--- zzzz-none-000/linux-2.6.19.2/security/commoncap.c 2007-01-10 19:10:37.000000000 +0000
+++ davinci-8020-5504/linux-2.6.19.2/security/commoncap.c 2007-01-19 14:42:56.000000000 +0000
@@ -23,10 +23,11 @@
 #include
 #include
 #include
+#include

 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
 {
- NETLINK_CB(skb).eff_cap = current->cap_effective;
+ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink();
 return 0;
 }

@@ -44,7 +45,15 @@
 int cap_capable (struct task_struct *tsk, int cap)
 {
 /* Derived from include/linux/sched.h:capable. */
- if (cap_raised(tsk->cap_effective, cap))
+ if (cap_raised (tsk->cap_effective, cap) && gr_task_is_capable(tsk, cap))
+ return 0;
+ return -EPERM;
+}
+
+int cap_capable_nolog (struct task_struct *tsk, int cap)
+{
+ /* Derived from include/linux/sched.h:capable. */
+ if (cap_raised (tsk->cap_effective, cap))
 return 0;
 return -EPERM;
 }
@@ -163,8 +172,11 @@
 }
 }

- current->suid = current->euid = current->fsuid = bprm->e_uid;
- current->sgid = current->egid = current->fsgid = bprm->e_gid;
+ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
+ current->suid = current->euid = current->fsuid = bprm->e_uid;
+
+ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
+ current->sgid = current->egid = current->fsgid = bprm->e_gid;

 /* For init, we want to retain the capabilities set
 * in the init_task struct. Thus we skip the usual
@@ -175,6 +187,8 @@
 cap_intersect (new_permitted, bprm->cap_effective);
 }

+ gr_handle_chroot_caps(current);
+
 /* AUD: Audit candidate if current->cap_effective is set */

 current->keep_capabilities = 0;
@@ -320,12 +334,13 @@
 {
 int cap_sys_admin = 0;

- if (cap_capable(current, CAP_SYS_ADMIN) == 0)
+ if (cap_capable_nolog(current, CAP_SYS_ADMIN) == 0)
 cap_sys_admin = 1;
 return __vm_enough_memory(pages, cap_sys_admin);
 }

 EXPORT_SYMBOL(cap_capable);
+EXPORT_SYMBOL(cap_capable_nolog);
 EXPORT_SYMBOL(cap_settime);
 EXPORT_SYMBOL(cap_ptrace);
 EXPORT_SYMBOL(cap_capget);
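Review bot: In cap_netlink_send (hunk `@@ -23,10 +23,11 @@`) the capability set stamped onto the outgoing message now comes from `gr_cap_rtnetlink()`, whose contract is not visible here, and nothing documents that it must never return more than `current->cap_effective`. Receivers presumably authorise privileged netlink requests from `NETLINK_CB(skb).eff_cap`, so a helper that returned a wider set would grant privilege instead of restricting it. The helper's name says rtnetlink, while this hook appears to run for every netlink family. I would add a comment above the assignment such as `/* gr_cap_rtnetlink() must return a subset of current->cap_effective; applies to all netlink families, not only rtnetlink */`.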
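Review bot: `cap_capable_nolog` (hunk `@@ -44,7 +45,15 @@`) skips the `gr_task_is_capable()` decision altogether, not just its logging, so the name understates what it does: a caller gets the plain `cap_raised()` answer even when the grsecurity policy would deny the capability. The last hunk (`@@ -320,12 +334,13 @@`) uses it for the CAP_SYS_ADMIN test in the memory-overcommit path and adds `EXPORT_SYMBOL(cap_capable_nolog);`, which makes the policy-free variant callable from any module. I would state the contract on the new function, e.g. `/* Raw capability test: bypasses the gr_task_is_capable() policy check, not only its audit log; use only for advisory decisions. */`, in place of the copied "Derived from" comment. I would also drop the export unless a caller outside this file needs it.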
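Review bot: When `gr_check_user_change()` or `gr_check_group_change()` refuses the change (hunk `@@ -163,8 +172,11 @@`), the exec continues with the old ids and no error, while the capability sets assigned further down (the `cap_intersect (new_permitted, bprm->cap_effective)` context of the next hunk) are still taken from `bprm`. If those sets were computed for `bprm->e_uid`, a refused set-id exec could keep the old uid yet still receive the new capabilities; that depends on code outside the hunk, so please confirm. A conservative fix is to clamp in the refusal path, e.g. `new_permitted = cap_intersect(new_permitted, current->cap_permitted);`, and to add a comment that a refusal deliberately leaves the ids untouched. The enclosing function starts and ends outside this hunk.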
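Review bot: The placement of `gr_handle_chroot_caps(current)` (hunk `@@ -175,6 +187,8 @@`) is order-sensitive but undocumented. It sits right after the block ending in `cap_intersect (new_permitted, bprm->cap_effective);`, which appears to install the new capability sets, so a later reordering that moved the call above that block would let the assignment overwrite whatever the helper restricts. The comment in the previous hunk says init skips that block, yet this call runs for init as well; presumably harmless, but worth confirming. I would add a line before the call such as `/* must stay after the capability assignment above, or its restrictions are overwritten */`. The function body continues outside the hunk.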