/**
 * aa_capable - test permission to use capability
 * @task: task doing capability test against (NOT NULL)
 * @profile: profile confining @task (NOT NULL)
 * @cap: capability to be tested
 * @audit: whether an audit record should be generated
 *
 * Look up capability in profile capability set.  When @audit is set the
 * result is handed to audit_caps(), which produces the final return value;
 * otherwise the lookup result is returned directly, passed through
 * complain_error() when the profile is in complain mode.
 *
 * Returns: 0 on success, or else an error code.
 */
int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap,
	       int audit)
{
	int rc = profile_capable(profile, cap);

	/* Audited path: audit_caps() decides what is logged and returned. */
	if (audit)
		return audit_caps(profile, task, cap, rc);

	/* Unaudited path: complain mode maps the result via complain_error(),
	 * otherwise the raw lookup result stands.
	 */
	return COMPLAIN_MODE(profile) ? complain_error(rc) : rc;
}
/**
 * profile_capable - test if profile allows use of capability @cap
 * @profile: profile being enforced (NOT NULL, NOT unconfined)
 * @cap: capability to test if allowed
 * @sa: audit data (MAY BE NULL indicating no auditing)
 *
 * A capability is permitted only when it is raised in the profile's allow
 * set and not raised in its denied set.  With audit data present the result
 * is routed through audit_caps(); without it, complain mode maps the result
 * via complain_error().
 *
 * Returns: 0 if allowed else -EPERM
 */
static int profile_capable(struct aa_profile *profile, int cap,
			   struct common_audit_data *sa)
{
	int rc = -EPERM;

	if (cap_raised(profile->caps.allow, cap) &&
	    !cap_raised(profile->caps.denied, cap))
		rc = 0;

	/* Audited path: audit_caps() produces the final return value. */
	if (sa)
		return audit_caps(sa, profile, cap, rc);

	/* No audit data supplied. */
	if (COMPLAIN_MODE(profile))
		return complain_error(rc);
	return rc;
}
/**
 * profile_capable - test if profile allows use of capability @cap
 * @profile: profile being enforced (NOT NULL, NOT unconfined)
 * @cap: capability to test if allowed
 * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated
 * @sa: audit data (NOT NULL: it is passed to audit_caps() on every
 *      returning path and dereferenced through aad() in complain mode)
 *
 * A capability is permitted only when it is raised in the profile's allow
 * set and not raised in its denied set.  CAP_OPT_NOAUDIT suppresses the
 * audit record in enforce mode only; complain mode still records the
 * request, marked as optional.
 *
 * Returns: 0 if allowed else -EPERM
 */
static int profile_capable(struct aa_profile *profile, int cap,
			   unsigned int opts, struct common_audit_data *sa)
{
	int rc = -EPERM;

	if (cap_raised(profile->caps.allow, cap) &&
	    !cap_raised(profile->caps.denied, cap))
		rc = 0;

	/* Normal path: the caller wants the request audited. */
	if (!(opts & CAP_OPT_NOAUDIT))
		return audit_caps(sa, profile, cap, rc);

	/* Caller asked for no audit.  Enforce mode honours that; complain
	 * mode still emits the record, tagged so the log shows that
	 * auditing was optional for this request.
	 */
	if (!COMPLAIN_MODE(profile))
		return rc;

	aad(sa)->info = "optional: no audit";
	return audit_caps(sa, profile, cap, rc);
}