--- linux-2.6.11.11/include/linux/sched.h 2005-03-02 12:38:53 +0100 +++ linux-2.6.11.11-vs2.0-rc3/include/linux/sched.h 2005-06-01 14:34:17 +0200 @@ -922,15 +940,28 @@ static inline int sas_ss_flags(unsigned #ifdef CONFIG_SECURITY /* code is in security.c */ extern int capable(int cap); +extern int vx_capable(int cap, int ccap); #else static inline int capable(int cap) { + if (vx_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap)) + return 0; if (cap_raised(current->cap_effective, cap)) { current->flags |= PF_SUPERPRIV; return 1; } return 0; } + +static inline int vx_capable(int cap, int ccap) +{ + if (cap_raised(current->cap_effective, cap) && + vx_ccaps(ccap)) { + current->flags |= PF_SUPERPRIV; + return 1; + } + return 0; +} #endif /* --- linux-2.6.11.11/kernel/sched.c 2005-03-02 12:39:08 +0100 +++ linux-2.6.11.11-vs2.0-rc3/kernel/sched.c 2005-06-01 14:34:17 +0200 @@ -3293,6 +3437,8 @@ asmlinkage long sys_nice(int increment) * and we have a single winner. */ if (increment < 0) { + if (vx_flags(VXF_IGNEG_NICE, 0)) + return 0; if (!capable(CAP_SYS_NICE)) return -EPERM; if (increment < -40) --- linux-2.6.11.11/kernel/sys.c 2005-03-02 12:39:08 +0100 +++ linux-2.6.11.11-vs2.0-rc3/kernel/sys.c 2005-06-01 14:34:17 +0200 @@ -226,7 +228,10 @@ static int set_one_prio(struct task_stru goto out; } if (niceval < task_nice(p) && !capable(CAP_SYS_NICE)) { - error = -EACCES; + if (vx_flags(VXF_IGNEG_NICE, 0)) + error = 0; + else + error = -EACCES; goto out; } no_nice = security_task_setnice(p, niceval); --- linux-2.6.11.11/kernel/sys.c 2005-03-02 12:39:08 +0100 +++ linux-2.6.11.11-vs2.0-rc3/kernel/sys.c 2005-06-01 14:34:17 +0200 @@ -1489,7 +1509,7 @@ asmlinkage long sys_setrlimit(unsigned i return -EINVAL; old_rlim = current->signal->rlim + resource; if ((new_rlim.rlim_max > old_rlim->rlim_max) && - !capable(CAP_SYS_RESOURCE)) + !capable(CAP_SYS_RESOURCE) && !vx_ccaps(VXC_SET_RLIMIT)) return -EPERM; if (resource == RLIMIT_NOFILE && new_rlim.rlim_max > NR_OPEN) return -EPERM; --- linux-2.6.11.11/security/commoncap.c 2005-03-02 12:39:12 +0100 +++ linux-2.6.11.11-vs2.0-rc3/security/commoncap.c 2005-06-01 14:34:17 +0200 @@ -142,7 +142,7 @@ void cap_bprm_apply_creds (struct linux_ /* Derived from fs/exec.c:compute_creds. */ kernel_cap_t new_permitted, working; - new_permitted = cap_intersect (bprm->cap_permitted, cap_bset); + new_permitted = cap_intersect (bprm->cap_permitted, vx_current_bcaps()); working = cap_intersect (bprm->cap_inheritable, current->cap_inheritable); new_permitted = cap_combine (new_permitted, working); --- linux-2.6.11.11/security/commoncap.c 2005-03-02 12:39:12 +0100 +++ linux-2.6.11.11-vs2.0-rc3/security/commoncap.c 2005-06-01 14:34:17 +0200 @@ -311,7 +311,8 @@ void cap_task_reparent_to_init (struct t int cap_syslog (int type) { - if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN)) + if ((type != 3 && type != 10) && + !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SYSLOG)) return -EPERM; return 0; } --- linux-2.6.11.11/security/security.c 2005-03-02 12:39:12 +0100 +++ linux-2.6.11.11-vs2.0-rc3/security/security.c 2005-06-01 14:34:17 +0200 @@ -185,6 +185,8 @@ int mod_unreg_security(const char *name, */ int capable(int cap) { + if (vx_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap)) + return 0; if (security_ops->capable(current, cap)) { /* capability denied */ return 0; --- linux-2.6.11.11/security/security.c 2005-03-02 12:39:12 +0100 +++ linux-2.6.11.11-vs2.0-rc3/security/security.c 2005-06-01 14:34:17 +0200 @@ -195,9 +197,24 @@ int capable(int cap) return 1; } +int vx_capable(int cap, int ccap) +{ + if (security_ops->capable(current, cap)) { + /* capability denied */ + return 0; + } + if (!vx_ccaps(ccap)) + return 0; + + /* capability granted */ + current->flags |= PF_SUPERPRIV; + return 1; +} + EXPORT_SYMBOL_GPL(register_security); EXPORT_SYMBOL_GPL(unregister_security); EXPORT_SYMBOL_GPL(mod_reg_security); EXPORT_SYMBOL_GPL(mod_unreg_security); EXPORT_SYMBOL(capable); +EXPORT_SYMBOL(vx_capable); EXPORT_SYMBOL(security_ops);