capabilites: introduce new has_ns_capabilities_noaudit
For consistency in interfaces, introduce a new interface called
has_ns_capabilities_noaudit. It checks if the given task has the given
capability in the given namespace. Use this new function by
has_capabilities_noaudit.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
diff --git a/kernel/capability.c b/kernel/capability.c
index fb815d1..d8398e9 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -325,7 +325,33 @@
}
/**
- * has_capability_noaudit - Does a task have a capability (unaudited)
+ * has_ns_capability_noaudit - Does a task have a capability (unaudited)
+ * in a specific user ns.
+ * @t: The task in question
+ * @ns: target user namespace
+ * @cap: The capability to be tested for
+ *
+ * Return true if the specified task has the given superior capability
+ * currently in effect to the specified user namespace, false if not.
+ * Do not write an audit message for the check.
+ *
+ * Note that this does not set PF_SUPERPRIV on the task.
+ */
+bool has_ns_capability_noaudit(struct task_struct *t,
+ struct user_namespace *ns, int cap)
+{
+ int ret;
+
+ rcu_read_lock();
+ ret = security_capable_noaudit(__task_cred(t), ns, cap);
+ rcu_read_unlock();
+
+ return (ret == 0);
+}
+
+/**
+ * has_capability_noaudit - Does a task have a capability (unaudited) in the
+ * initial user ns
* @t: The task in question
* @cap: The capability to be tested for
*
@@ -337,13 +363,7 @@
*/
bool has_capability_noaudit(struct task_struct *t, int cap)
{
- int ret;
-
- rcu_read_lock();
- ret = security_capable_noaudit(__task_cred(t), &init_user_ns, cap);
- rcu_read_unlock();
-
- return (ret == 0);
+ return has_ns_capability_noaudit(t, &init_user_ns, cap);
}
/**