summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/capability.c1
-rw-r--r--security/commoncap.c16
-rw-r--r--security/dummy.c8
3 files changed, 20 insertions, 5 deletions
diff --git a/security/capability.c b/security/capability.c
index 532023c652ca..ec18d6075625 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -30,6 +30,7 @@ static struct security_operations capability_ops = {
.capset_check = cap_capset_check,
.capset_set = cap_capset_set,
.capable = cap_capable,
+ .settime = cap_settime,
.netlink_send = cap_netlink_send,
.netlink_recv = cap_netlink_recv,
diff --git a/security/commoncap.c b/security/commoncap.c
index ed0d6136f6fc..6890914525dc 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -27,20 +27,25 @@
int cap_capable (struct task_struct *tsk, int cap)
{
/* Derived from include/linux/sched.h:capable. */
- if (cap_raised (tsk->cap_effective, cap))
+ if (cap_raised(tsk->cap_effective, cap))
return 0;
- else
+ return -EPERM;
+}
+
+int cap_settime(struct timespec *ts, struct timezone *tz)
+{
+ if (!capable(CAP_SYS_TIME))
return -EPERM;
+ return 0;
}
int cap_ptrace (struct task_struct *parent, struct task_struct *child)
{
/* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
if (!cap_issubset (child->cap_permitted, current->cap_permitted) &&
- !capable (CAP_SYS_PTRACE))
+ !capable(CAP_SYS_PTRACE))
return -EPERM;
- else
- return 0;
+ return 0;
}
int cap_capget (struct task_struct *target, kernel_cap_t *effective,
@@ -373,6 +378,7 @@ int cap_vm_enough_memory(long pages)
}
EXPORT_SYMBOL(cap_capable);
+EXPORT_SYMBOL(cap_settime);
EXPORT_SYMBOL(cap_ptrace);
EXPORT_SYMBOL(cap_capget);
EXPORT_SYMBOL(cap_capset_check);
diff --git a/security/dummy.c b/security/dummy.c
index 0ce9f22d6c8c..c20c28ac1f00 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -104,6 +104,13 @@ static int dummy_syslog (int type)
return 0;
}
+static int dummy_settime(struct timespec *ts, struct timezone *tz)
+{
+ if (!capable(CAP_SYS_TIME))
+ return -EPERM;
+ return 0;
+}
+
/*
* Check that a process has enough memory to allocate a new virtual
* mapping. 0 means there is enough memory for the allocation to
@@ -897,6 +904,7 @@ void security_fixup_ops (struct security_operations *ops)
set_to_dummy_if_null(ops, quota_on);
set_to_dummy_if_null(ops, sysctl);
set_to_dummy_if_null(ops, syslog);
+ set_to_dummy_if_null(ops, settime);
set_to_dummy_if_null(ops, vm_enough_memory);
set_to_dummy_if_null(ops, bprm_alloc_security);
set_to_dummy_if_null(ops, bprm_free_security);
generated by cgit v1.2.3 (git 2.46.0) at 2026-01-27 10:36:03 +0000