diff options
author | Andrey Konovalov <andrey.konovalov@linaro.org> | 2012-02-17 22:00:57 +0400 |
---|---|---|
committer | Andrey Konovalov <andrey.konovalov@linaro.org> | 2012-02-17 22:00:57 +0400 |
commit | 8393ea14076dbda27010fcabcff5e2d40f0bfb1f (patch) | |
tree | a980405258207f6a0d0edfc78ae07fb652bf54e1 /security/commoncap.c | |
parent | 49561d58a14351d136518f25bd686f9a6ca41b69 (diff) | |
parent | 1a20977eb1ba05d3e1a20f1e81a830a876fdb054 (diff) |
Merge branch 'linaro-android-3.3-agreen-rebase' into linaro-android
Diffstat (limited to 'security/commoncap.c')
-rw-r--r-- | security/commoncap.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 7ce191ea29a..8013b08adc9 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -29,6 +29,8 @@ #include <linux/securebits.h> #include <linux/user_namespace.h> +#include <linux/android_aid.h> + /* * If a non-root user executes a setuid-root binary in * !secure(SECURE_NOROOT) mode, then we raise capabilities. @@ -74,6 +76,11 @@ int cap_netlink_send(struct sock *sk, struct sk_buff *skb) int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, int cap, int audit) { + if (cap == CAP_NET_RAW && in_egroup_p(AID_NET_RAW)) + return 0; + if (cap == CAP_NET_ADMIN && in_egroup_p(AID_NET_ADMIN)) + return 0; + for (;;) { /* The creator of the user namespace has all caps. */ if (targ_ns != &init_user_ns && targ_ns->creator == cred->user) |