Lines Matching full:new
233 * @new: The proposed new credentials; alterations should be made here
235 * @effective: A pointer to the proposed new effective capabilities set
236 * @inheritable: A pointer to the proposed new inheritable capabilities set
237 * @permitted: A pointer to the proposed new permitted capabilities set
240 * process's capability sets. The changes are made to the proposed new
243 int cap_capset(struct cred *new, in cap_capset() argument
259 /* no new pI capabilities outside bounding set */ in cap_capset()
262 /* verify restrictions on target's new Permitted set */ in cap_capset()
270 new->cap_effective = *effective; in cap_capset()
271 new->cap_inheritable = *inheritable; in cap_capset()
272 new->cap_permitted = *permitted; in cap_capset()
278 new->cap_ambient = cap_intersect(new->cap_ambient, in cap_capset()
281 if (WARN_ON(!cap_ambient_invariant_ok(new))) in cap_capset()
528 * Return: On success, return the new size; on error, return < 0.
584 * Calculate the new process capability sets from the capability sets attached
592 struct cred *new = bprm->cred; in bprm_caps_from_vfs_caps() local
605 new->cap_permitted.val = in bprm_caps_from_vfs_caps()
606 (new->cap_bset.val & caps->permitted.val) | in bprm_caps_from_vfs_caps()
607 (new->cap_inheritable.val & caps->inheritable.val); in bprm_caps_from_vfs_caps()
609 if (caps->permitted.val & ~new->cap_permitted.val) in bprm_caps_from_vfs_caps()
793 struct cred *new = bprm->cred; in handle_privileged_root() local
802 if (has_fcap && __is_suid(root_uid, new)) { in handle_privileged_root()
811 if (__is_eff(root_uid, new) || __is_real(root_uid, new)) { in handle_privileged_root()
813 new->cap_permitted = cap_combine(old->cap_bset, in handle_privileged_root()
819 if (__is_eff(root_uid, new)) in handle_privileged_root()
830 static inline bool __is_setuid(struct cred *new, const struct cred *old) in __is_setuid() argument
831 { return !uid_eq(new->euid, old->uid); } in __is_setuid()
833 static inline bool __is_setgid(struct cred *new, const struct cred *old) in __is_setgid() argument
834 { return !gid_eq(new->egid, old->gid); } in __is_setgid()
853 static inline bool nonroot_raised_pE(struct cred *new, const struct cred *old, in nonroot_raised_pE() argument
858 if ((__cap_grew(effective, ambient, new) && in nonroot_raised_pE()
859 !(__cap_full(effective, new) && in nonroot_raised_pE()
860 (__is_eff(root, new) || __is_real(root, new)) && in nonroot_raised_pE()
863 __is_suid(root, new) && in nonroot_raised_pE()
864 !__cap_full(effective, new)) || in nonroot_raised_pE()
865 (!__is_setuid(new, old) && in nonroot_raised_pE()
867 __cap_gained(permitted, new, old)) || in nonroot_raised_pE()
868 __cap_gained(ambient, new, old)))) in nonroot_raised_pE()
880 * Set up the proposed credentials for a new execution context being
890 struct cred *new = bprm->cred; in cap_bprm_creds_from_file() local
902 root_uid = make_kuid(new->user_ns, 0); in cap_bprm_creds_from_file()
907 if (__cap_gained(permitted, new, old)) in cap_bprm_creds_from_file()
913 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs. in cap_bprm_creds_from_file()
915 is_setid = __is_setuid(new, old) || __is_setgid(new, old); in cap_bprm_creds_from_file()
917 if ((is_setid || __cap_gained(permitted, new, old)) && in cap_bprm_creds_from_file()
919 !ptracer_capable(current, new->user_ns))) { in cap_bprm_creds_from_file()
921 if (!ns_capable(new->user_ns, CAP_SETUID) || in cap_bprm_creds_from_file()
923 new->euid = new->uid; in cap_bprm_creds_from_file()
924 new->egid = new->gid; in cap_bprm_creds_from_file()
926 new->cap_permitted = cap_intersect(new->cap_permitted, in cap_bprm_creds_from_file()
930 new->suid = new->fsuid = new->euid; in cap_bprm_creds_from_file()
931 new->sgid = new->fsgid = new->egid; in cap_bprm_creds_from_file()
935 cap_clear(new->cap_ambient); in cap_bprm_creds_from_file()
941 new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient); in cap_bprm_creds_from_file()
948 new->cap_effective = new->cap_permitted; in cap_bprm_creds_from_file()
950 new->cap_effective = new->cap_ambient; in cap_bprm_creds_from_file()
952 if (WARN_ON(!cap_ambient_invariant_ok(new))) in cap_bprm_creds_from_file()
955 if (nonroot_raised_pE(new, old, root_uid, has_fcap)) { in cap_bprm_creds_from_file()
956 ret = audit_log_bprm_fcaps(bprm, new, old); in cap_bprm_creds_from_file()
961 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); in cap_bprm_creds_from_file()
963 if (WARN_ON(!cap_ambient_invariant_ok(new))) in cap_bprm_creds_from_file()
968 (!__is_real(root_uid, new) && in cap_bprm_creds_from_file()
970 __cap_grew(permitted, ambient, new)))) in cap_bprm_creds_from_file()
1075 * cevans - New behaviour, Oct '99
1085 static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old) in cap_emulate_setxuid() argument
1092 (!uid_eq(new->uid, root_uid) && in cap_emulate_setxuid()
1093 !uid_eq(new->euid, root_uid) && in cap_emulate_setxuid()
1094 !uid_eq(new->suid, root_uid))) { in cap_emulate_setxuid()
1096 cap_clear(new->cap_permitted); in cap_emulate_setxuid()
1097 cap_clear(new->cap_effective); in cap_emulate_setxuid()
1105 cap_clear(new->cap_ambient); in cap_emulate_setxuid()
1107 if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid)) in cap_emulate_setxuid()
1108 cap_clear(new->cap_effective); in cap_emulate_setxuid()
1109 if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid)) in cap_emulate_setxuid()
1110 new->cap_effective = new->cap_permitted; in cap_emulate_setxuid()
1115 * @new: The proposed credentials
1124 int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags) in cap_task_fix_setuid() argument
1133 cap_emulate_setxuid(new, old); in cap_task_fix_setuid()
1145 if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid)) in cap_task_fix_setuid()
1146 new->cap_effective = in cap_task_fix_setuid()
1147 cap_drop_fs_set(new->cap_effective); in cap_task_fix_setuid()
1149 if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid)) in cap_task_fix_setuid()
1150 new->cap_effective = in cap_task_fix_setuid()
1151 cap_raise_fs_set(new->cap_effective, in cap_task_fix_setuid()
1152 new->cap_permitted); in cap_task_fix_setuid()
1237 struct cred *new; in cap_prctl_drop() local
1244 new = prepare_creds(); in cap_prctl_drop()
1245 if (!new) in cap_prctl_drop()
1247 cap_lower(new->cap_bset, cap); in cap_prctl_drop()
1248 return commit_creds(new); in cap_prctl_drop()
1270 struct cred *new; in cap_task_prctl() local
1320 new = prepare_creds(); in cap_task_prctl()
1321 if (!new) in cap_task_prctl()
1323 new->securebits = arg2; in cap_task_prctl()
1324 return commit_creds(new); in cap_task_prctl()
1338 new = prepare_creds(); in cap_task_prctl()
1339 if (!new) in cap_task_prctl()
1342 new->securebits |= issecure_mask(SECURE_KEEP_CAPS); in cap_task_prctl()
1344 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); in cap_task_prctl()
1345 return commit_creds(new); in cap_task_prctl()
1352 new = prepare_creds(); in cap_task_prctl()
1353 if (!new) in cap_task_prctl()
1355 cap_clear(new->cap_ambient); in cap_task_prctl()
1356 return commit_creds(new); in cap_task_prctl()
1375 new = prepare_creds(); in cap_task_prctl()
1376 if (!new) in cap_task_prctl()
1379 cap_raise(new->cap_ambient, arg3); in cap_task_prctl()
1381 cap_lower(new->cap_ambient, arg3); in cap_task_prctl()
1382 return commit_creds(new); in cap_task_prctl()
1392 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
1393 * @mm: The VM space in which the new mapping is to be made
1396 * Determine whether the allocation of a new virtual mapping by the current