ linux-2.6.12.2-vs2.0-rc6.1/security/commoncap.c 2005-07-02 22:38:30 +0200 @@ -142,7 +142,7 @@ void cap_bprm_apply_creds (struct linux_ /* Derived from fs/exec.c:compute_creds. */ kernel_cap_t new_permitted, working; - new_permitted = cap_intersect (bprm->cap_permitted, cap_bset); + new_permitted = cap_intersect (bprm->cap_permitted, vx_current_bcaps()); working = cap_intersect (bprm->cap_inheritable, current->cap_inheritable); new_permitted = cap_combine (new_permitted, working); --- linux-2.6.12.2/security/commoncap.c 2005-03-02 12:39:12 +0100 +++ linux-2.6.12.2-vs2.0-rc6.1/security/commoncap.c 2005-07-02 22:38:30 +0200 @@ -311,7 +311,8 @@ void cap_task_reparent_to_init (struct t int cap_syslog (int type) { - if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN)) + if ((type != 3 && type != 10) && + !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SYSLOG)) return -EPERM; return 0; } --- linux-2.6.12.2/security/security.c 2005-03-02 12:39:12 +0100 +++ linux-2.6.12.2-vs2.0-rc6.1/security/security.c 2005-07-02 22:38:30 +0200 @@ -185,6 +185,8 @@ int mod_unreg_security(const char *name, */ int capable(int cap) { + if (vx_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap)) + return 0; if (security_ops->capable(current, cap)) { /* capability denied */ return 0; --- linux-2.6.12.2/security/security.c 2005-03-02 12:39:12 +0100 +++ linux-2.6.12.2-vs2.0-rc6.1/security/security.c 2005-07-02 22:38:30 +0200 @@ -195,9 +197,24 @@ int capable(int cap) return 1; } +int vx_capable(int cap, int ccap) +{ + if (security_ops->capable(current, cap)) { + /* capability denied */ + return 0; + } + if (!vx_ccaps(ccap)) + return 0; + + /* capability granted */ + current->flags |= PF_SUPERPRIV; + return 1; +} + EXPORT_SYMBOL_GPL(register_security); EXPORT_SYMBOL_GPL(unregister_security); EXPORT_SYMBOL_GPL(mod_reg_security); EXPORT_SYMBOL_GPL(mod_unreg_security); EXPORT_SYMBOL(capable); +EXPORT_SYMBOL(vx_capable); EXPORT_SYMBOL(security_ops);