diff -NurpP --minimal linux-2.6.16.11-vs2.1.1-rc18.3/fs/namespace.c linux-2.6.16.11-vs2.1.1-rc18.4/fs/namespace.c
--- linux-2.6.16.11-vs2.1.1-rc18.3/fs/namespace.c	2006-04-26 19:07:00 +0200
+++ linux-2.6.16.11-vs2.1.1-rc18.4/fs/namespace.c	2006-04-27 21:27:16 +0200
@@ -676,7 +676,7 @@ asmlinkage long sys_umount(char __user *
 		goto dput_and_out;
 
 	retval = -EPERM;
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
 		goto dput_and_out;
 
 	retval = do_umount(nd.mnt, flags);
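Review bot: The rewritten check before `do_umount()` is not equivalent to the line it replaces. Going by the `vx_capable()` macro this patch adds to include/linux/vs_base.h, `VXC_SECURE_MOUNT` now counts only when `CAP_SYS_ADMIN` is also raised in `current->cap_effective`, whereas the old expression accepted the context capability by itself. The same narrowing applies to every converted call site in this patch: the other fs/namespace.c checks, fs/quota.c, fs/super.c, the XFS quota calls, kernel/sys.c (including `CAP_SYS_RESOURCE`/`VXC_SET_RLIMIT`) and `cap_syslog()`. If that is intended, say so at the check, e.g. `/* VXC_SECURE_MOUNT only helps a task that still holds CAP_SYS_ADMIN */`, so that someone debugging a guest umount that starts returning -EPERM can trace it to this change. The body of sys_umount starts and ends outside the hunk.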
@@ -700,9 +700,7 @@ asmlinkage long sys_oldumount(char __use
 
 static int mount_is_safe(struct nameidata *nd)
 {
-	if (capable(CAP_SYS_ADMIN))
-		return 0;
-	if (vx_ccaps(VXC_SECURE_MOUNT))
+	if (vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
 		return 0;
 	return -EPERM;
 #ifdef notyet
@@ -996,7 +994,7 @@ static int do_remount(struct nameidata *
 	int err;
 	struct super_block *sb = nd->mnt->mnt_sb;
 
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_REMOUNT))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_REMOUNT))
 		return -EPERM;
 
 	if (!check_mnt(nd->mnt))
@@ -1030,7 +1028,7 @@ static int do_move_mount(struct nameidat
 	struct nameidata old_nd, parent_nd;
 	struct vfsmount *p;
 	int err = 0;
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
 		return -EPERM;
 	if (!old_name || !*old_name)
 		return -EINVAL;
@@ -1110,7 +1108,7 @@ static int do_new_mount(struct nameidata
 		return -EINVAL;
 
 	/* we need capabilities... */
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
 		return -EPERM;
 
 	mnt = do_kern_mount(type, flags, name, data);
@@ -1504,7 +1502,7 @@ int copy_namespace(int flags, struct tas
 	if (!(flags & CLONE_NEWNS))
 		return 0;
 
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT)) {
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT)) {
 		err = -EPERM;
 		goto out;
 	}
diff -NurpP --minimal linux-2.6.16.11-vs2.1.1-rc18.3/fs/quota.c linux-2.6.16.11-vs2.1.1-rc18.4/fs/quota.c
--- linux-2.6.16.11-vs2.1.1-rc18.3/fs/quota.c	2006-04-26 19:07:00 +0200
+++ linux-2.6.16.11-vs2.1.1-rc18.4/fs/quota.c	2006-04-27 21:28:28 +0200
@@ -84,11 +84,11 @@ static int generic_quotactl_valid(struct
 	if (cmd == Q_GETQUOTA) {
 		if (((type == USRQUOTA && current->euid != id) ||
 		     (type == GRPQUOTA && !in_egroup_p(id))) &&
-		    !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+		    !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 			return -EPERM;
 	}
 	else if (cmd != Q_GETFMT && cmd != Q_SYNC && cmd != Q_GETINFO)
-		if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+		if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 			return -EPERM;
 
 	return 0;
@@ -135,10 +135,10 @@ static int xqm_quotactl_valid(struct dqh
 	if (cmd == Q_XGETQUOTA) {
 		if (((type == XQM_USRQUOTA && current->euid != id) ||
 		     (type == XQM_GRPQUOTA && !in_egroup_p(id))) &&
-		     !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+		     !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 			return -EPERM;
 	} else if (cmd != Q_XGETQSTAT && cmd != Q_XQUOTASYNC) {
-		if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+		if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 			return -EPERM;
 	}
 
diff -NurpP --minimal linux-2.6.16.11-vs2.1.1-rc18.3/fs/super.c linux-2.6.16.11-vs2.1.1-rc18.4/fs/super.c
--- linux-2.6.16.11-vs2.1.1-rc18.3/fs/super.c	2006-04-26 19:07:00 +0200
+++ linux-2.6.16.11-vs2.1.1-rc18.4/fs/super.c	2006-04-27 21:28:48 +0200
@@ -815,7 +815,7 @@ do_kern_mount(const char *fstype, int fl
 
 	sb = ERR_PTR(-EPERM);
 	if ((type->fs_flags & FS_BINARY_MOUNTDATA) &&
-		!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_BINARY_MOUNT))
+		!vx_capable(CAP_SYS_ADMIN, VXC_BINARY_MOUNT))
 		goto out;
 
 	sb = ERR_PTR(-ENOMEM);
diff -NurpP --minimal linux-2.6.16.11-vs2.1.1-rc18.3/fs/xfs/quota/xfs_qm_syscalls.c linux-2.6.16.11-vs2.1.1-rc18.4/fs/xfs/quota/xfs_qm_syscalls.c
--- linux-2.6.16.11-vs2.1.1-rc18.3/fs/xfs/quota/xfs_qm_syscalls.c	2006-04-26 19:07:00 +0200
+++ linux-2.6.16.11-vs2.1.1-rc18.4/fs/xfs/quota/xfs_qm_syscalls.c	2006-04-27 21:30:23 +0200
@@ -215,7 +215,7 @@ xfs_qm_scall_quotaoff(
 	xfs_qoff_logitem_t	*qoffstart;
 	int			nculprits;
 
-	if (!force && !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+	if (!force && !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 		return XFS_ERROR(EPERM);
 	/*
 	 * No file system can have quotas enabled on disk but not in core.
@@ -384,7 +384,7 @@ xfs_qm_scall_trunc_qfiles(
 	int		error;
 	xfs_inode_t	*qip;
 
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 		return XFS_ERROR(EPERM);
 	error = 0;
 	if (!XFS_SB_VERSION_HASQUOTA(&mp->m_sb) || flags == 0) {
@@ -429,7 +429,7 @@ xfs_qm_scall_quotaon(
 	uint		accflags;
 	__int64_t	sbflags;
 
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 		return XFS_ERROR(EPERM);
 
 	flags &= (XFS_ALL_QUOTA_ACCT | XFS_ALL_QUOTA_ENFD);
@@ -600,7 +600,7 @@ xfs_qm_scall_setqlim(
 	int			error;
 	xfs_qcnt_t		hard, soft;
 
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 		return XFS_ERROR(EPERM);
 
 	if ((newlim->d_fieldmask &
diff -NurpP --minimal linux-2.6.16.11-vs2.1.1-rc18.3/include/linux/vs_base.h linux-2.6.16.11-vs2.1.1-rc18.4/include/linux/vs_base.h
--- linux-2.6.16.11-vs2.1.1-rc18.3/include/linux/vs_base.h	2006-04-27 20:29:01 +0200
+++ linux-2.6.16.11-vs2.1.1-rc18.4/include/linux/vs_base.h	2006-04-27 21:24:37 +0200
@@ -117,6 +117,9 @@ static inline int __vx_check(xid_t cid, 
 
 #define vx_cap_raised(v,c,f)	(vx_info_mbcap(v,c) & CAP_TO_MASK(f))
 
+#define vx_capable(b,c) (capable(b) || \
+	(cap_raised(current->cap_effective,b) && vx_ccaps(c)))
+
 
 #define vx_current_initpid(n) \
 	(current->vx_info && \
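Review bot: The second arm of the new `vx_capable()` macro tests `current->cap_effective` directly, so a grant through that arm neither consults `security_ops->capable` nor sets `PF_SUPERPRIV`. The function removed from security/security.c in this same patch did both. If skipping the LSM hook is deliberate (presumably so that the context's capability mask does not veto the check), a comment above the macro should say so, for example `/* ccap c lifts the context mask on b; the task must still hold b */`. The macro also expands `b` twice and leaves its parameters unparenthesized, which is harmless for the constant arguments used in this patch but would be avoided by a static inline, if header ordering allows one. With `EXPORT_SYMBOL(vx_capable)` gone, every caller, including modular XFS, depends on this header being included, and those includes are not visible in the diff.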
diff -NurpP --minimal linux-2.6.16.11-vs2.1.1-rc18.3/kernel/sys.c linux-2.6.16.11-vs2.1.1-rc18.4/kernel/sys.c
--- linux-2.6.16.11-vs2.1.1-rc18.3/kernel/sys.c	2006-04-27 20:29:01 +0200
+++ linux-2.6.16.11-vs2.1.1-rc18.4/kernel/sys.c	2006-04-27 21:31:32 +0200
@@ -1548,7 +1548,7 @@ asmlinkage long sys_sethostname(char __u
 	int errno;
 	char tmp[__NEW_UTS_LEN];
 
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SET_UTSNAME))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME))
 		return -EPERM;
 	if (len < 0 || len > __NEW_UTS_LEN)
 		return -EINVAL;
@@ -1597,7 +1597,7 @@ asmlinkage long sys_setdomainname(char _
 	int errno;
 	char tmp[__NEW_UTS_LEN];
 
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SET_UTSNAME))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME))
 		return -EPERM;
 	if (len < 0 || len > __NEW_UTS_LEN)
 		return -EINVAL;
@@ -1665,7 +1665,7 @@ asmlinkage long sys_setrlimit(unsigned i
                return -EINVAL;
 	old_rlim = current->signal->rlim + resource;
 	if ((new_rlim.rlim_max > old_rlim->rlim_max) &&
-	    !capable(CAP_SYS_RESOURCE) && !vx_ccaps(VXC_SET_RLIMIT))
+	    !vx_capable(CAP_SYS_RESOURCE, VXC_SET_RLIMIT))
 		return -EPERM;
 	if (resource == RLIMIT_NOFILE && new_rlim.rlim_max > NR_OPEN)
 			return -EPERM;
diff -NurpP --minimal linux-2.6.16.11-vs2.1.1-rc18.3/security/commoncap.c linux-2.6.16.11-vs2.1.1-rc18.4/security/commoncap.c
--- linux-2.6.16.11-vs2.1.1-rc18.3/security/commoncap.c	2006-04-27 20:29:01 +0200
+++ linux-2.6.16.11-vs2.1.1-rc18.4/security/commoncap.c	2006-04-27 21:32:17 +0200
@@ -314,7 +314,7 @@ void cap_task_reparent_to_init (struct t
 int cap_syslog (int type)
 {
 	if ((type != 3 && type != 10) &&
-		!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SYSLOG))
+		!vx_capable(CAP_SYS_ADMIN, VXC_SYSLOG))
 		return -EPERM;
 	return 0;
 }
diff -NurpP --minimal linux-2.6.16.11-vs2.1.1-rc18.3/security/security.c linux-2.6.16.11-vs2.1.1-rc18.4/security/security.c
--- linux-2.6.16.11-vs2.1.1-rc18.3/security/security.c	2006-04-26 19:07:00 +0200
+++ linux-2.6.16.11-vs2.1.1-rc18.4/security/security.c	2006-04-27 21:33:12 +0200
@@ -198,24 +198,10 @@ int capable(int cap)
 	return 1;
 }
 
-int vx_capable(int cap, int ccap)
-{
-	if (security_ops->capable(current, cap)) {
-		/* capability denied */
-		return 0;
-	}
-	if (!vx_ccaps(ccap))
-		return 0;
-
-	/* capability granted */
-	current->flags |= PF_SUPERPRIV;
-	return 1;
-}
 
 EXPORT_SYMBOL_GPL(register_security);
 EXPORT_SYMBOL_GPL(unregister_security);
 EXPORT_SYMBOL_GPL(mod_reg_security);
 EXPORT_SYMBOL_GPL(mod_unreg_security);
 EXPORT_SYMBOL(capable);
-EXPORT_SYMBOL(vx_capable);
 EXPORT_SYMBOL(security_ops);