[PATCH 2/4] Use of capable_light()

[PATCH 2/4] Use of capable_light()

capable() now behaves like (capable_light() && is_superadm). Since some
operations are allowed by subadmins too, it suffices to use
capable_light().


Signed-off-by: Jan Engelhardt <[email protected]>

diff --fast -Ndpru -X dontdiff linux-2.6.17-rc3~/arch/alpha/kernel/pci-noop.c linux-2.6.17-rc3+/arch/alpha/kernel/pci-noop.c
--- linux-2.6.17-rc3~/arch/alpha/kernel/pci-noop.c	2006-04-27 04:19:25.000000000 +0200
+++ linux-2.6.17-rc3+/arch/alpha/kernel/pci-noop.c	2006-04-30 22:05:33.263048000 +0200
@@ -89,7 +89,7 @@ asmlinkage long
 sys_pciconfig_read(unsigned long bus, unsigned long dfn,
 		   unsigned long off, unsigned long len, void *buf)
 {
-	if (!capable(CAP_SYS_ADMIN))
+	if (!capable_light(CAP_SYS_ADMIN))
 		return -EPERM;
 	else
 		return -ENODEV;
diff --fast -Ndpru -X dontdiff linux-2.6.17-rc3~/drivers/char/lp.c linux-2.6.17-rc3+/drivers/char/lp.c
--- linux-2.6.17-rc3~/drivers/char/lp.c	2006-04-27 04:19:25.000000000 +0200
+++ linux-2.6.17-rc3+/drivers/char/lp.c	2006-04-30 22:28:53.433048000 +0200
@@ -633,7 +633,7 @@ static int lp_ioctl(struct inode *inode,
 			if (copy_to_user(argp, &LP_STAT(minor),
 					sizeof(struct lp_stats)))
 				return -EFAULT;
-			if (capable(CAP_SYS_ADMIN))
+			if (capable_light(CAP_SYS_ADMIN))
 				memset(&LP_STAT(minor), 0,
 						sizeof(struct lp_stats));
 			break;
diff --fast -Ndpru -X dontdiff linux-2.6.17-rc3~/drivers/firmware/efivars.c linux-2.6.17-rc3+/drivers/firmware/efivars.c
--- linux-2.6.17-rc3~/drivers/firmware/efivars.c	2006-04-27 04:19:25.000000000 +0200
+++ linux-2.6.17-rc3+/drivers/firmware/efivars.c	2006-04-30 22:29:38.913048000 +0200
@@ -354,7 +354,7 @@ static ssize_t efivar_attr_show(struct k
 	struct efivar_attribute *efivar_attr = to_efivar_attr(attr);
 	ssize_t ret = -EIO;
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!capable_light(CAP_SYS_ADMIN))
 		return -EACCES;
 
 	if (efivar_attr->show) {
diff --fast -Ndpru -X dontdiff linux-2.6.17-rc3~/drivers/pci/pci-sysfs.c linux-2.6.17-rc3+/drivers/pci/pci-sysfs.c
--- linux-2.6.17-rc3~/drivers/pci/pci-sysfs.c	2006-04-27 04:19:25.000000000 +0200
+++ linux-2.6.17-rc3+/drivers/pci/pci-sysfs.c	2006-04-30 22:31:33.873048000 +0200
@@ -113,7 +113,7 @@ pci_read_config(struct kobject *kobj, ch
 	u8 *data = (u8*) buf;
 
 	/* Several chips lock up trying to read undefined config space */
-	if (capable(CAP_SYS_ADMIN)) {
+	if (capable_light(CAP_SYS_ADMIN)) {
 		size = dev->cfg_size;
 	} else if (dev->hdr_type == PCI_HEADER_TYPE_CARDBUS) {
 		size = 128;
diff --fast -Ndpru -X dontdiff linux-2.6.17-rc3~/drivers/pci/proc.c linux-2.6.17-rc3+/drivers/pci/proc.c
--- linux-2.6.17-rc3~/drivers/pci/proc.c	2006-04-27 04:19:25.000000000 +0200
+++ linux-2.6.17-rc3+/drivers/pci/proc.c	2006-04-30 22:31:42.213048000 +0200
@@ -60,7 +60,7 @@ proc_bus_pci_read(struct file *file, cha
 	 * undefined locations (think of Intel PIIX4 as a typical example).
 	 */
 
-	if (capable(CAP_SYS_ADMIN))
+	if (capable_light(CAP_SYS_ADMIN))
 		size = dev->cfg_size;
 	else if (dev->hdr_type == PCI_HEADER_TYPE_CARDBUS)
 		size = 128;
diff --fast -Ndpru -X dontdiff linux-2.6.17-rc3~/drivers/pci/syscall.c linux-2.6.17-rc3+/drivers/pci/syscall.c
--- linux-2.6.17-rc3~/drivers/pci/syscall.c	2006-04-27 04:19:25.000000000 +0200
+++ linux-2.6.17-rc3+/drivers/pci/syscall.c	2006-04-30 22:31:51.863048000 +0200
@@ -27,7 +27,7 @@ sys_pciconfig_read(unsigned long bus, un
 	long err, cfg_ret;
 
 	err = -EPERM;
-	if (!capable(CAP_SYS_ADMIN))
+	if (!capable_light(CAP_SYS_ADMIN))
 		goto error;
 
 	err = -ENODEV;
diff --fast -Ndpru -X dontdiff linux-2.6.17-rc3~/fs/quota.c linux-2.6.17-rc3+/fs/quota.c
--- linux-2.6.17-rc3~/fs/quota.c	2006-04-27 04:19:25.000000000 +0200
+++ linux-2.6.17-rc3+/fs/quota.c	2006-04-30 22:40:03.483048000 +0200
@@ -81,11 +81,11 @@ static int generic_quotactl_valid(struct
 	if (cmd == Q_GETQUOTA) {
 		if (((type == USRQUOTA && current->euid != id) ||
 		     (type == GRPQUOTA && !in_egroup_p(id))) &&
-		    !capable(CAP_SYS_ADMIN))
+		    !capable_light(CAP_SYS_ADMIN))
 			return -EPERM;
 	}
 	else if (cmd != Q_GETFMT && cmd != Q_SYNC && cmd != Q_GETINFO)
-		if (!capable(CAP_SYS_ADMIN))
+		if (!capable_light(CAP_SYS_ADMIN))
 			return -EPERM;
 
 	return 0;
@@ -132,10 +132,10 @@ static int xqm_quotactl_valid(struct sup
 	if (cmd == Q_XGETQUOTA) {
 		if (((type == XQM_USRQUOTA && current->euid != id) ||
 		     (type == XQM_GRPQUOTA && !in_egroup_p(id))) &&
-		     !capable(CAP_SYS_ADMIN))
+		     !capable_light(CAP_SYS_ADMIN))
 			return -EPERM;
 	} else if (cmd != Q_XGETQSTAT && cmd != Q_XQUOTASYNC) {
-		if (!capable(CAP_SYS_ADMIN))
+		if (!capable_light(CAP_SYS_ADMIN))
 			return -EPERM;
 	}
 
diff --fast -Ndpru -X dontdiff linux-2.6.17-rc3~/ipc/msg.c linux-2.6.17-rc3+/ipc/msg.c
--- linux-2.6.17-rc3~/ipc/msg.c	2006-04-27 04:19:25.000000000 +0200
+++ linux-2.6.17-rc3+/ipc/msg.c	2006-04-30 22:52:53.383048000 +0200
@@ -449,7 +449,7 @@ asmlinkage long sys_msgctl (int msqid, i
 	ipcp = &msq->q_perm;
 	err = -EPERM;
 	if (current->euid != ipcp->cuid && 
-	    current->euid != ipcp->uid && !capable(CAP_SYS_ADMIN))
+	    current->euid != ipcp->uid && !capable_light(CAP_SYS_ADMIN))
 	    /* We _could_ check for CAP_CHOWN above, but we don't */
 		goto out_unlock_up;
 
diff --fast -Ndpru -X dontdiff linux-2.6.17-rc3~/ipc/sem.c linux-2.6.17-rc3+/ipc/sem.c
--- linux-2.6.17-rc3~/ipc/sem.c	2006-04-27 04:19:25.000000000 +0200
+++ linux-2.6.17-rc3+/ipc/sem.c	2006-04-30 22:54:15.703048000 +0200
@@ -821,7 +821,7 @@ static int semctl_down(int semid, int se
 	}	
 	ipcp = &sma->sem_perm;
 	if (current->euid != ipcp->cuid && 
-	    current->euid != ipcp->uid && !capable(CAP_SYS_ADMIN)) {
+	    current->euid != ipcp->uid && !capable_light(CAP_SYS_ADMIN)) {
 	    	err=-EPERM;
 		goto out_unlock;
 	}
diff --fast -Ndpru -X dontdiff linux-2.6.17-rc3~/ipc/shm.c linux-2.6.17-rc3+/ipc/shm.c
--- linux-2.6.17-rc3~/ipc/shm.c	2006-04-27 04:19:25.000000000 +0200
+++ linux-2.6.17-rc3+/ipc/shm.c	2006-04-30 22:55:10.413048000 +0200
@@ -596,7 +596,7 @@ asmlinkage long sys_shmctl (int shmid, i
 
 		if (current->euid != shp->shm_perm.uid &&
 		    current->euid != shp->shm_perm.cuid && 
-		    !capable(CAP_SYS_ADMIN)) {
+		    !capable_light(CAP_SYS_ADMIN)) {
 			err=-EPERM;
 			goto out_unlock_up;
 		}
@@ -636,7 +636,7 @@ asmlinkage long sys_shmctl (int shmid, i
 		err=-EPERM;
 		if (current->euid != shp->shm_perm.uid &&
 		    current->euid != shp->shm_perm.cuid && 
-		    !capable(CAP_SYS_ADMIN)) {
+		    !capable_light(CAP_SYS_ADMIN)) {
 			goto out_unlock_up;
 		}
 
#<<eof>>


Jan Engelhardt
-- 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• References:
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Christoph Hellwig <[email protected]>
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Stephen Smalley <[email protected]>
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Christoph Hellwig <[email protected]>
  • Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
    • From: James Morris <[email protected]>
  • Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
    • From: Greg KH <[email protected]>
  • Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
    • From: Jan Engelhardt <[email protected]>
  • Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
    • From: Arjan van de Ven <[email protected]>
  • Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
    • From: Jan Engelhardt <[email protected]>
  • Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
    • From: Greg KH <[email protected]>
  • Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
    • From: Jan Engelhardt <[email protected]>
  • Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
    • From: Greg KH <[email protected]>
  • [PATCH 0/4] MultiAdmin LSM
    • From: Jan Engelhardt <[email protected]>

• Prev by Date: [PATCH 1/4] security_cap_extra() and more
• Next by Date: [PATCH 3/4] task_post_setgid()
• Previous by thread: [PATCH 1/4] security_cap_extra() and more
• Next by thread: [PATCH 3/4] task_post_setgid()
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]