[linux-2.6-block.git] / security / commoncap.c

/* Common capabilities, needed by capability.o and root_plug.o
 *
 *	This program is free software; you can redistribute it and/or modify
 *	it under the terms of the GNU General Public License as published by
 *	the Free Software Foundation; either version 2 of the License, or
 *	(at your option) any later version.
 *
 */

#include <linux/capability.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/security.h>
#include <linux/file.h>
#include <linux/mm.h>
#include <linux/mman.h>
#include <linux/pagemap.h>
#include <linux/swap.h>
#include <linux/skbuff.h>
#include <linux/netlink.h>
#include <linux/ptrace.h>
#include <linux/xattr.h>
#include <linux/hugetlb.h>
#include <linux/mount.h>
#include <linux/sched.h>
#include <linux/prctl.h>
#include <linux/securebits.h>

int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
{
	NETLINK_CB(skb).eff_cap = current->cap_effective;
	return 0;
}

int cap_netlink_recv(struct sk_buff *skb, int cap)
{
	if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
		return -EPERM;
	return 0;
}

EXPORT_SYMBOL(cap_netlink_recv);

/*
 * NOTE WELL: cap_capable() cannot be used like the kernel's capable()
 * function.  That is, it has the reverse semantics: cap_capable()
 * returns 0 when a task has a capability, but the kernel's capable()
 * returns 1 for this case.
 */
int cap_capable (struct task_struct *tsk, int cap)
{
	/* Derived from include/linux/sched.h:capable. */
	if (cap_raised(tsk->cap_effective, cap))
		return 0;
	return -EPERM;
}

int cap_settime(struct timespec *ts, struct timezone *tz)
{
	if (!capable(CAP_SYS_TIME))
		return -EPERM;
	return 0;
}

int cap_ptrace_may_access(struct task_struct *child, unsigned int mode)
{
	/* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
	if (cap_issubset(child->cap_permitted, current->cap_permitted))
		return 0;
	if (capable(CAP_SYS_PTRACE))
		return 0;
	return -EPERM;
}

int cap_ptrace_traceme(struct task_struct *parent)
{
	/* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
	if (cap_issubset(current->cap_permitted, parent->cap_permitted))
		return 0;
	if (has_capability(parent, CAP_SYS_PTRACE))
		return 0;
	return -EPERM;
}

int cap_capget (struct task_struct *target, kernel_cap_t *effective,
		kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
	/* Derived from kernel/capability.c:sys_capget. */
	*effective = target->cap_effective;
	*inheritable = target->cap_inheritable;
	*permitted = target->cap_permitted;
	return 0;
}

#ifdef CONFIG_SECURITY_FILE_CAPABILITIES

static inline int cap_block_setpcap(struct task_struct *target)
{
	/*
	 * No support for remote process capability manipulation with
	 * filesystem capability support.
	 */
	return (target != current);
}

static inline int cap_inh_is_capped(void)
{
	/*
	 * Return 1 if changes to the inheritable set are limited
	 * to the old permitted set. That is, if the current task
	 * does *not* possess the CAP_SETPCAP capability.
	 */
	return (cap_capable(current, CAP_SETPCAP) != 0);
}

static inline int cap_limit_ptraced_target(void) { return 1; }

#else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */

static inline int cap_block_setpcap(struct task_struct *t) { return 0; }
static inline int cap_inh_is_capped(void) { return 1; }
static inline int cap_limit_ptraced_target(void)
{
	return !capable(CAP_SETPCAP);
}

#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */

int cap_capset_check (struct task_struct *target, kernel_cap_t *effective,
		      kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
	if (cap_block_setpcap(target)) {
		return -EPERM;
	}
	if (cap_inh_is_capped()
	    && !cap_issubset(*inheritable,
			     cap_combine(target->cap_inheritable,
					 current->cap_permitted))) {
		/* incapable of using this inheritable set */
		return -EPERM;
	}
	if (!cap_issubset(*inheritable,
			   cap_combine(target->cap_inheritable,
				       current->cap_bset))) {
		/* no new pI capabilities outside bounding set */
		return -EPERM;
	}

	/* verify restrictions on target's new Permitted set */
	if (!cap_issubset (*permitted,
			   cap_combine (target->cap_permitted,
					current->cap_permitted))) {
		return -EPERM;
	}

	/* verify the _new_Effective_ is a subset of the _new_Permitted_ */
	if (!cap_issubset (*effective, *permitted)) {
		return -EPERM;
	}

	return 0;
}

void cap_capset_set (struct task_struct *target, kernel_cap_t *effective,
		     kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
	target->cap_effective = *effective;
	target->cap_inheritable = *inheritable;
	target->cap_permitted = *permitted;
}

static inline void bprm_clear_caps(struct linux_binprm *bprm)
{
	cap_clear(bprm->cap_post_exec_permitted);
	bprm->cap_effective = false;
}

#ifdef CONFIG_SECURITY_FILE_CAPABILITIES

int cap_inode_need_killpriv(struct dentry *dentry)
{
	struct inode *inode = dentry->d_inode;
	int error;

	if (!inode->i_op || !inode->i_op->getxattr)
	       return 0;

	error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0);
	if (error <= 0)
		return 0;
	return 1;
}

int cap_inode_killpriv(struct dentry *dentry)
{
	struct inode *inode = dentry->d_inode;

	if (!inode->i_op || !inode->i_op->removexattr)
	       return 0;

	return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
}

static inline int cap_from_disk(struct vfs_cap_data *caps,
				struct linux_binprm *bprm, unsigned size)
{
	__u32 magic_etc;
	unsigned tocopy, i;
	int ret;

	if (size < sizeof(magic_etc))
		return -EINVAL;

	magic_etc = le32_to_cpu(caps->magic_etc);

	switch ((magic_etc & VFS_CAP_REVISION_MASK)) {
	case VFS_CAP_REVISION_1:
		if (size != XATTR_CAPS_SZ_1)
			return -EINVAL;
		tocopy = VFS_CAP_U32_1;
		break;
	case VFS_CAP_REVISION_2:
		if (size != XATTR_CAPS_SZ_2)
			return -EINVAL;
		tocopy = VFS_CAP_U32_2;
		break;
	default:
		return -EINVAL;
	}

	if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) {
		bprm->cap_effective = true;
	} else {
		bprm->cap_effective = false;
	}

	ret = 0;

	CAP_FOR_EACH_U32(i) {
		__u32 value_cpu;

		if (i >= tocopy) {
			/*
			 * Legacy capability sets have no upper bits
			 */
			bprm->cap_post_exec_permitted.cap[i] = 0;
			continue;
		}
		/*
		 * pP' = (X & fP) | (pI & fI)
		 */
		value_cpu = le32_to_cpu(caps->data[i].permitted);
		bprm->cap_post_exec_permitted.cap[i] =
			(current->cap_bset.cap[i] & value_cpu) |
			(current->cap_inheritable.cap[i] &
				le32_to_cpu(caps->data[i].inheritable));
		if (value_cpu & ~bprm->cap_post_exec_permitted.cap[i]) {
			/*
			 * insufficient to execute correctly
			 */
			ret = -EPERM;
		}
	}

	/*
	 * For legacy apps, with no internal support for recognizing they
	 * do not have enough capabilities, we return an error if they are
	 * missing some "forced" (aka file-permitted) capabilities.
	 */
	return bprm->cap_effective ? ret : 0;
}

/* Locate any VFS capabilities: */
static int get_file_caps(struct linux_binprm *bprm)
{
	struct dentry *dentry;
	int rc = 0;
	struct vfs_cap_data vcaps;
	struct inode *inode;

	bprm_clear_caps(bprm);

	if (!file_caps_enabled)
		return 0;

	if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
		return 0;

	dentry = dget(bprm->file->f_dentry);
	inode = dentry->d_inode;
	if (!inode->i_op || !inode->i_op->getxattr)
		goto out;

	rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &vcaps,
				   XATTR_CAPS_SZ);
	if (rc == -ENODATA || rc == -EOPNOTSUPP) {
		/* no data, that's ok */
		rc = 0;
		goto out;
	}
	if (rc < 0)
		goto out;

	rc = cap_from_disk(&vcaps, bprm, rc);
	if (rc == -EINVAL)
		printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
		       __func__, rc, bprm->filename);

out:
	dput(dentry);
	if (rc)
		bprm_clear_caps(bprm);

	return rc;
}

#else
int cap_inode_need_killpriv(struct dentry *dentry)
{
	return 0;
}

int cap_inode_killpriv(struct dentry *dentry)
{
	return 0;
}

static inline int get_file_caps(struct linux_binprm *bprm)
{
	bprm_clear_caps(bprm);
	return 0;
}
#endif

int cap_bprm_set_security (struct linux_binprm *bprm)
{
	int ret;

	ret = get_file_caps(bprm);

	if (!issecure(SECURE_NOROOT)) {
		/*
		 * To support inheritance of root-permissions and suid-root
		 * executables under compatibility mode, we override the
		 * capability sets for the file.
		 *
		 * If only the real uid is 0, we do not set the effective
		 * bit.
		 */
		if (bprm->e_uid == 0 || current->uid == 0) {
			/* pP' = (cap_bset & ~0) | (pI & ~0) */
			bprm->cap_post_exec_permitted = cap_combine(
				current->cap_bset, current->cap_inheritable
				);
			bprm->cap_effective = (bprm->e_uid == 0);
			ret = 0;
		}
	}

	return ret;
}

void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
{
	if (bprm->e_uid != current->uid || bprm->e_gid != current->gid ||
	    !cap_issubset(bprm->cap_post_exec_permitted,
			  current->cap_permitted)) {
		set_dumpable(current->mm, suid_dumpable);
		current->pdeath_signal = 0;

		if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
			if (!capable(CAP_SETUID)) {
				bprm->e_uid = current->uid;
				bprm->e_gid = current->gid;
			}
			if (cap_limit_ptraced_target()) {
				bprm->cap_post_exec_permitted = cap_intersect(
					bprm->cap_post_exec_permitted,
					current->cap_permitted);
			}
		}
	}

	current->suid = current->euid = current->fsuid = bprm->e_uid;
	current->sgid = current->egid = current->fsgid = bprm->e_gid;

	/* For init, we want to retain the capabilities set
	 * in the init_task struct. Thus we skip the usual
	 * capability rules */
	if (!is_global_init(current)) {
		current->cap_permitted = bprm->cap_post_exec_permitted;
		if (bprm->cap_effective)
			current->cap_effective = bprm->cap_post_exec_permitted;
		else
			cap_clear(current->cap_effective);
	}

	/* AUD: Audit candidate if current->cap_effective is set */

	current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
}

int cap_bprm_secureexec (struct linux_binprm *bprm)
{
	if (current->uid != 0) {
		if (bprm->cap_effective)
			return 1;
		if (!cap_isclear(bprm->cap_post_exec_permitted))
			return 1;
	}

	return (current->euid != current->uid ||
		current->egid != current->gid);
}

int cap_inode_setxattr(struct dentry *dentry, const char *name,
		       const void *value, size_t size, int flags)
{
	if (!strcmp(name, XATTR_NAME_CAPS)) {
		if (!capable(CAP_SETFCAP))
			return -EPERM;
		return 0;
	} else if (!strncmp(name, XATTR_SECURITY_PREFIX,
		     sizeof(XATTR_SECURITY_PREFIX) - 1)  &&
	    !capable(CAP_SYS_ADMIN))
		return -EPERM;
	return 0;
}

int cap_inode_removexattr(struct dentry *dentry, const char *name)
{
	if (!strcmp(name, XATTR_NAME_CAPS)) {
		if (!capable(CAP_SETFCAP))
			return -EPERM;
		return 0;
	} else if (!strncmp(name, XATTR_SECURITY_PREFIX,
		     sizeof(XATTR_SECURITY_PREFIX) - 1)  &&
	    !capable(CAP_SYS_ADMIN))
		return -EPERM;
	return 0;
}

/* moved from kernel/sys.c. */
/* 
 * cap_emulate_setxuid() fixes the effective / permitted capabilities of
 * a process after a call to setuid, setreuid, or setresuid.
 *
 *  1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
 *  {r,e,s}uid != 0, the permitted and effective capabilities are
 *  cleared.
 *
 *  2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
 *  capabilities of the process are cleared.
 *
 *  3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
 *  capabilities are set to the permitted capabilities.
 *
 *  fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should 
 *  never happen.
 *
 *  -astor 
 *
 * cevans - New behaviour, Oct '99
 * A process may, via prctl(), elect to keep its capabilities when it
 * calls setuid() and switches away from uid==0. Both permitted and
 * effective sets will be retained.
 * Without this change, it was impossible for a daemon to drop only some
 * of its privilege. The call to setuid(!=0) would drop all privileges!
 * Keeping uid 0 is not an option because uid 0 owns too many vital
 * files..
 * Thanks to Olaf Kirch and Peter Benie for spotting this.
 */
static inline void cap_emulate_setxuid (int old_ruid, int old_euid,
					int old_suid)
{
	if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) &&
	    (current->uid != 0 && current->euid != 0 && current->suid != 0) &&
	    !issecure(SECURE_KEEP_CAPS)) {
		cap_clear (current->cap_permitted);
		cap_clear (current->cap_effective);
	}
	if (old_euid == 0 && current->euid != 0) {
		cap_clear (current->cap_effective);
	}
	if (old_euid != 0 && current->euid == 0) {
		current->cap_effective = current->cap_permitted;
	}
}

int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid,
			  int flags)
{
	switch (flags) {
	case LSM_SETID_RE:
	case LSM_SETID_ID:
	case LSM_SETID_RES:
		/* Copied from kernel/sys.c:setreuid/setuid/setresuid. */
		if (!issecure (SECURE_NO_SETUID_FIXUP)) {
			cap_emulate_setxuid (old_ruid, old_euid, old_suid);
		}
		break;
	case LSM_SETID_FS:
		{
			uid_t old_fsuid = old_ruid;

			/* Copied from kernel/sys.c:setfsuid. */

			/*
			 * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
			 *          if not, we might be a bit too harsh here.
			 */

			if (!issecure (SECURE_NO_SETUID_FIXUP)) {
				if (old_fsuid == 0 && current->fsuid != 0) {
					current->cap_effective =
						cap_drop_fs_set(
						    current->cap_effective);
				}
				if (old_fsuid != 0 && current->fsuid == 0) {
					current->cap_effective =
						cap_raise_fs_set(
						    current->cap_effective,
						    current->cap_permitted);
				}
			}
			break;
		}
	default:
		return -EINVAL;
	}

	return 0;
}

#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
/*
 * Rationale: code calling task_setscheduler, task_setioprio, and
 * task_setnice, assumes that
 *   . if capable(cap_sys_nice), then those actions should be allowed
 *   . if not capable(cap_sys_nice), but acting on your own processes,
 *   	then those actions should be allowed
 * This is insufficient now since you can call code without suid, but
 * yet with increased caps.
 * So we check for increased caps on the target process.
 */
static int cap_safe_nice(struct task_struct *p)
{
	if (!cap_issubset(p->cap_permitted, current->cap_permitted) &&
	    !capable(CAP_SYS_NICE))
		return -EPERM;
	return 0;
}

int cap_task_setscheduler (struct task_struct *p, int policy,
			   struct sched_param *lp)
{
	return cap_safe_nice(p);
}

int cap_task_setioprio (struct task_struct *p, int ioprio)
{
	return cap_safe_nice(p);
}

int cap_task_setnice (struct task_struct *p, int nice)
{
	return cap_safe_nice(p);
}

/*
 * called from kernel/sys.c for prctl(PR_CABSET_DROP)
 * done without task_capability_lock() because it introduces
 * no new races - i.e. only another task doing capget() on
 * this task could get inconsistent info.  There can be no
 * racing writer bc a task can only change its own caps.
 */
static long cap_prctl_drop(unsigned long cap)
{
	if (!capable(CAP_SETPCAP))
		return -EPERM;
	if (!cap_valid(cap))
		return -EINVAL;
	cap_lower(current->cap_bset, cap);
	return 0;
}

#else
int cap_task_setscheduler (struct task_struct *p, int policy,
			   struct sched_param *lp)
{
	return 0;
}
int cap_task_setioprio (struct task_struct *p, int ioprio)
{
	return 0;
}
int cap_task_setnice (struct task_struct *p, int nice)
{
	return 0;
}
#endif

int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
		   unsigned long arg4, unsigned long arg5, long *rc_p)
{
	long error = 0;

	switch (option) {
	case PR_CAPBSET_READ:
		if (!cap_valid(arg2))
			error = -EINVAL;
		else
			error = !!cap_raised(current->cap_bset, arg2);
		break;
#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
	case PR_CAPBSET_DROP:
		error = cap_prctl_drop(arg2);
		break;

	/*
	 * The next four prctl's remain to assist with transitioning a
	 * system from legacy UID=0 based privilege (when filesystem
	 * capabilities are not in use) to a system using filesystem
	 * capabilities only - as the POSIX.1e draft intended.
	 *
	 * Note:
	 *
	 *  PR_SET_SECUREBITS =
	 *      issecure_mask(SECURE_KEEP_CAPS_LOCKED)
	 *    | issecure_mask(SECURE_NOROOT)
	 *    | issecure_mask(SECURE_NOROOT_LOCKED)
	 *    | issecure_mask(SECURE_NO_SETUID_FIXUP)
	 *    | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
	 *
	 * will ensure that the current process and all of its
	 * children will be locked into a pure
	 * capability-based-privilege environment.
	 */
	case PR_SET_SECUREBITS:
		if ((((current->securebits & SECURE_ALL_LOCKS) >> 1)
		     & (current->securebits ^ arg2))                  /*[1]*/
		    || ((current->securebits & SECURE_ALL_LOCKS
			 & ~arg2))                                    /*[2]*/
		    || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
		    || (cap_capable(current, CAP_SETPCAP) != 0)) {    /*[4]*/
			/*
			 * [1] no changing of bits that are locked
			 * [2] no unlocking of locks
			 * [3] no setting of unsupported bits
			 * [4] doing anything requires privilege (go read about
			 *     the "sendmail capabilities bug")
			 */
			error = -EPERM;  /* cannot change a locked bit */
		} else {
			current->securebits = arg2;
		}
		break;
	case PR_GET_SECUREBITS:
		error = current->securebits;
		break;

#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */

	case PR_GET_KEEPCAPS:
		if (issecure(SECURE_KEEP_CAPS))
			error = 1;
		break;
	case PR_SET_KEEPCAPS:
		if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
			error = -EINVAL;
		else if (issecure(SECURE_KEEP_CAPS_LOCKED))
			error = -EPERM;
		else if (arg2)
			current->securebits |= issecure_mask(SECURE_KEEP_CAPS);
		else
			current->securebits &=
				~issecure_mask(SECURE_KEEP_CAPS);
		break;

	default:
		/* No functionality available - continue with default */
		return 0;
	}

	/* Functionality provided */
	*rc_p = error;
	return 1;
}

void cap_task_reparent_to_init (struct task_struct *p)
{
	cap_set_init_eff(p->cap_effective);
	cap_clear(p->cap_inheritable);
	cap_set_full(p->cap_permitted);
	p->securebits = SECUREBITS_DEFAULT;
	return;
}

int cap_syslog (int type)
{
	if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
		return -EPERM;
	return 0;
}

int cap_vm_enough_memory(struct mm_struct *mm, long pages)
{
	int cap_sys_admin = 0;

	if (cap_capable(current, CAP_SYS_ADMIN) == 0)
		cap_sys_admin = 1;
	return __vm_enough_memory(mm, pages, cap_sys_admin);
}
Commit	Line	Data
e338d263	1	/* Common capabilities, needed by capability.o and root_plug.o
1da177e4 LT	2	*
	3	* This program is free software; you can redistribute it and/or modify
	4	* it under the terms of the GNU General Public License as published by
	5	* the Free Software Foundation; either version 2 of the License, or
	6	* (at your option) any later version.
	7	*
	8	*/
	9
c59ede7b	10	#include <linux/capability.h>
1da177e4 LT	11	#include <linux/module.h>
	12	#include <linux/init.h>
	13	#include <linux/kernel.h>
	14	#include <linux/security.h>
	15	#include <linux/file.h>
	16	#include <linux/mm.h>
	17	#include <linux/mman.h>
	18	#include <linux/pagemap.h>
	19	#include <linux/swap.h>
1da177e4 LT	20	#include <linux/skbuff.h>
	21	#include <linux/netlink.h>
	22	#include <linux/ptrace.h>
	23	#include <linux/xattr.h>
	24	#include <linux/hugetlb.h>
b5376771	25	#include <linux/mount.h>
b460cbc5	26	#include <linux/sched.h>
3898b1b4 AM	27	#include <linux/prctl.h>
3898b1b4 AM	28	#include <linux/securebits.h>
72c2d582	29
1da177e4 LT	30	int cap_netlink_send(struct sock sk, struct sk_buff skb)
	31	{
	32	NETLINK_CB(skb).eff_cap = current->cap_effective;
	33	return 0;
	34	}
	35
c7bdb545	36	int cap_netlink_recv(struct sk_buff *skb, int cap)
1da177e4	37	{
c7bdb545	38	if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
1da177e4 LT	39	return -EPERM;
	40	return 0;
	41	}
	42
	43	EXPORT_SYMBOL(cap_netlink_recv);
	44
a6dbb1ef AM	45	/*
	46	* NOTE WELL: cap_capable() cannot be used like the kernel's capable()
	47	* function. That is, it has the reverse semantics: cap_capable()
	48	* returns 0 when a task has a capability, but the kernel's capable()
	49	* returns 1 for this case.
	50	*/
1da177e4 LT	51	int cap_capable (struct task_struct *tsk, int cap)
	52	{
	53	/* Derived from include/linux/sched.h:capable. */
	54	if (cap_raised(tsk->cap_effective, cap))
	55	return 0;
	56	return -EPERM;
	57	}
	58
	59	int cap_settime(struct timespec ts, struct timezone tz)
	60	{
	61	if (!capable(CAP_SYS_TIME))
	62	return -EPERM;
	63	return 0;
	64	}
	65
5cd9c58f	66	int cap_ptrace_may_access(struct task_struct *child, unsigned int mode)
1da177e4 LT	67	{
1da177e4 LT	68	/* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
5cd9c58f DH	69	if (cap_issubset(child->cap_permitted, current->cap_permitted))
	70	return 0;
	71	if (capable(CAP_SYS_PTRACE))
	72	return 0;
	73	return -EPERM;
	74	}
	75
	76	int cap_ptrace_traceme(struct task_struct *parent)
	77	{
	78	/* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
	79	if (cap_issubset(current->cap_permitted, parent->cap_permitted))
	80	return 0;
	81	if (has_capability(parent, CAP_SYS_PTRACE))
	82	return 0;
	83	return -EPERM;
1da177e4 LT	84	}
	85
	86	int cap_capget (struct task_struct target, kernel_cap_t effective,
	87	kernel_cap_t inheritable, kernel_cap_t permitted)
	88	{
	89	/* Derived from kernel/capability.c:sys_capget. */
e338d263 AM	90	*effective = target->cap_effective;
	91	*inheritable = target->cap_inheritable;
	92	*permitted = target->cap_permitted;
1da177e4 LT	93	return 0;
	94	}
	95
72c2d582 AM	96	#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
	97
	98	static inline int cap_block_setpcap(struct task_struct *target)
	99	{
	100	/*
	101	* No support for remote process capability manipulation with
	102	* filesystem capability support.
	103	*/
	104	return (target != current);
	105	}
	106
	107	static inline int cap_inh_is_capped(void)
	108	{
	109	/*
a6dbb1ef AM	110	* Return 1 if changes to the inheritable set are limited
	111	* to the old permitted set. That is, if the current task
	112	* does not possess the CAP_SETPCAP capability.
72c2d582	113	*/
a6dbb1ef	114	return (cap_capable(current, CAP_SETPCAP) != 0);
72c2d582 AM	115	}
72c2d582 AM	116
1209726c AM	117	static inline int cap_limit_ptraced_target(void) { return 1; }
1209726c AM	118
72c2d582 AM	119	#else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */
	120
	121	static inline int cap_block_setpcap(struct task_struct *t) { return 0; }
	122	static inline int cap_inh_is_capped(void) { return 1; }
1209726c AM	123	static inline int cap_limit_ptraced_target(void)
	124	{
	125	return !capable(CAP_SETPCAP);
	126	}
72c2d582 AM	127
	128	#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
	129
1da177e4 LT	130	int cap_capset_check (struct task_struct target, kernel_cap_t effective,
	131	kernel_cap_t inheritable, kernel_cap_t permitted)
	132	{
72c2d582 AM	133	if (cap_block_setpcap(target)) {
	134	return -EPERM;
	135	}
	136	if (cap_inh_is_capped()
	137	&& !cap_issubset(*inheritable,
	138	cap_combine(target->cap_inheritable,
	139	current->cap_permitted))) {
	140	/* incapable of using this inheritable set */
1da177e4 LT	141	return -EPERM;
1da177e4 LT	142	}
3b7391de SH	143	if (!cap_issubset(*inheritable,
	144	cap_combine(target->cap_inheritable,
	145	current->cap_bset))) {
	146	/* no new pI capabilities outside bounding set */
	147	return -EPERM;
	148	}
1da177e4 LT	149
	150	/* verify restrictions on target's new Permitted set */
	151	if (!cap_issubset (*permitted,
	152	cap_combine (target->cap_permitted,
	153	current->cap_permitted))) {
	154	return -EPERM;
	155	}
	156
	157	/* verify the _new_Effective_ is a subset of the _new_Permitted_ */
	158	if (!cap_issubset (effective, permitted)) {
	159	return -EPERM;
	160	}
	161
	162	return 0;
	163	}
	164
	165	void cap_capset_set (struct task_struct target, kernel_cap_t effective,
	166	kernel_cap_t inheritable, kernel_cap_t permitted)
	167	{
	168	target->cap_effective = *effective;
	169	target->cap_inheritable = *inheritable;
	170	target->cap_permitted = *permitted;
	171	}
	172
b5376771 SH	173	static inline void bprm_clear_caps(struct linux_binprm *bprm)
b5376771 SH	174	{
5459c164	175	cap_clear(bprm->cap_post_exec_permitted);
b5376771 SH	176	bprm->cap_effective = false;
	177	}
	178
	179	#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
	180
	181	int cap_inode_need_killpriv(struct dentry *dentry)
	182	{
	183	struct inode *inode = dentry->d_inode;
	184	int error;
	185
	186	if (!inode->i_op \|\| !inode->i_op->getxattr)
	187	return 0;
	188
	189	error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0);
	190	if (error <= 0)
	191	return 0;
	192	return 1;
	193	}
	194
	195	int cap_inode_killpriv(struct dentry *dentry)
	196	{
	197	struct inode *inode = dentry->d_inode;
	198
	199	if (!inode->i_op \|\| !inode->i_op->removexattr)
	200	return 0;
	201
	202	return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
	203	}
	204
e338d263 AM	205	static inline int cap_from_disk(struct vfs_cap_data *caps,
e338d263 AM	206	struct linux_binprm *bprm, unsigned size)
b5376771 SH	207	{
b5376771 SH	208	__u32 magic_etc;
e338d263	209	unsigned tocopy, i;
5459c164	210	int ret;
b5376771	211
e338d263	212	if (size < sizeof(magic_etc))
b5376771 SH	213	return -EINVAL;
b5376771 SH	214
e338d263	215	magic_etc = le32_to_cpu(caps->magic_etc);
b5376771 SH	216
b5376771 SH	217	switch ((magic_etc & VFS_CAP_REVISION_MASK)) {
e338d263 AM	218	case VFS_CAP_REVISION_1:
	219	if (size != XATTR_CAPS_SZ_1)
	220	return -EINVAL;
	221	tocopy = VFS_CAP_U32_1;
	222	break;
	223	case VFS_CAP_REVISION_2:
	224	if (size != XATTR_CAPS_SZ_2)
	225	return -EINVAL;
	226	tocopy = VFS_CAP_U32_2;
	227	break;
b5376771 SH	228	default:
	229	return -EINVAL;
	230	}
e338d263 AM	231
	232	if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) {
	233	bprm->cap_effective = true;
	234	} else {
	235	bprm->cap_effective = false;
	236	}
	237
5459c164 AM	238	ret = 0;
	239
	240	CAP_FOR_EACH_U32(i) {
	241	__u32 value_cpu;
	242
	243	if (i >= tocopy) {
	244	/*
	245	* Legacy capability sets have no upper bits
	246	*/
	247	bprm->cap_post_exec_permitted.cap[i] = 0;
	248	continue;
	249	}
	250	/*
	251	* pP' = (X & fP) \| (pI & fI)
	252	*/
	253	value_cpu = le32_to_cpu(caps->data[i].permitted);
	254	bprm->cap_post_exec_permitted.cap[i] =
	255	(current->cap_bset.cap[i] & value_cpu) \|
	256	(current->cap_inheritable.cap[i] &
	257	le32_to_cpu(caps->data[i].inheritable));
	258	if (value_cpu & ~bprm->cap_post_exec_permitted.cap[i]) {
	259	/*
	260	* insufficient to execute correctly
	261	*/
	262	ret = -EPERM;
	263	}
e338d263 AM	264	}
e338d263 AM	265
5459c164 AM	266	/*
	267	* For legacy apps, with no internal support for recognizing they
	268	* do not have enough capabilities, we return an error if they are
	269	* missing some "forced" (aka file-permitted) capabilities.
	270	*/
	271	return bprm->cap_effective ? ret : 0;
b5376771 SH	272	}
	273
	274	/* Locate any VFS capabilities: */
	275	static int get_file_caps(struct linux_binprm *bprm)
	276	{
	277	struct dentry *dentry;
	278	int rc = 0;
e338d263	279	struct vfs_cap_data vcaps;
b5376771 SH	280	struct inode *inode;
b5376771 SH	281
3318a386 SH	282	bprm_clear_caps(bprm);
3318a386 SH	283
1f29fae2 SH	284	if (!file_caps_enabled)
	285	return 0;
	286
3318a386	287	if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
b5376771	288	return 0;
b5376771 SH	289
	290	dentry = dget(bprm->file->f_dentry);
	291	inode = dentry->d_inode;
	292	if (!inode->i_op \|\| !inode->i_op->getxattr)
	293	goto out;
	294
e338d263 AM	295	rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &vcaps,
e338d263 AM	296	XATTR_CAPS_SZ);
b5376771 SH	297	if (rc == -ENODATA \|\| rc == -EOPNOTSUPP) {
	298	/* no data, that's ok */
	299	rc = 0;
	300	goto out;
	301	}
	302	if (rc < 0)
	303	goto out;
	304
e338d263	305	rc = cap_from_disk(&vcaps, bprm, rc);
5459c164	306	if (rc == -EINVAL)
b5376771	307	printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
5459c164	308	__func__, rc, bprm->filename);
b5376771 SH	309
	310	out:
	311	dput(dentry);
	312	if (rc)
	313	bprm_clear_caps(bprm);
	314
	315	return rc;
	316	}
	317
	318	#else
	319	int cap_inode_need_killpriv(struct dentry *dentry)
	320	{
	321	return 0;
	322	}
	323
	324	int cap_inode_killpriv(struct dentry *dentry)
	325	{
	326	return 0;
	327	}
	328
	329	static inline int get_file_caps(struct linux_binprm *bprm)
	330	{
	331	bprm_clear_caps(bprm);
	332	return 0;
	333	}
	334	#endif
	335
1da177e4 LT	336	int cap_bprm_set_security (struct linux_binprm *bprm)
1da177e4 LT	337	{
b5376771	338	int ret;
1da177e4	339
b5376771	340	ret = get_file_caps(bprm);
1da177e4	341
5459c164 AM	342	if (!issecure(SECURE_NOROOT)) {
	343	/*
	344	* To support inheritance of root-permissions and suid-root
	345	* executables under compatibility mode, we override the
	346	* capability sets for the file.
	347	*
	348	* If only the real uid is 0, we do not set the effective
	349	* bit.
	350	*/
1da177e4	351	if (bprm->e_uid == 0 \|\| current->uid == 0) {
5459c164 AM	352	/* pP' = (cap_bset & ~0) \| (pI & ~0) */
	353	bprm->cap_post_exec_permitted = cap_combine(
	354	current->cap_bset, current->cap_inheritable
	355	);
	356	bprm->cap_effective = (bprm->e_uid == 0);
	357	ret = 0;
1da177e4	358	}
1da177e4	359	}
b5376771 SH	360
b5376771 SH	361	return ret;
1da177e4 LT	362	}
	363
	364	void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
	365	{
1da177e4	366	if (bprm->e_uid != current->uid \|\| bprm->e_gid != current->gid \|\|
5459c164 AM	367	!cap_issubset(bprm->cap_post_exec_permitted,
5459c164 AM	368	current->cap_permitted)) {
6c5d5238	369	set_dumpable(current->mm, suid_dumpable);
b5376771	370	current->pdeath_signal = 0;
1da177e4 LT	371
	372	if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
	373	if (!capable(CAP_SETUID)) {
	374	bprm->e_uid = current->uid;
	375	bprm->e_gid = current->gid;
	376	}
1209726c	377	if (cap_limit_ptraced_target()) {
5459c164 AM	378	bprm->cap_post_exec_permitted = cap_intersect(
	379	bprm->cap_post_exec_permitted,
	380	current->cap_permitted);
1da177e4 LT	381	}
	382	}
	383	}
	384
	385	current->suid = current->euid = current->fsuid = bprm->e_uid;
	386	current->sgid = current->egid = current->fsgid = bprm->e_gid;
	387
	388	/* For init, we want to retain the capabilities set
	389	* in the init_task struct. Thus we skip the usual
	390	* capability rules */
b460cbc5	391	if (!is_global_init(current)) {
5459c164	392	current->cap_permitted = bprm->cap_post_exec_permitted;
e338d263	393	if (bprm->cap_effective)
5459c164	394	current->cap_effective = bprm->cap_post_exec_permitted;
e338d263 AM	395	else
e338d263 AM	396	cap_clear(current->cap_effective);
1da177e4 LT	397	}
	398
	399	/* AUD: Audit candidate if current->cap_effective is set */
	400
3898b1b4	401	current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
1da177e4 LT	402	}
	403
	404	int cap_bprm_secureexec (struct linux_binprm *bprm)
	405	{
b5376771 SH	406	if (current->uid != 0) {
	407	if (bprm->cap_effective)
	408	return 1;
5459c164	409	if (!cap_isclear(bprm->cap_post_exec_permitted))
b5376771 SH	410	return 1;
	411	}
	412
1da177e4 LT	413	return (current->euid != current->uid \|\|
	414	current->egid != current->gid);
	415	}
	416
8f0cfa52 DH	417	int cap_inode_setxattr(struct dentry dentry, const char name,
8f0cfa52 DH	418	const void *value, size_t size, int flags)
1da177e4	419	{
b5376771 SH	420	if (!strcmp(name, XATTR_NAME_CAPS)) {
	421	if (!capable(CAP_SETFCAP))
	422	return -EPERM;
	423	return 0;
	424	} else if (!strncmp(name, XATTR_SECURITY_PREFIX,
1da177e4 LT	425	sizeof(XATTR_SECURITY_PREFIX) - 1) &&
	426	!capable(CAP_SYS_ADMIN))
	427	return -EPERM;
	428	return 0;
	429	}
	430
8f0cfa52	431	int cap_inode_removexattr(struct dentry dentry, const char name)
1da177e4	432	{
b5376771 SH	433	if (!strcmp(name, XATTR_NAME_CAPS)) {
	434	if (!capable(CAP_SETFCAP))
	435	return -EPERM;
	436	return 0;
	437	} else if (!strncmp(name, XATTR_SECURITY_PREFIX,
1da177e4 LT	438	sizeof(XATTR_SECURITY_PREFIX) - 1) &&
	439	!capable(CAP_SYS_ADMIN))
	440	return -EPERM;
	441	return 0;
	442	}
	443
	444	/* moved from kernel/sys.c. */
	445	/*
	446	* cap_emulate_setxuid() fixes the effective / permitted capabilities of
	447	* a process after a call to setuid, setreuid, or setresuid.
	448	*
	449	* 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
	450	* {r,e,s}uid != 0, the permitted and effective capabilities are
	451	* cleared.
	452	*
	453	* 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
	454	* capabilities of the process are cleared.
	455	*
	456	* 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
	457	* capabilities are set to the permitted capabilities.
	458	*
	459	* fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
	460	* never happen.
	461	*
	462	* -astor
	463	*
	464	* cevans - New behaviour, Oct '99
	465	* A process may, via prctl(), elect to keep its capabilities when it
	466	* calls setuid() and switches away from uid==0. Both permitted and
	467	* effective sets will be retained.
	468	* Without this change, it was impossible for a daemon to drop only some
	469	* of its privilege. The call to setuid(!=0) would drop all privileges!
	470	* Keeping uid 0 is not an option because uid 0 owns too many vital
	471	* files..
	472	* Thanks to Olaf Kirch and Peter Benie for spotting this.
	473	*/
	474	static inline void cap_emulate_setxuid (int old_ruid, int old_euid,
	475	int old_suid)
	476	{
	477	if ((old_ruid == 0 \|\| old_euid == 0 \|\| old_suid == 0) &&
	478	(current->uid != 0 && current->euid != 0 && current->suid != 0) &&
3898b1b4	479	!issecure(SECURE_KEEP_CAPS)) {
1da177e4 LT	480	cap_clear (current->cap_permitted);
	481	cap_clear (current->cap_effective);
	482	}
	483	if (old_euid == 0 && current->euid != 0) {
	484	cap_clear (current->cap_effective);
	485	}
	486	if (old_euid != 0 && current->euid == 0) {
	487	current->cap_effective = current->cap_permitted;
	488	}
	489	}
	490
	491	int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid,
	492	int flags)
	493	{
	494	switch (flags) {
	495	case LSM_SETID_RE:
	496	case LSM_SETID_ID:
	497	case LSM_SETID_RES:
	498	/* Copied from kernel/sys.c:setreuid/setuid/setresuid. */
	499	if (!issecure (SECURE_NO_SETUID_FIXUP)) {
	500	cap_emulate_setxuid (old_ruid, old_euid, old_suid);
	501	}
	502	break;
	503	case LSM_SETID_FS:
	504	{
	505	uid_t old_fsuid = old_ruid;
	506
	507	/* Copied from kernel/sys.c:setfsuid. */
	508
	509	/*
	510	* FIXME - is fsuser used for all CAP_FS_MASK capabilities?
	511	* if not, we might be a bit too harsh here.
	512	*/
	513
	514	if (!issecure (SECURE_NO_SETUID_FIXUP)) {
	515	if (old_fsuid == 0 && current->fsuid != 0) {
e338d263 AM	516	current->cap_effective =
	517	cap_drop_fs_set(
	518	current->cap_effective);
1da177e4 LT	519	}
1da177e4 LT	520	if (old_fsuid != 0 && current->fsuid == 0) {
e338d263 AM	521	current->cap_effective =
	522	cap_raise_fs_set(
	523	current->cap_effective,
	524	current->cap_permitted);
1da177e4 LT	525	}
	526	}
	527	break;
	528	}
	529	default:
	530	return -EINVAL;
	531	}
	532
	533	return 0;
	534	}
	535
b5376771 SH	536	#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
	537	/*
	538	* Rationale: code calling task_setscheduler, task_setioprio, and
	539	* task_setnice, assumes that
	540	* . if capable(cap_sys_nice), then those actions should be allowed
	541	* . if not capable(cap_sys_nice), but acting on your own processes,
	542	* then those actions should be allowed
	543	* This is insufficient now since you can call code without suid, but
	544	* yet with increased caps.
	545	* So we check for increased caps on the target process.
	546	*/
de45e806	547	static int cap_safe_nice(struct task_struct *p)
b5376771 SH	548	{
b5376771 SH	549	if (!cap_issubset(p->cap_permitted, current->cap_permitted) &&
5cd9c58f	550	!capable(CAP_SYS_NICE))
b5376771 SH	551	return -EPERM;
	552	return 0;
	553	}
	554
	555	int cap_task_setscheduler (struct task_struct *p, int policy,
	556	struct sched_param *lp)
	557	{
	558	return cap_safe_nice(p);
	559	}
	560
	561	int cap_task_setioprio (struct task_struct *p, int ioprio)
	562	{
	563	return cap_safe_nice(p);
	564	}
	565
	566	int cap_task_setnice (struct task_struct *p, int nice)
	567	{
	568	return cap_safe_nice(p);
	569	}
	570
3b7391de SH	571	/*
	572	* called from kernel/sys.c for prctl(PR_CABSET_DROP)
	573	* done without task_capability_lock() because it introduces
	574	* no new races - i.e. only another task doing capget() on
	575	* this task could get inconsistent info. There can be no
	576	* racing writer bc a task can only change its own caps.
	577	*/
3898b1b4	578	static long cap_prctl_drop(unsigned long cap)
3b7391de SH	579	{
	580	if (!capable(CAP_SETPCAP))
	581	return -EPERM;
	582	if (!cap_valid(cap))
	583	return -EINVAL;
	584	cap_lower(current->cap_bset, cap);
	585	return 0;
	586	}
3898b1b4	587
b5376771 SH	588	#else
	589	int cap_task_setscheduler (struct task_struct *p, int policy,
	590	struct sched_param *lp)
	591	{
	592	return 0;
	593	}
	594	int cap_task_setioprio (struct task_struct *p, int ioprio)
	595	{
	596	return 0;
	597	}
	598	int cap_task_setnice (struct task_struct *p, int nice)
	599	{
	600	return 0;
	601	}
b5376771 SH	602	#endif
b5376771 SH	603
3898b1b4 AM	604	int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
	605	unsigned long arg4, unsigned long arg5, long *rc_p)
	606	{
	607	long error = 0;
	608
	609	switch (option) {
	610	case PR_CAPBSET_READ:
	611	if (!cap_valid(arg2))
	612	error = -EINVAL;
	613	else
	614	error = !!cap_raised(current->cap_bset, arg2);
	615	break;
	616	#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
	617	case PR_CAPBSET_DROP:
	618	error = cap_prctl_drop(arg2);
	619	break;
	620
	621	/*
	622	* The next four prctl's remain to assist with transitioning a
	623	* system from legacy UID=0 based privilege (when filesystem
	624	* capabilities are not in use) to a system using filesystem
	625	* capabilities only - as the POSIX.1e draft intended.
	626	*
	627	* Note:
	628	*
	629	* PR_SET_SECUREBITS =
	630	* issecure_mask(SECURE_KEEP_CAPS_LOCKED)
	631	* \| issecure_mask(SECURE_NOROOT)
	632	* \| issecure_mask(SECURE_NOROOT_LOCKED)
	633	* \| issecure_mask(SECURE_NO_SETUID_FIXUP)
	634	* \| issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
	635	*
	636	* will ensure that the current process and all of its
	637	* children will be locked into a pure
	638	* capability-based-privilege environment.
	639	*/
	640	case PR_SET_SECUREBITS:
	641	if ((((current->securebits & SECURE_ALL_LOCKS) >> 1)
	642	& (current->securebits ^ arg2)) /[1]/
	643	\|\| ((current->securebits & SECURE_ALL_LOCKS
	644	& ~arg2)) /[2]/
	645	\|\| (arg2 & ~(SECURE_ALL_LOCKS \| SECURE_ALL_BITS)) /[3]/
	646	\|\| (cap_capable(current, CAP_SETPCAP) != 0)) { /[4]/
	647	/*
	648	* [1] no changing of bits that are locked
	649	* [2] no unlocking of locks
	650	* [3] no setting of unsupported bits
	651	* [4] doing anything requires privilege (go read about
	652	* the "sendmail capabilities bug")
	653	*/
	654	error = -EPERM; /* cannot change a locked bit */
	655	} else {
	656	current->securebits = arg2;
	657	}
	658	break;
	659	case PR_GET_SECUREBITS:
	660	error = current->securebits;
	661	break;
	662
	663	#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
	664
	665	case PR_GET_KEEPCAPS:
	666	if (issecure(SECURE_KEEP_CAPS))
	667	error = 1;
668	break;
669	case PR_SET_KEEPCAPS:
670	if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
671	error = -EINVAL;
672	else if (issecure(SECURE_KEEP_CAPS_LOCKED))
673	error = -EPERM;
674	else if (arg2)
675	current->securebits \|= issecure_mask(SECURE_KEEP_CAPS);
676	else
677	current->securebits &=
678	~issecure_mask(SECURE_KEEP_CAPS);
679	break;
680
681	default:
682	/* No functionality available - continue with default */
683	return 0;
684	}
685
686	/* Functionality provided */
687	*rc_p = error;
688	return 1;
689	}
690
1da177e4 LT	691	void cap_task_reparent_to_init (struct task_struct *p)
1da177e4 LT	692	{
e338d263 AM	693	cap_set_init_eff(p->cap_effective);
	694	cap_clear(p->cap_inheritable);
	695	cap_set_full(p->cap_permitted);
3898b1b4	696	p->securebits = SECUREBITS_DEFAULT;
1da177e4 LT	697	return;
	698	}
	699
	700	int cap_syslog (int type)
	701	{
	702	if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
	703	return -EPERM;
	704	return 0;
	705	}
	706
34b4e4aa	707	int cap_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4 LT	708	{
	709	int cap_sys_admin = 0;
	710
	711	if (cap_capable(current, CAP_SYS_ADMIN) == 0)
	712	cap_sys_admin = 1;
34b4e4aa	713	return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4 LT	714	}
1da177e4 LT	715