linux-security-module July 2008 archive
Main Archive Page > Month Archives  > linux-security-module archives
linux-security-module: [PATCH 07/27] CRED: Constify the kernel_c

[PATCH 07/27] CRED: Constify the kernel_cap_t arguments to the capset LSM hooks [ver #6]

From: David Howells <dhowells_at_nospam>
Date: Fri Jul 11 2008 - 11:05:50 GMT
To: viro@ftp.linux.org.uk, hch@infradead.org, sds@tycho.nsa.gov, casey@schaufler-ca.com, morgan@kernel.org, jmorris@namei.org


Constify the kernel_cap_t arguments to the capset LSM hooks.

Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Acked-by: James Morris <jmorris@namei.org> --- include/linux/security.h | 46 ++++++++++++++++++++++++++-------------------- security/commoncap.c | 12 ++++++++---- security/dummy.c | 12 ++++++------ security/security.c | 15 ++++++++------- security/selinux/hooks.c | 12 ++++++++---- 5 files changed, 56 insertions(+), 41 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 962c8dc..b06830c 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -49,8 +49,14 @@ extern int cap_settime(struct timespec *ts, struct timezone *tz);
extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode); extern int cap_ptrace_traceme(struct task_struct *parent); extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); -extern int cap_capset_check(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); -extern void cap_capset_set(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); +extern int cap_capset_check(struct task_struct *target, + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted); +extern void cap_capset_set(struct task_struct *target, + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted); extern int cap_bprm_set_security(struct linux_binprm *bprm); extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe); extern int cap_bprm_secureexec(struct linux_binprm *bprm);
@@ -1299,13 +1305,13 @@ struct security_operations {
kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); int (*capset_check) (struct task_struct *target, - kernel_cap_t *effective, - kernel_cap_t *inheritable, - kernel_cap_t *permitted); + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted); void (*capset_set) (struct task_struct *target, - kernel_cap_t *effective, - kernel_cap_t *inheritable, - kernel_cap_t *permitted); + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted); int (*capable) (struct task_struct *tsk, int cap); int (*acct) (struct file *file); int (*sysctl) (struct ctl_table *table, int op);
@@ -1578,13 +1584,13 @@ int security_capget(struct task_struct *target,
kernel_cap_t *inheritable, kernel_cap_t *permitted); int security_capset_check(struct task_struct *target, - kernel_cap_t *effective, - kernel_cap_t *inheritable, - kernel_cap_t *permitted); + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted); void security_capset_set(struct task_struct *target, - kernel_cap_t *effective, - kernel_cap_t *inheritable, - kernel_cap_t *permitted); + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted); int security_capable(struct task_struct *tsk, int cap); int security_acct(struct file *file); int security_sysctl(struct ctl_table *table, int op);
@@ -1773,17 +1779,17 @@ static inline int security_capget(struct task_struct *target,
} static inline int security_capset_check(struct task_struct *target, - kernel_cap_t *effective, - kernel_cap_t *inheritable, - kernel_cap_t *permitted) + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted) { return cap_capset_check(target, effective, inheritable, permitted); } static inline void security_capset_set(struct task_struct *target, - kernel_cap_t *effective, - kernel_cap_t *inheritable, - kernel_cap_t *permitted) + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted) { cap_capset_set(target, effective, inheritable, permitted); } diff --git a/security/commoncap.c b/security/commoncap.c index e9ca98c..9dcee2f 100644 --- a/security/commoncap.c +++ b/security/commoncap.c
@@ -117,8 +117,10 @@ static inline int cap_limit_ptraced_target(void)
#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ -int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) +int cap_capset_check(struct task_struct *target, + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted) { if (cap_inh_is_capped() && !cap_issubset(*inheritable,
@@ -149,8 +151,10 @@ int cap_capset_check (struct task_struct *target, kernel_cap_t *effective,
return 0; } -void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) +void cap_capset_set(struct task_struct *target, + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted) { target->cap_effective = *effective; target->cap_inheritable = *inheritable; diff --git a/security/dummy.c b/security/dummy.c index 7230648..7fbef6a 100644 --- a/security/dummy.c +++ b/security/dummy.c
@@ -61,17 +61,17 @@ static int dummy_capget (struct task_struct *target, kernel_cap_t * effective,
} static int dummy_capset_check (struct task_struct *target, - kernel_cap_t * effective, - kernel_cap_t * inheritable, - kernel_cap_t * permitted) + const kernel_cap_t * effective, + const kernel_cap_t * inheritable, + const kernel_cap_t * permitted) { return -EPERM; } static void dummy_capset_set (struct task_struct *target, - kernel_cap_t * effective, - kernel_cap_t * inheritable, - kernel_cap_t * permitted) + const kernel_cap_t * effective, + const kernel_cap_t * inheritable, + const kernel_cap_t * permitted) { return; } diff --git a/security/security.c b/security/security.c index 9391a3a..3d48604 100644 --- a/security/security.c +++ b/security/security.c
@@ -180,17 +180,18 @@ int security_capget(struct task_struct *target,
} int security_capset_check(struct task_struct *target, - kernel_cap_t *effective, - kernel_cap_t *inheritable, - kernel_cap_t *permitted) + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted) { - return security_ops->capset_check(target, effective, inheritable, permitted); + return security_ops->capset_check(target, + effective, inheritable, permitted); } void security_capset_set(struct task_struct *target, - kernel_cap_t *effective, - kernel_cap_t *inheritable, - kernel_cap_t *permitted) + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted) { security_ops->capset_set(target, effective, inheritable, permitted); } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5e1ee6e..86b7618 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -1790,8 +1790,10 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
return secondary_ops->capget(target, effective, inheritable, permitted); } -static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) +static int selinux_capset_check(struct task_struct *target, + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted) { int error;
@@ -1802,8 +1804,10 @@ static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effect
return task_has_perm(current, target, PROCESS__SETCAP); } -static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) +static void selinux_capset_set(struct task_struct *target, + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted) { secondary_ops->capset_set(target, effective, inheritable, permitted); } -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html