Root/
1 | /* |
2 | * This is <linux/capability.h> |
3 | * |
4 | * Andrew G. Morgan <morgan@kernel.org> |
5 | * Alexander Kjeldaas <astor@guardian.no> |
6 | * with help from Aleph1, Roland Buresund and Andrew Main. |
7 | * |
8 | * See here for the libcap library ("POSIX draft" compliance): |
9 | * |
10 | * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ |
11 | */ |
12 | |
13 | #ifndef _LINUX_CAPABILITY_H |
14 | #define _LINUX_CAPABILITY_H |
15 | |
16 | #include <linux/types.h> |
17 | |
18 | struct task_struct; |
19 | |
20 | /* User-level do most of the mapping between kernel and user |
21 | capabilities based on the version tag given by the kernel. The |
22 | kernel might be somewhat backwards compatible, but don't bet on |
23 | it. */ |
24 | |
25 | /* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to |
26 | a set of three capability sets. The transposition of 3*the |
27 | following structure to such a composite is better handled in a user |
28 | library since the draft standard requires the use of malloc/free |
29 | etc.. */ |
30 | |
31 | #define _LINUX_CAPABILITY_VERSION_1 0x19980330 |
32 | #define _LINUX_CAPABILITY_U32S_1 1 |
33 | |
34 | #define _LINUX_CAPABILITY_VERSION_2 0x20071026 /* deprecated - use v3 */ |
35 | #define _LINUX_CAPABILITY_U32S_2 2 |
36 | |
37 | #define _LINUX_CAPABILITY_VERSION_3 0x20080522 |
38 | #define _LINUX_CAPABILITY_U32S_3 2 |
39 | |
40 | typedef struct __user_cap_header_struct { |
41 | __u32 version; |
42 | int pid; |
43 | } __user *cap_user_header_t; |
44 | |
45 | typedef struct __user_cap_data_struct { |
46 | __u32 effective; |
47 | __u32 permitted; |
48 | __u32 inheritable; |
49 | } __user *cap_user_data_t; |
50 | |
51 | |
52 | #define XATTR_CAPS_SUFFIX "capability" |
53 | #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX |
54 | |
55 | #define VFS_CAP_REVISION_MASK 0xFF000000 |
56 | #define VFS_CAP_REVISION_SHIFT 24 |
57 | #define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK |
58 | #define VFS_CAP_FLAGS_EFFECTIVE 0x000001 |
59 | |
60 | #define VFS_CAP_REVISION_1 0x01000000 |
61 | #define VFS_CAP_U32_1 1 |
62 | #define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1)) |
63 | |
64 | #define VFS_CAP_REVISION_2 0x02000000 |
65 | #define VFS_CAP_U32_2 2 |
66 | #define XATTR_CAPS_SZ_2 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2)) |
67 | |
68 | #define XATTR_CAPS_SZ XATTR_CAPS_SZ_2 |
69 | #define VFS_CAP_U32 VFS_CAP_U32_2 |
70 | #define VFS_CAP_REVISION VFS_CAP_REVISION_2 |
71 | |
72 | struct vfs_cap_data { |
73 | __le32 magic_etc; /* Little endian */ |
74 | struct { |
75 | __le32 permitted; /* Little endian */ |
76 | __le32 inheritable; /* Little endian */ |
77 | } data[VFS_CAP_U32]; |
78 | }; |
79 | |
80 | #ifndef __KERNEL__ |
81 | |
82 | /* |
83 | * Backwardly compatible definition for source code - trapped in a |
84 | * 32-bit world. If you find you need this, please consider using |
85 | * libcap to untrap yourself... |
86 | */ |
87 | #define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1 |
88 | #define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1 |
89 | |
90 | #else |
91 | |
92 | #define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3 |
93 | #define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3 |
94 | |
95 | extern int file_caps_enabled; |
96 | |
97 | typedef struct kernel_cap_struct { |
98 | __u32 cap[_KERNEL_CAPABILITY_U32S]; |
99 | } kernel_cap_t; |
100 | |
101 | /* exact same as vfs_cap_data but in cpu endian and always filled completely */ |
102 | struct cpu_vfs_cap_data { |
103 | __u32 magic_etc; |
104 | kernel_cap_t permitted; |
105 | kernel_cap_t inheritable; |
106 | }; |
107 | |
108 | #define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct)) |
109 | #define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t)) |
110 | |
111 | #endif |
112 | |
113 | |
114 | /** |
115 | ** POSIX-draft defined capabilities. |
116 | **/ |
117 | |
118 | /* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this |
119 | overrides the restriction of changing file ownership and group |
120 | ownership. */ |
121 | |
122 | #define CAP_CHOWN 0 |
123 | |
124 | /* Override all DAC access, including ACL execute access if |
125 | [_POSIX_ACL] is defined. Excluding DAC access covered by |
126 | CAP_LINUX_IMMUTABLE. */ |
127 | |
128 | #define CAP_DAC_OVERRIDE 1 |
129 | |
130 | /* Overrides all DAC restrictions regarding read and search on files |
131 | and directories, including ACL restrictions if [_POSIX_ACL] is |
132 | defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */ |
133 | |
134 | #define CAP_DAC_READ_SEARCH 2 |
135 | |
136 | /* Overrides all restrictions about allowed operations on files, where |
137 | file owner ID must be equal to the user ID, except where CAP_FSETID |
138 | is applicable. It doesn't override MAC and DAC restrictions. */ |
139 | |
140 | #define CAP_FOWNER 3 |
141 | |
142 | /* Overrides the following restrictions that the effective user ID |
143 | shall match the file owner ID when setting the S_ISUID and S_ISGID |
144 | bits on that file; that the effective group ID (or one of the |
145 | supplementary group IDs) shall match the file owner ID when setting |
146 | the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are |
147 | cleared on successful return from chown(2) (not implemented). */ |
148 | |
149 | #define CAP_FSETID 4 |
150 | |
151 | /* Overrides the restriction that the real or effective user ID of a |
152 | process sending a signal must match the real or effective user ID |
153 | of the process receiving the signal. */ |
154 | |
155 | #define CAP_KILL 5 |
156 | |
157 | /* Allows setgid(2) manipulation */ |
158 | /* Allows setgroups(2) */ |
159 | /* Allows forged gids on socket credentials passing. */ |
160 | |
161 | #define CAP_SETGID 6 |
162 | |
163 | /* Allows set*uid(2) manipulation (including fsuid). */ |
164 | /* Allows forged pids on socket credentials passing. */ |
165 | |
166 | #define CAP_SETUID 7 |
167 | |
168 | |
169 | /** |
170 | ** Linux-specific capabilities |
171 | **/ |
172 | |
173 | /* Without VFS support for capabilities: |
174 | * Transfer any capability in your permitted set to any pid, |
175 | * remove any capability in your permitted set from any pid |
176 | * With VFS support for capabilities (neither of above, but) |
177 | * Add any capability from current's capability bounding set |
178 | * to the current process' inheritable set |
179 | * Allow taking bits out of capability bounding set |
180 | * Allow modification of the securebits for a process |
181 | */ |
182 | |
183 | #define CAP_SETPCAP 8 |
184 | |
185 | /* Allow modification of S_IMMUTABLE and S_APPEND file attributes */ |
186 | |
187 | #define CAP_LINUX_IMMUTABLE 9 |
188 | |
189 | /* Allows binding to TCP/UDP sockets below 1024 */ |
190 | /* Allows binding to ATM VCIs below 32 */ |
191 | |
192 | #define CAP_NET_BIND_SERVICE 10 |
193 | |
194 | /* Allow broadcasting, listen to multicast */ |
195 | |
196 | #define CAP_NET_BROADCAST 11 |
197 | |
198 | /* Allow interface configuration */ |
199 | /* Allow administration of IP firewall, masquerading and accounting */ |
200 | /* Allow setting debug option on sockets */ |
201 | /* Allow modification of routing tables */ |
202 | /* Allow setting arbitrary process / process group ownership on |
203 | sockets */ |
204 | /* Allow binding to any address for transparent proxying */ |
205 | /* Allow setting TOS (type of service) */ |
206 | /* Allow setting promiscuous mode */ |
207 | /* Allow clearing driver statistics */ |
208 | /* Allow multicasting */ |
209 | /* Allow read/write of device-specific registers */ |
210 | /* Allow activation of ATM control sockets */ |
211 | |
212 | #define CAP_NET_ADMIN 12 |
213 | |
214 | /* Allow use of RAW sockets */ |
215 | /* Allow use of PACKET sockets */ |
216 | |
217 | #define CAP_NET_RAW 13 |
218 | |
219 | /* Allow locking of shared memory segments */ |
220 | /* Allow mlock and mlockall (which doesn't really have anything to do |
221 | with IPC) */ |
222 | |
223 | #define CAP_IPC_LOCK 14 |
224 | |
225 | /* Override IPC ownership checks */ |
226 | |
227 | #define CAP_IPC_OWNER 15 |
228 | |
229 | /* Insert and remove kernel modules - modify kernel without limit */ |
230 | #define CAP_SYS_MODULE 16 |
231 | |
232 | /* Allow ioperm/iopl access */ |
233 | /* Allow sending USB messages to any device via /proc/bus/usb */ |
234 | |
235 | #define CAP_SYS_RAWIO 17 |
236 | |
237 | /* Allow use of chroot() */ |
238 | |
239 | #define CAP_SYS_CHROOT 18 |
240 | |
241 | /* Allow ptrace() of any process */ |
242 | |
243 | #define CAP_SYS_PTRACE 19 |
244 | |
245 | /* Allow configuration of process accounting */ |
246 | |
247 | #define CAP_SYS_PACCT 20 |
248 | |
249 | /* Allow configuration of the secure attention key */ |
250 | /* Allow administration of the random device */ |
251 | /* Allow examination and configuration of disk quotas */ |
252 | /* Allow configuring the kernel's syslog (printk behaviour) */ |
253 | /* Allow setting the domainname */ |
254 | /* Allow setting the hostname */ |
255 | /* Allow calling bdflush() */ |
256 | /* Allow mount() and umount(), setting up new smb connection */ |
257 | /* Allow some autofs root ioctls */ |
258 | /* Allow nfsservctl */ |
259 | /* Allow VM86_REQUEST_IRQ */ |
260 | /* Allow to read/write pci config on alpha */ |
261 | /* Allow irix_prctl on mips (setstacksize) */ |
262 | /* Allow flushing all cache on m68k (sys_cacheflush) */ |
263 | /* Allow removing semaphores */ |
264 | /* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores |
265 | and shared memory */ |
266 | /* Allow locking/unlocking of shared memory segment */ |
267 | /* Allow turning swap on/off */ |
268 | /* Allow forged pids on socket credentials passing */ |
269 | /* Allow setting readahead and flushing buffers on block devices */ |
270 | /* Allow setting geometry in floppy driver */ |
271 | /* Allow turning DMA on/off in xd driver */ |
272 | /* Allow administration of md devices (mostly the above, but some |
273 | extra ioctls) */ |
274 | /* Allow tuning the ide driver */ |
275 | /* Allow access to the nvram device */ |
276 | /* Allow administration of apm_bios, serial and bttv (TV) device */ |
277 | /* Allow manufacturer commands in isdn CAPI support driver */ |
278 | /* Allow reading non-standardized portions of pci configuration space */ |
279 | /* Allow DDI debug ioctl on sbpcd driver */ |
280 | /* Allow setting up serial ports */ |
281 | /* Allow sending raw qic-117 commands */ |
282 | /* Allow enabling/disabling tagged queuing on SCSI controllers and sending |
283 | arbitrary SCSI commands */ |
284 | /* Allow setting encryption key on loopback filesystem */ |
285 | /* Allow setting zone reclaim policy */ |
286 | |
287 | #define CAP_SYS_ADMIN 21 |
288 | |
289 | /* Allow use of reboot() */ |
290 | |
291 | #define CAP_SYS_BOOT 22 |
292 | |
293 | /* Allow raising priority and setting priority on other (different |
294 | UID) processes */ |
295 | /* Allow use of FIFO and round-robin (realtime) scheduling on own |
296 | processes and setting the scheduling algorithm used by another |
297 | process. */ |
298 | /* Allow setting cpu affinity on other processes */ |
299 | |
300 | #define CAP_SYS_NICE 23 |
301 | |
302 | /* Override resource limits. Set resource limits. */ |
303 | /* Override quota limits. */ |
304 | /* Override reserved space on ext2 filesystem */ |
305 | /* Modify data journaling mode on ext3 filesystem (uses journaling |
306 | resources) */ |
307 | /* NOTE: ext2 honors fsuid when checking for resource overrides, so |
308 | you can override using fsuid too */ |
309 | /* Override size restrictions on IPC message queues */ |
310 | /* Allow more than 64hz interrupts from the real-time clock */ |
311 | /* Override max number of consoles on console allocation */ |
312 | /* Override max number of keymaps */ |
313 | |
314 | #define CAP_SYS_RESOURCE 24 |
315 | |
316 | /* Allow manipulation of system clock */ |
317 | /* Allow irix_stime on mips */ |
318 | /* Allow setting the real-time clock */ |
319 | |
320 | #define CAP_SYS_TIME 25 |
321 | |
322 | /* Allow configuration of tty devices */ |
323 | /* Allow vhangup() of tty */ |
324 | |
325 | #define CAP_SYS_TTY_CONFIG 26 |
326 | |
327 | /* Allow the privileged aspects of mknod() */ |
328 | |
329 | #define CAP_MKNOD 27 |
330 | |
331 | /* Allow taking of leases on files */ |
332 | |
333 | #define CAP_LEASE 28 |
334 | |
335 | #define CAP_AUDIT_WRITE 29 |
336 | |
337 | #define CAP_AUDIT_CONTROL 30 |
338 | |
339 | #define CAP_SETFCAP 31 |
340 | |
341 | /* Override MAC access. |
342 | The base kernel enforces no MAC policy. |
343 | An LSM may enforce a MAC policy, and if it does and it chooses |
344 | to implement capability based overrides of that policy, this is |
345 | the capability it should use to do so. */ |
346 | |
347 | #define CAP_MAC_OVERRIDE 32 |
348 | |
349 | /* Allow MAC configuration or state changes. |
350 | The base kernel requires no MAC configuration. |
351 | An LSM may enforce a MAC policy, and if it does and it chooses |
352 | to implement capability based checks on modifications to that |
353 | policy or the data required to maintain it, this is the |
354 | capability it should use to do so. */ |
355 | |
356 | #define CAP_MAC_ADMIN 33 |
357 | |
358 | #define CAP_LAST_CAP CAP_MAC_ADMIN |
359 | |
360 | #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) |
361 | |
362 | /* |
363 | * Bit location of each capability (used by user-space library and kernel) |
364 | */ |
365 | |
366 | #define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */ |
367 | #define CAP_TO_MASK(x) (1 << ((x) & 31)) /* mask for indexed __u32 */ |
368 | |
369 | #ifdef __KERNEL__ |
370 | |
371 | /* |
372 | * Internal kernel functions only |
373 | */ |
374 | |
375 | #define CAP_FOR_EACH_U32(__capi) \ |
376 | for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi) |
377 | |
378 | /* |
379 | * CAP_FS_MASK and CAP_NFSD_MASKS: |
380 | * |
381 | * The fs mask is all the privileges that fsuid==0 historically meant. |
382 | * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE. |
383 | * |
384 | * It has never meant setting security.* and trusted.* xattrs. |
385 | * |
386 | * We could also define fsmask as follows: |
387 | * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions |
388 | * 2. The security.* and trusted.* xattrs are fs-related MAC permissions |
389 | */ |
390 | |
391 | # define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \ |
392 | | CAP_TO_MASK(CAP_MKNOD) \ |
393 | | CAP_TO_MASK(CAP_DAC_OVERRIDE) \ |
394 | | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \ |
395 | | CAP_TO_MASK(CAP_FOWNER) \ |
396 | | CAP_TO_MASK(CAP_FSETID)) |
397 | |
398 | # define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE)) |
399 | |
400 | #if _KERNEL_CAPABILITY_U32S != 2 |
401 | # error Fix up hand-coded capability macro initializers |
402 | #else /* HAND-CODED capability initializers */ |
403 | |
404 | # define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }}) |
405 | # define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }}) |
406 | # define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }}) |
407 | # define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ |
408 | | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \ |
409 | CAP_FS_MASK_B1 } }) |
410 | # define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ |
411 | | CAP_TO_MASK(CAP_SYS_RESOURCE), \ |
412 | CAP_FS_MASK_B1 } }) |
413 | |
414 | #endif /* _KERNEL_CAPABILITY_U32S != 2 */ |
415 | |
416 | #define CAP_INIT_INH_SET CAP_EMPTY_SET |
417 | |
418 | # define cap_clear(c) do { (c) = __cap_empty_set; } while (0) |
419 | # define cap_set_full(c) do { (c) = __cap_full_set; } while (0) |
420 | # define cap_set_init_eff(c) do { (c) = __cap_init_eff_set; } while (0) |
421 | |
422 | #define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag)) |
423 | #define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag)) |
424 | #define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag)) |
425 | |
426 | #define CAP_BOP_ALL(c, a, b, OP) \ |
427 | do { \ |
428 | unsigned __capi; \ |
429 | CAP_FOR_EACH_U32(__capi) { \ |
430 | c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \ |
431 | } \ |
432 | } while (0) |
433 | |
434 | #define CAP_UOP_ALL(c, a, OP) \ |
435 | do { \ |
436 | unsigned __capi; \ |
437 | CAP_FOR_EACH_U32(__capi) { \ |
438 | c.cap[__capi] = OP a.cap[__capi]; \ |
439 | } \ |
440 | } while (0) |
441 | |
442 | static inline kernel_cap_t cap_combine(const kernel_cap_t a, |
443 | const kernel_cap_t b) |
444 | { |
445 | kernel_cap_t dest; |
446 | CAP_BOP_ALL(dest, a, b, |); |
447 | return dest; |
448 | } |
449 | |
450 | static inline kernel_cap_t cap_intersect(const kernel_cap_t a, |
451 | const kernel_cap_t b) |
452 | { |
453 | kernel_cap_t dest; |
454 | CAP_BOP_ALL(dest, a, b, &); |
455 | return dest; |
456 | } |
457 | |
458 | static inline kernel_cap_t cap_drop(const kernel_cap_t a, |
459 | const kernel_cap_t drop) |
460 | { |
461 | kernel_cap_t dest; |
462 | CAP_BOP_ALL(dest, a, drop, &~); |
463 | return dest; |
464 | } |
465 | |
466 | static inline kernel_cap_t cap_invert(const kernel_cap_t c) |
467 | { |
468 | kernel_cap_t dest; |
469 | CAP_UOP_ALL(dest, c, ~); |
470 | return dest; |
471 | } |
472 | |
473 | static inline int cap_isclear(const kernel_cap_t a) |
474 | { |
475 | unsigned __capi; |
476 | CAP_FOR_EACH_U32(__capi) { |
477 | if (a.cap[__capi] != 0) |
478 | return 0; |
479 | } |
480 | return 1; |
481 | } |
482 | |
483 | /* |
484 | * Check if "a" is a subset of "set". |
485 | * return 1 if ALL of the capabilities in "a" are also in "set" |
486 | * cap_issubset(0101, 1111) will return 1 |
487 | * return 0 if ANY of the capabilities in "a" are not in "set" |
488 | * cap_issubset(1111, 0101) will return 0 |
489 | */ |
490 | static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set) |
491 | { |
492 | kernel_cap_t dest; |
493 | dest = cap_drop(a, set); |
494 | return cap_isclear(dest); |
495 | } |
496 | |
497 | /* Used to decide between falling back on the old suser() or fsuser(). */ |
498 | |
499 | static inline int cap_is_fs_cap(int cap) |
500 | { |
501 | const kernel_cap_t __cap_fs_set = CAP_FS_SET; |
502 | return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]); |
503 | } |
504 | |
505 | static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a) |
506 | { |
507 | const kernel_cap_t __cap_fs_set = CAP_FS_SET; |
508 | return cap_drop(a, __cap_fs_set); |
509 | } |
510 | |
511 | static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a, |
512 | const kernel_cap_t permitted) |
513 | { |
514 | const kernel_cap_t __cap_fs_set = CAP_FS_SET; |
515 | return cap_combine(a, |
516 | cap_intersect(permitted, __cap_fs_set)); |
517 | } |
518 | |
519 | static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a) |
520 | { |
521 | const kernel_cap_t __cap_fs_set = CAP_NFSD_SET; |
522 | return cap_drop(a, __cap_fs_set); |
523 | } |
524 | |
525 | static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a, |
526 | const kernel_cap_t permitted) |
527 | { |
528 | const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET; |
529 | return cap_combine(a, |
530 | cap_intersect(permitted, __cap_nfsd_set)); |
531 | } |
532 | |
533 | extern const kernel_cap_t __cap_empty_set; |
534 | extern const kernel_cap_t __cap_full_set; |
535 | extern const kernel_cap_t __cap_init_eff_set; |
536 | |
537 | /** |
538 | * has_capability - Determine if a task has a superior capability available |
539 | * @t: The task in question |
540 | * @cap: The capability to be tested for |
541 | * |
542 | * Return true if the specified task has the given superior capability |
543 | * currently in effect, false if not. |
544 | * |
545 | * Note that this does not set PF_SUPERPRIV on the task. |
546 | */ |
547 | #define has_capability(t, cap) (security_real_capable((t), (cap)) == 0) |
548 | |
549 | /** |
550 | * has_capability_noaudit - Determine if a task has a superior capability available (unaudited) |
551 | * @t: The task in question |
552 | * @cap: The capability to be tested for |
553 | * |
554 | * Return true if the specified task has the given superior capability |
555 | * currently in effect, false if not, but don't write an audit message for the |
556 | * check. |
557 | * |
558 | * Note that this does not set PF_SUPERPRIV on the task. |
559 | */ |
560 | #define has_capability_noaudit(t, cap) \ |
561 | (security_real_capable_noaudit((t), (cap)) == 0) |
562 | |
563 | extern int capable(int cap); |
564 | |
565 | /* audit system wants to get cap info from files as well */ |
566 | struct dentry; |
567 | extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps); |
568 | |
569 | #endif /* __KERNEL__ */ |
570 | |
571 | #endif /* !_LINUX_CAPABILITY_H */ |
572 |
Branches:
ben-wpan
ben-wpan-stefan
javiroman/ks7010
jz-2.6.34
jz-2.6.34-rc5
jz-2.6.34-rc6
jz-2.6.34-rc7
jz-2.6.35
jz-2.6.36
jz-2.6.37
jz-2.6.38
jz-2.6.39
jz-3.0
jz-3.1
jz-3.11
jz-3.12
jz-3.13
jz-3.15
jz-3.16
jz-3.18-dt
jz-3.2
jz-3.3
jz-3.4
jz-3.5
jz-3.6
jz-3.6-rc2-pwm
jz-3.9
jz-3.9-clk
jz-3.9-rc8
jz47xx
jz47xx-2.6.38
master
Tags:
od-2011-09-04
od-2011-09-18
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7
v3.9