--- linux-2.6.11.11/include/linux/sched.h	2005-03-02 12:38:53 +0100
+++ linux-2.6.11.11-vs2.0-rc3/include/linux/sched.h	2005-06-01 14:34:17 +0200
@@ -922,15 +940,28 @@ static inline int sas_ss_flags(unsigned 
 #ifdef CONFIG_SECURITY
 /* code is in security.c */
 extern int capable(int cap);
+extern int vx_capable(int cap, int ccap);
 #else
 static inline int capable(int cap)
 {
+	if (vx_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap))
+		return 0;
 	if (cap_raised(current->cap_effective, cap)) {
 		current->flags |= PF_SUPERPRIV;
 		return 1;
 	}
 	return 0;
 }
+
+static inline int vx_capable(int cap, int ccap)
+{
+	if (cap_raised(current->cap_effective, cap) &&
+		vx_ccaps(ccap)) {
+		current->flags |= PF_SUPERPRIV;
+		return 1;
+	}
+	return 0;
+}
 #endif
 
 /*
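Review bot: The new inline `vx_capable()` does not apply the `VXC_CAP_MASK`/`vx_mcaps()` gate that this same hunk adds at the top of the inline `capable()`, so a capability the context has masked out of `capable()` can still be granted through `vx_capable()` whenever `vx_ccaps(ccap)` holds; the security/security.c definition in the last hunk has the same asymmetry. If that is not intended, the same two lines belong at the top of `vx_capable()`: `if (vx_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap)) return 0;`. Either way the function needs a comment stating its contract, e.g. `/* like capable(), but additionally requires the context capability ccap */` — assuming `vx_ccaps()` tests a per-context capability set, which this patch does not show.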
--- linux-2.6.11.11/kernel/sched.c	2005-03-02 12:39:08 +0100
+++ linux-2.6.11.11-vs2.0-rc3/kernel/sched.c	2005-06-01 14:34:17 +0200
@@ -3293,6 +3437,8 @@ asmlinkage long sys_nice(int increment)
 	 * and we have a single winner.
 	 */
 	if (increment < 0) {
+		if (vx_flags(VXF_IGNEG_NICE, 0))
+			return 0;
 		if (!capable(CAP_SYS_NICE))
 			return -EPERM;
 		if (increment < -40)
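Review bot: The `VXF_IGNEG_NICE` test is placed before the `capable(CAP_SYS_NICE)` test, so when the flag is set a negative increment is silently dropped even for a caller that does hold CAP_SYS_NICE; in the set_one_prio hunk of kernel/sys.c the same flag is consulted only after `capable()` has failed. If the intent is only to turn EPERM into a silent no-op, the two sites should agree, e.g. `if (!capable(CAP_SYS_NICE)) return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;`. Returning 0 here also skips the `increment < -40` clamp and the rest of sys_nice(), which continues outside the hunk, so the caller sees success with its nice value unchanged — worth a one-line comment at the return.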
--- linux-2.6.11.11/kernel/sys.c	2005-03-02 12:39:08 +0100
+++ linux-2.6.11.11-vs2.0-rc3/kernel/sys.c	2005-06-01 14:34:17 +0200
@@ -226,7 +228,10 @@ static int set_one_prio(struct task_stru
 		goto out;
 	}
 	if (niceval < task_nice(p) && !capable(CAP_SYS_NICE)) {
-		error = -EACCES;
+		if (vx_flags(VXF_IGNEG_NICE, 0))
+			error = 0;
+		else
+			error = -EACCES;
 		goto out;
 	}
 	no_nice = security_task_setnice(p, niceval);
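Review bot: The `error = 0` branch reports success to the caller while leaving the target's priority untouched, and nothing at the site says so; a comment such as `/* VXF_IGNEG_NICE: silently ignore the disallowed nice decrease */` above `if (vx_flags(VXF_IGNEG_NICE, 0))` would save the next reader a trip into `vx_flags()`. set_one_prio() begins and ends outside the hunk, so the effect of `goto out` with `error == 0` is assumed from the label name.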
--- linux-2.6.11.11/kernel/sys.c	2005-03-02 12:39:08 +0100
+++ linux-2.6.11.11-vs2.0-rc3/kernel/sys.c	2005-06-01 14:34:17 +0200
@@ -1489,7 +1509,7 @@ asmlinkage long sys_setrlimit(unsigned i
                return -EINVAL;
 	old_rlim = current->signal->rlim + resource;
 	if ((new_rlim.rlim_max > old_rlim->rlim_max) &&
-	    !capable(CAP_SYS_RESOURCE))
+	    !capable(CAP_SYS_RESOURCE) && !vx_ccaps(VXC_SET_RLIMIT))
 		return -EPERM;
 	if (resource == RLIMIT_NOFILE && new_rlim.rlim_max > NR_OPEN)
 			return -EPERM;
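Review bot: With `!capable(CAP_SYS_RESOURCE) && !vx_ccaps(VXC_SET_RLIMIT)`, the context capability alone is enough to raise a hard limit, and that path skips what `capable()` does on its grant path in security/security.c (later hunks): the `security_ops->capable()` hook and setting `PF_SUPERPRIV`. The `cap_syslog()` change in security/commoncap.c uses the same pattern with `VXC_SYSLOG` and has the same property. If bypassing the LSM hook is intended, a comment at the condition, e.g. `/* VXC_SET_RLIMIT grants this without CAP_SYS_RESOURCE; the LSM capable hook is not consulted */`, makes it explicit; otherwise the context grant should go through a helper that still calls the hook. sys_setrlimit() continues outside the hunk.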
--- linux-2.6.11.11/security/commoncap.c	2005-03-02 12:39:12 +0100
+++ linux-2.6.11.11-vs2.0-rc3/security/commoncap.c	2005-06-01 14:34:17 +0200
@@ -142,7 +142,7 @@ void cap_bprm_apply_creds (struct linux_
 	/* Derived from fs/exec.c:compute_creds. */
 	kernel_cap_t new_permitted, working;
 
-	new_permitted = cap_intersect (bprm->cap_permitted, cap_bset);
+	new_permitted = cap_intersect (bprm->cap_permitted, vx_current_bcaps());
 	working = cap_intersect (bprm->cap_inheritable,
 				 current->cap_inheritable);
 	new_permitted = cap_combine (new_permitted, working);
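Review bot: Replacing `cap_bset` with `vx_current_bcaps()` in the first `cap_intersect()` of `cap_bprm_apply_creds()` removes the system-wide bounding set from the exec path unless `vx_current_bcaps()` already returns a set clamped by `cap_bset`, which this patch does not show. If that clamp lives inside `vx_current_bcaps()`, a comment here should say so; if not, `new_permitted = cap_intersect (cap_intersect (bprm->cap_permitted, cap_bset), vx_current_bcaps());` keeps both limits in force. The function continues outside the hunk.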
--- linux-2.6.11.11/security/commoncap.c	2005-03-02 12:39:12 +0100
+++ linux-2.6.11.11-vs2.0-rc3/security/commoncap.c	2005-06-01 14:34:17 +0200
@@ -311,7 +311,8 @@ void cap_task_reparent_to_init (struct t
 
 int cap_syslog (int type)
 {
-	if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
+	if ((type != 3 && type != 10) &&
+		!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SYSLOG))
 		return -EPERM;
 	return 0;
 }
--- linux-2.6.11.11/security/security.c	2005-03-02 12:39:12 +0100
+++ linux-2.6.11.11-vs2.0-rc3/security/security.c	2005-06-01 14:34:17 +0200
@@ -185,6 +185,8 @@ int mod_unreg_security(const char *name,
  */
 int capable(int cap)
 {
+	if (vx_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap))
+		return 0;
 	if (security_ops->capable(current, cap)) {
 		/* capability denied */
 		return 0;
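Review bot: The new context-mask test runs before `security_ops->capable()`, so a capability the context has masked is denied without the LSM ever seeing the request; an LSM that audits or accounts for denied capability checks would miss these. Placing the two lines after the hook call, or documenting the ordering with `/* the context cap mask is checked first; the LSM hook does not see masked requests */`, would make the choice explicit. Separately, `1L << cap` builds a signed `long` from an unchecked `int`; `1UL << cap` avoids the signed-shift corner at bit 31, and the same expression appears in the include/linux/sched.h hunk. `capable()` continues beyond the hunk.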
--- linux-2.6.11.11/security/security.c	2005-03-02 12:39:12 +0100
+++ linux-2.6.11.11-vs2.0-rc3/security/security.c	2005-06-01 14:34:17 +0200
@@ -195,9 +197,24 @@ int capable(int cap)
 	return 1;
 }
 
+int vx_capable(int cap, int ccap)
+{
+	if (security_ops->capable(current, cap)) {
+		/* capability denied */
+		return 0;
+	}
+	if (!vx_ccaps(ccap))
+		return 0;
+
+	/* capability granted */
+	current->flags |= PF_SUPERPRIV;
+	return 1;
+}
+
 EXPORT_SYMBOL_GPL(register_security);
 EXPORT_SYMBOL_GPL(unregister_security);
 EXPORT_SYMBOL_GPL(mod_reg_security);
 EXPORT_SYMBOL_GPL(mod_unreg_security);
 EXPORT_SYMBOL(capable);
+EXPORT_SYMBOL(vx_capable);
 EXPORT_SYMBOL(security_ops);
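Review bot: `vx_capable()` is exported with `EXPORT_SYMBOL` but, unlike the `capable()` above it whose comment block closes at the start of the previous hunk, carries no comment describing its contract. A header comment stating that it grants only when the LSM `capable` hook passes for `cap` and `vx_ccaps(ccap)` also holds, that it sets `PF_SUPERPRIV` on success, and that unlike `capable()` it does not apply the `VXC_CAP_MASK` test would let users of the exported API choose between the two. The inline `!CONFIG_SECURITY` variant in include/linux/sched.h should carry the same comment.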