summaryrefslogtreecommitdiff
path: root/security/commoncap.c
diff options
context:
space:
mode:
authorRichard Guy Briggs <rgb@redhat.com>2017-10-11 20:57:11 -0400
committerJames Morris <james.l.morris@oracle.com>2017-10-20 15:22:45 +1100
commit02ebbaf48cf211498a9bd2c6b65e7d1b0a901807 (patch)
tree221b71178b5a3ccea7364ec5907e2a626a020fe0 /security/commoncap.c
parent9fbc2c79644a88a1cc40a2628ccff1bbbbc9ecc5 (diff)
downloadlwn-02ebbaf48cf211498a9bd2c6b65e7d1b0a901807.tar.gz
lwn-02ebbaf48cf211498a9bd2c6b65e7d1b0a901807.zip
capabilities: remove a layer of conditional logic
Remove a layer of conditional logic to make the use of conditions easier to read and analyse. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Reviewed-by: Serge Hallyn <serge@hallyn.com> Acked-by: James Morris <james.l.morris@oracle.com> Acked-by: Kees Cook <keescook@chromium.org> Okay-ished-by: Paul Moore <paul@paul-moore.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'security/commoncap.c')
-rw-r--r--security/commoncap.c23
1 files changed, 10 insertions, 13 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index d7f0cbdf04c4..eac70e2b400b 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -781,13 +781,12 @@ static inline bool nonroot_raised_pE(struct cred *cred, kuid_t root)
{
bool ret = false;
- if (__cap_grew(effective, ambient, cred)) {
- if (!__cap_full(effective, cred) ||
- !__is_eff(root, cred) || !__is_real(root, cred) ||
- !root_privileged()) {
- ret = true;
- }
- }
+ if (__cap_grew(effective, ambient, cred) &&
+ (!__cap_full(effective, cred) ||
+ !__is_eff(root, cred) ||
+ !__is_real(root, cred) ||
+ !root_privileged()))
+ ret = true;
return ret;
}
@@ -880,13 +879,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
/* Check for privilege-elevated exec. */
bprm->cap_elevated = 0;
- if (is_setid) {
+ if (is_setid ||
+ (!__is_real(root_uid, new) &&
+ (effective ||
+ __cap_grew(permitted, ambient, new))))
bprm->cap_elevated = 1;
- } else if (!__is_real(root_uid, new)) {
- if (effective ||
- __cap_grew(permitted, ambient, new))
- bprm->cap_elevated = 1;
- }
return 0;
}