1
2
3
4
5
6
7
8
9
10#include <linux/capability.h>
11#include <linux/audit.h>
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/kernel.h>
15#include <linux/lsm_hooks.h>
16#include <linux/file.h>
17#include <linux/mm.h>
18#include <linux/mman.h>
19#include <linux/pagemap.h>
20#include <linux/swap.h>
21#include <linux/skbuff.h>
22#include <linux/netlink.h>
23#include <linux/ptrace.h>
24#include <linux/xattr.h>
25#include <linux/hugetlb.h>
26#include <linux/mount.h>
27#include <linux/sched.h>
28#include <linux/prctl.h>
29#include <linux/securebits.h>
30#include <linux/user_namespace.h>
31#include <linux/binfmts.h>
32#include <linux/personality.h>
33
34
35
36
37
38
39
40
41
42
43
44
45static void warn_setuid_and_fcaps_mixed(const char *fname)
46{
47 static int warned;
48 if (!warned) {
49 printk(KERN_INFO "warning: `%s' has both setuid-root and"
50 " effective capabilities. Therefore not raising all"
51 " capabilities.\n", fname);
52 warned = 1;
53 }
54}
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
72 int cap, int audit)
73{
74 struct user_namespace *ns = targ_ns;
75
76
77
78
79
80 for (;;) {
81
82 if (ns == cred->user_ns)
83 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
84
85
86 if (ns == &init_user_ns)
87 return -EPERM;
88
89
90
91
92
93 if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
94 return 0;
95
96
97
98
99
100 ns = ns->parent;
101 }
102
103
104}
105
106
107
108
109
110
111
112
113
114int cap_settime(const struct timespec64 *ts, const struct timezone *tz)
115{
116 if (!capable(CAP_SYS_TIME))
117 return -EPERM;
118 return 0;
119}
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
137{
138 int ret = 0;
139 const struct cred *cred, *child_cred;
140 const kernel_cap_t *caller_caps;
141
142 rcu_read_lock();
143 cred = current_cred();
144 child_cred = __task_cred(child);
145 if (mode & PTRACE_MODE_FSCREDS)
146 caller_caps = &cred->cap_effective;
147 else
148 caller_caps = &cred->cap_permitted;
149 if (cred->user_ns == child_cred->user_ns &&
150 cap_issubset(child_cred->cap_permitted, *caller_caps))
151 goto out;
152 if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
153 goto out;
154 ret = -EPERM;
155out:
156 rcu_read_unlock();
157 return ret;
158}
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173int cap_ptrace_traceme(struct task_struct *parent)
174{
175 int ret = 0;
176 const struct cred *cred, *child_cred;
177
178 rcu_read_lock();
179 cred = __task_cred(parent);
180 child_cred = current_cred();
181 if (cred->user_ns == child_cred->user_ns &&
182 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
183 goto out;
184 if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
185 goto out;
186 ret = -EPERM;
187out:
188 rcu_read_unlock();
189 return ret;
190}
191
192
193
194
195
196
197
198
199
200
201
202int cap_capget(struct task_struct *target, kernel_cap_t *effective,
203 kernel_cap_t *inheritable, kernel_cap_t *permitted)
204{
205 const struct cred *cred;
206
207
208 rcu_read_lock();
209 cred = __task_cred(target);
210 *effective = cred->cap_effective;
211 *inheritable = cred->cap_inheritable;
212 *permitted = cred->cap_permitted;
213 rcu_read_unlock();
214 return 0;
215}
216
217
218
219
220
221static inline int cap_inh_is_capped(void)
222{
223
224
225
226
227 if (cap_capable(current_cred(), current_cred()->user_ns,
228 CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
229 return 0;
230 return 1;
231}
232
233
234
235
236
237
238
239
240
241
242
243
244
245int cap_capset(struct cred *new,
246 const struct cred *old,
247 const kernel_cap_t *effective,
248 const kernel_cap_t *inheritable,
249 const kernel_cap_t *permitted)
250{
251 if (cap_inh_is_capped() &&
252 !cap_issubset(*inheritable,
253 cap_combine(old->cap_inheritable,
254 old->cap_permitted)))
255
256 return -EPERM;
257
258 if (!cap_issubset(*inheritable,
259 cap_combine(old->cap_inheritable,
260 old->cap_bset)))
261
262 return -EPERM;
263
264
265 if (!cap_issubset(*permitted, old->cap_permitted))
266 return -EPERM;
267
268
269 if (!cap_issubset(*effective, *permitted))
270 return -EPERM;
271
272 new->cap_effective = *effective;
273 new->cap_inheritable = *inheritable;
274 new->cap_permitted = *permitted;
275
276
277
278
279
280 new->cap_ambient = cap_intersect(new->cap_ambient,
281 cap_intersect(*permitted,
282 *inheritable));
283 if (WARN_ON(!cap_ambient_invariant_ok(new)))
284 return -EINVAL;
285 return 0;
286}
287
288
289
290
291static inline void bprm_clear_caps(struct linux_binprm *bprm)
292{
293 cap_clear(bprm->cred->cap_permitted);
294 bprm->cap_effective = false;
295}
296
297
298
299
300
301
302
303
304
305
306
307
308int cap_inode_need_killpriv(struct dentry *dentry)
309{
310 struct inode *inode = d_backing_inode(dentry);
311 int error;
312
313 error = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, NULL, 0);
314 return error > 0;
315}
316
317
318
319
320
321
322
323
324
325int cap_inode_killpriv(struct dentry *dentry)
326{
327 int error;
328
329 error = __vfs_removexattr(dentry, XATTR_NAME_CAPS);
330 if (error == -EOPNOTSUPP)
331 error = 0;
332 return error;
333}
334
335
336
337
338
339static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
340 struct linux_binprm *bprm,
341 bool *effective,
342 bool *has_cap)
343{
344 struct cred *new = bprm->cred;
345 unsigned i;
346 int ret = 0;
347
348 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
349 *effective = true;
350
351 if (caps->magic_etc & VFS_CAP_REVISION_MASK)
352 *has_cap = true;
353
354 CAP_FOR_EACH_U32(i) {
355 __u32 permitted = caps->permitted.cap[i];
356 __u32 inheritable = caps->inheritable.cap[i];
357
358
359
360
361
362 new->cap_permitted.cap[i] =
363 (new->cap_bset.cap[i] & permitted) |
364 (new->cap_inheritable.cap[i] & inheritable);
365
366 if (permitted & ~new->cap_permitted.cap[i])
367
368 ret = -EPERM;
369 }
370
371
372
373
374
375
376 return *effective ? ret : 0;
377}
378
379
380
381
382int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
383{
384 struct inode *inode = d_backing_inode(dentry);
385 __u32 magic_etc;
386 unsigned tocopy, i;
387 int size;
388 struct vfs_cap_data caps;
389
390 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
391
392 if (!inode)
393 return -ENODATA;
394
395 size = __vfs_getxattr((struct dentry *)dentry, inode,
396 XATTR_NAME_CAPS, &caps, XATTR_CAPS_SZ);
397 if (size == -ENODATA || size == -EOPNOTSUPP)
398
399 return -ENODATA;
400 if (size < 0)
401 return size;
402
403 if (size < sizeof(magic_etc))
404 return -EINVAL;
405
406 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc);
407
408 switch (magic_etc & VFS_CAP_REVISION_MASK) {
409 case VFS_CAP_REVISION_1:
410 if (size != XATTR_CAPS_SZ_1)
411 return -EINVAL;
412 tocopy = VFS_CAP_U32_1;
413 break;
414 case VFS_CAP_REVISION_2:
415 if (size != XATTR_CAPS_SZ_2)
416 return -EINVAL;
417 tocopy = VFS_CAP_U32_2;
418 break;
419 default:
420 return -EINVAL;
421 }
422
423 CAP_FOR_EACH_U32(i) {
424 if (i >= tocopy)
425 break;
426 cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted);
427 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable);
428 }
429
430 cpu_caps->permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
431 cpu_caps->inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
432
433 return 0;
434}
435
436
437
438
439
440
441static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_cap)
442{
443 int rc = 0;
444 struct cpu_vfs_cap_data vcaps;
445
446 bprm_clear_caps(bprm);
447
448 if (!file_caps_enabled)
449 return 0;
450
451 if (!mnt_may_suid(bprm->file->f_path.mnt))
452 return 0;
453
454
455
456
457
458
459 if (!current_in_userns(bprm->file->f_path.mnt->mnt_sb->s_user_ns))
460 return 0;
461
462 rc = get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps);
463 if (rc < 0) {
464 if (rc == -EINVAL)
465 printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n",
466 __func__, rc, bprm->filename);
467 else if (rc == -ENODATA)
468 rc = 0;
469 goto out;
470 }
471
472 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_cap);
473 if (rc == -EINVAL)
474 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
475 __func__, rc, bprm->filename);
476
477out:
478 if (rc)
479 bprm_clear_caps(bprm);
480
481 return rc;
482}
483
484
485
486
487
488
489
490
491
492int cap_bprm_set_creds(struct linux_binprm *bprm)
493{
494 const struct cred *old = current_cred();
495 struct cred *new = bprm->cred;
496 bool effective, has_cap = false, is_setid;
497 int ret;
498 kuid_t root_uid;
499
500 if (WARN_ON(!cap_ambient_invariant_ok(old)))
501 return -EPERM;
502
503 effective = false;
504 ret = get_file_caps(bprm, &effective, &has_cap);
505 if (ret < 0)
506 return ret;
507
508 root_uid = make_kuid(new->user_ns, 0);
509
510 if (!issecure(SECURE_NOROOT)) {
511
512
513
514
515
516 if (has_cap && !uid_eq(new->uid, root_uid) && uid_eq(new->euid, root_uid)) {
517 warn_setuid_and_fcaps_mixed(bprm->filename);
518 goto skip;
519 }
520
521
522
523
524
525
526
527 if (uid_eq(new->euid, root_uid) || uid_eq(new->uid, root_uid)) {
528
529 new->cap_permitted = cap_combine(old->cap_bset,
530 old->cap_inheritable);
531 }
532 if (uid_eq(new->euid, root_uid))
533 effective = true;
534 }
535skip:
536
537
538 if (!cap_issubset(new->cap_permitted, old->cap_permitted))
539 bprm->per_clear |= PER_CLEAR_ON_SETID;
540
541
542
543
544
545
546
547 is_setid = !uid_eq(new->euid, old->uid) || !gid_eq(new->egid, old->gid);
548
549 if ((is_setid ||
550 !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
551 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
552
553 if (!capable(CAP_SETUID) ||
554 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
555 new->euid = new->uid;
556 new->egid = new->gid;
557 }
558 new->cap_permitted = cap_intersect(new->cap_permitted,
559 old->cap_permitted);
560 }
561
562 new->suid = new->fsuid = new->euid;
563 new->sgid = new->fsgid = new->egid;
564
565
566 if (has_cap || is_setid)
567 cap_clear(new->cap_ambient);
568
569
570
571
572
573 new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient);
574
575
576
577
578
579 if (effective)
580 new->cap_effective = new->cap_permitted;
581 else
582 new->cap_effective = new->cap_ambient;
583
584 if (WARN_ON(!cap_ambient_invariant_ok(new)))
585 return -EPERM;
586
587 bprm->cap_effective = effective;
588
589
590
591
592
593
594
595
596
597
598
599
600
601 if (!cap_issubset(new->cap_effective, new->cap_ambient)) {
602 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
603 !uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid) ||
604 issecure(SECURE_NOROOT)) {
605 ret = audit_log_bprm_fcaps(bprm, new, old);
606 if (ret < 0)
607 return ret;
608 }
609 }
610
611 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
612
613 if (WARN_ON(!cap_ambient_invariant_ok(new)))
614 return -EPERM;
615
616 return 0;
617}
618
619
620
621
622
623
624
625
626
627
628
629int cap_bprm_secureexec(struct linux_binprm *bprm)
630{
631 const struct cred *cred = current_cred();
632 kuid_t root_uid = make_kuid(cred->user_ns, 0);
633
634 if (!uid_eq(cred->uid, root_uid)) {
635 if (bprm->cap_effective)
636 return 1;
637 if (!cap_issubset(cred->cap_permitted, cred->cap_ambient))
638 return 1;
639 }
640
641 return (!uid_eq(cred->euid, cred->uid) ||
642 !gid_eq(cred->egid, cred->gid));
643}
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659int cap_inode_setxattr(struct dentry *dentry, const char *name,
660 const void *value, size_t size, int flags)
661{
662 if (!strcmp(name, XATTR_NAME_CAPS)) {
663 if (!capable(CAP_SETFCAP))
664 return -EPERM;
665 return 0;
666 }
667
668 if (!strncmp(name, XATTR_SECURITY_PREFIX,
669 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
670 !capable(CAP_SYS_ADMIN))
671 return -EPERM;
672 return 0;
673}
674
675
676
677
678
679
680
681
682
683
684
685
686int cap_inode_removexattr(struct dentry *dentry, const char *name)
687{
688 if (!strcmp(name, XATTR_NAME_CAPS)) {
689 if (!capable(CAP_SETFCAP))
690 return -EPERM;
691 return 0;
692 }
693
694 if (!strncmp(name, XATTR_SECURITY_PREFIX,
695 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
696 !capable(CAP_SYS_ADMIN))
697 return -EPERM;
698 return 0;
699}
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
731{
732 kuid_t root_uid = make_kuid(old->user_ns, 0);
733
734 if ((uid_eq(old->uid, root_uid) ||
735 uid_eq(old->euid, root_uid) ||
736 uid_eq(old->suid, root_uid)) &&
737 (!uid_eq(new->uid, root_uid) &&
738 !uid_eq(new->euid, root_uid) &&
739 !uid_eq(new->suid, root_uid))) {
740 if (!issecure(SECURE_KEEP_CAPS)) {
741 cap_clear(new->cap_permitted);
742 cap_clear(new->cap_effective);
743 }
744
745
746
747
748
749
750 cap_clear(new->cap_ambient);
751 }
752 if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid))
753 cap_clear(new->cap_effective);
754 if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid))
755 new->cap_effective = new->cap_permitted;
756}
757
758
759
760
761
762
763
764
765
766
767int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
768{
769 switch (flags) {
770 case LSM_SETID_RE:
771 case LSM_SETID_ID:
772 case LSM_SETID_RES:
773
774
775 if (!issecure(SECURE_NO_SETUID_FIXUP))
776 cap_emulate_setxuid(new, old);
777 break;
778
779 case LSM_SETID_FS:
780
781
782
783
784
785
786 if (!issecure(SECURE_NO_SETUID_FIXUP)) {
787 kuid_t root_uid = make_kuid(old->user_ns, 0);
788 if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid))
789 new->cap_effective =
790 cap_drop_fs_set(new->cap_effective);
791
792 if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid))
793 new->cap_effective =
794 cap_raise_fs_set(new->cap_effective,
795 new->cap_permitted);
796 }
797 break;
798
799 default:
800 return -EINVAL;
801 }
802
803 return 0;
804}
805
806
807
808
809
810
811
812
813
814
815
816static int cap_safe_nice(struct task_struct *p)
817{
818 int is_subset, ret = 0;
819
820 rcu_read_lock();
821 is_subset = cap_issubset(__task_cred(p)->cap_permitted,
822 current_cred()->cap_permitted);
823 if (!is_subset && !ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE))
824 ret = -EPERM;
825 rcu_read_unlock();
826
827 return ret;
828}
829
830
831
832
833
834
835
836
837int cap_task_setscheduler(struct task_struct *p)
838{
839 return cap_safe_nice(p);
840}
841
842
843
844
845
846
847
848
849
850int cap_task_setioprio(struct task_struct *p, int ioprio)
851{
852 return cap_safe_nice(p);
853}
854
855
856
857
858
859
860
861
862
863int cap_task_setnice(struct task_struct *p, int nice)
864{
865 return cap_safe_nice(p);
866}
867
868
869
870
871
872static int cap_prctl_drop(unsigned long cap)
873{
874 struct cred *new;
875
876 if (!ns_capable(current_user_ns(), CAP_SETPCAP))
877 return -EPERM;
878 if (!cap_valid(cap))
879 return -EINVAL;
880
881 new = prepare_creds();
882 if (!new)
883 return -ENOMEM;
884 cap_lower(new->cap_bset, cap);
885 return commit_creds(new);
886}
887
888
889
890
891
892
893
894
895
896
897
898
899
900int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
901 unsigned long arg4, unsigned long arg5)
902{
903 const struct cred *old = current_cred();
904 struct cred *new;
905
906 switch (option) {
907 case PR_CAPBSET_READ:
908 if (!cap_valid(arg2))
909 return -EINVAL;
910 return !!cap_raised(old->cap_bset, arg2);
911
912 case PR_CAPBSET_DROP:
913 return cap_prctl_drop(arg2);
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934 case PR_SET_SECUREBITS:
935 if ((((old->securebits & SECURE_ALL_LOCKS) >> 1)
936 & (old->securebits ^ arg2))
937 || ((old->securebits & SECURE_ALL_LOCKS & ~arg2))
938 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS))
939 || (cap_capable(current_cred(),
940 current_cred()->user_ns, CAP_SETPCAP,
941 SECURITY_CAP_AUDIT) != 0)
942
943
944
945
946
947
948
949 )
950
951 return -EPERM;
952
953 new = prepare_creds();
954 if (!new)
955 return -ENOMEM;
956 new->securebits = arg2;
957 return commit_creds(new);
958
959 case PR_GET_SECUREBITS:
960 return old->securebits;
961
962 case PR_GET_KEEPCAPS:
963 return !!issecure(SECURE_KEEP_CAPS);
964
965 case PR_SET_KEEPCAPS:
966 if (arg2 > 1)
967 return -EINVAL;
968 if (issecure(SECURE_KEEP_CAPS_LOCKED))
969 return -EPERM;
970
971 new = prepare_creds();
972 if (!new)
973 return -ENOMEM;
974 if (arg2)
975 new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
976 else
977 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
978 return commit_creds(new);
979
980 case PR_CAP_AMBIENT:
981 if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) {
982 if (arg3 | arg4 | arg5)
983 return -EINVAL;
984
985 new = prepare_creds();
986 if (!new)
987 return -ENOMEM;
988 cap_clear(new->cap_ambient);
989 return commit_creds(new);
990 }
991
992 if (((!cap_valid(arg3)) | arg4 | arg5))
993 return -EINVAL;
994
995 if (arg2 == PR_CAP_AMBIENT_IS_SET) {
996 return !!cap_raised(current_cred()->cap_ambient, arg3);
997 } else if (arg2 != PR_CAP_AMBIENT_RAISE &&
998 arg2 != PR_CAP_AMBIENT_LOWER) {
999 return -EINVAL;
1000 } else {
1001 if (arg2 == PR_CAP_AMBIENT_RAISE &&
1002 (!cap_raised(current_cred()->cap_permitted, arg3) ||
1003 !cap_raised(current_cred()->cap_inheritable,
1004 arg3) ||
1005 issecure(SECURE_NO_CAP_AMBIENT_RAISE)))
1006 return -EPERM;
1007
1008 new = prepare_creds();
1009 if (!new)
1010 return -ENOMEM;
1011 if (arg2 == PR_CAP_AMBIENT_RAISE)
1012 cap_raise(new->cap_ambient, arg3);
1013 else
1014 cap_lower(new->cap_ambient, arg3);
1015 return commit_creds(new);
1016 }
1017
1018 default:
1019
1020 return -ENOSYS;
1021 }
1022}
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032int cap_vm_enough_memory(struct mm_struct *mm, long pages)
1033{
1034 int cap_sys_admin = 0;
1035
1036 if (cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1037 SECURITY_CAP_NOAUDIT) == 0)
1038 cap_sys_admin = 1;
1039 return cap_sys_admin;
1040}
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051int cap_mmap_addr(unsigned long addr)
1052{
1053 int ret = 0;
1054
1055 if (addr < dac_mmap_min_addr) {
1056 ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
1057 SECURITY_CAP_AUDIT);
1058
1059 if (ret == 0)
1060 current->flags |= PF_SUPERPRIV;
1061 }
1062 return ret;
1063}
1064
1065int cap_mmap_file(struct file *file, unsigned long reqprot,
1066 unsigned long prot, unsigned long flags)
1067{
1068 return 0;
1069}
1070
1071#ifdef CONFIG_SECURITY
1072
1073struct security_hook_list capability_hooks[] = {
1074 LSM_HOOK_INIT(capable, cap_capable),
1075 LSM_HOOK_INIT(settime, cap_settime),
1076 LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check),
1077 LSM_HOOK_INIT(ptrace_traceme, cap_ptrace_traceme),
1078 LSM_HOOK_INIT(capget, cap_capget),
1079 LSM_HOOK_INIT(capset, cap_capset),
1080 LSM_HOOK_INIT(bprm_set_creds, cap_bprm_set_creds),
1081 LSM_HOOK_INIT(bprm_secureexec, cap_bprm_secureexec),
1082 LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv),
1083 LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv),
1084 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr),
1085 LSM_HOOK_INIT(mmap_file, cap_mmap_file),
1086 LSM_HOOK_INIT(task_fix_setuid, cap_task_fix_setuid),
1087 LSM_HOOK_INIT(task_prctl, cap_task_prctl),
1088 LSM_HOOK_INIT(task_setscheduler, cap_task_setscheduler),
1089 LSM_HOOK_INIT(task_setioprio, cap_task_setioprio),
1090 LSM_HOOK_INIT(task_setnice, cap_task_setnice),
1091 LSM_HOOK_INIT(vm_enough_memory, cap_vm_enough_memory),
1092};
1093
1094void __init capability_add_hooks(void)
1095{
1096 security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks));
1097}
1098
1099#endif
1100