| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHC9VhRyf8Jo54gnz2Nu17eHFOEqeXd3B5_HoXbz9uLYDba=HA@mail.gmail.com>
Date: Wed, 18 Dec 2024 16:31:41 -0500
From: Paul Moore <paul@...l-moore.com>
To: linux@...blig.org
Cc: serge@...lyn.com, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] capability: Remove unused has_capability
On Sun, Dec 15, 2024 at 11:54 AM <linux@...blig.org> wrote:
>
> From: "Dr. David Alan Gilbert" <linux@...blig.org>
>
> The vanilla has_capability() function has been unused since 2018's
> commit dcb569cf6ac9 ("Smack: ptrace capability use fixes")
>
> Remove it.
>
> (There is still mention in a comment in security/commoncap.c
> but I suspect rather than removing the entry it might be better
> to expand the comment to talk about the other
> has_[ns_]capability[_noaudit] variants).
I would suggest that this patch would be an excellent place to change
that comment. Without historical knowledge, the comment will be hard
to understand after this patch is merged as inspecting
has_capability() will be much more difficult, and including the
comment change with the function removal will bind the two changes
nicely in the git log.
Otherwise, this seems fine to me.
Reviewed-by: Paul Moore <paul@...l-moore.com>
> Signed-off-by: Dr. David Alan Gilbert <linux@...blig.org>
> ---
> include/linux/capability.h | 5 -----
> kernel/capability.c | 16 ----------------
> 2 files changed, 21 deletions(-)
>
> diff --git a/include/linux/capability.h b/include/linux/capability.h
> index 0c356a517991..1fb08922552c 100644
> --- a/include/linux/capability.h
> +++ b/include/linux/capability.h
> @@ -139,7 +139,6 @@ static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
> }
>
> #ifdef CONFIG_MULTIUSER
> -extern bool has_capability(struct task_struct *t, int cap);
> extern bool has_ns_capability(struct task_struct *t,
> struct user_namespace *ns, int cap);
> extern bool has_capability_noaudit(struct task_struct *t, int cap);
> @@ -150,10 +149,6 @@ extern bool ns_capable(struct user_namespace *ns, int cap);
> extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
> extern bool ns_capable_setid(struct user_namespace *ns, int cap);
> #else
> -static inline bool has_capability(struct task_struct *t, int cap)
> -{
> - return true;
> -}
> static inline bool has_ns_capability(struct task_struct *t,
> struct user_namespace *ns, int cap)
> {
> diff --git a/kernel/capability.c b/kernel/capability.c
> index dac4df77e376..67094b628ea9 100644
> --- a/kernel/capability.c
> +++ b/kernel/capability.c
> @@ -289,22 +289,6 @@ bool has_ns_capability(struct task_struct *t,
> return (ret == 0);
> }
>
> -/**
> - * has_capability - Does a task have a capability in init_user_ns
> - * @t: The task in question
> - * @cap: The capability to be tested for
> - *
> - * Return true if the specified task has the given superior capability
> - * currently in effect to the initial user namespace, false if not.
> - *
> - * Note that this does not set PF_SUPERPRIV on the task.
> - */
> -bool has_capability(struct task_struct *t, int cap)
> -{
> - return has_ns_capability(t, &init_user_ns, cap);
> -}
> -EXPORT_SYMBOL(has_capability);
> -
> /**
> * has_ns_capability_noaudit - Does a task have a capability (unaudited)
> * in a specific user ns.
> --
> 2.47.1
--
paul-moore.com
Powered by blists - more mailing lists