diff options
| author | Amit Pundir <amit.pundir@linaro.org> | 2016-02-18 00:20:12 +0530 |
|---|---|---|
| committer | Amit Pundir <amit.pundir@linaro.org> | 2016-02-18 00:20:12 +0530 |
| commit | 02bbd06e489a9f56910973535152d3ec47f3fdcc (patch) | |
| tree | 93a9a4d687da4d423c92cc4a82001f3792c0b259 /security/commoncap.c | |
| parent | 34f6d2c9d12a97271d55c7b204443b2da9e6c29e (diff) | |
| parent | 3d0f8b944b0ab4ec79d8d0b93d8038971095337a (diff) | |
Merge branch 'android-4.4' of https://android.googlesource.com/kernel/common
* android-4.4: (475 commits)
android: base-cfg: Add CONFIG_IP_MULTICAST
android: recommended.cfg: enable taskstats
ANDROID: android: base-cfg: disable CONFIG_SYSVIPC
android: configs: base: enable configfs gadget functions
android: add CONFIG_DEBUG_RODATA to recommended config
android: configs: remove CONFIG_BATTERY_ANDROID=y
android: configs: base: enable IPV6
android: configs: Enable SELinux and its dependencies.
android: base-cfg: disable ALARM_DEV
android: base-cfg: turn off /dev/mem and /dev/kmem
android: base-cfg: enable ARMV8_DEPRECATED and subfeatures
android: base-cfg: enforce the needed XFRM_MODE_TUNNEL (for VPN)
android: base-cfg: disable LOGGER
android: base-cfg: enable DM_VERITY (used for secureboot)
android: configs: add systrace support to recommended configs
android: configs: update 3.10 options
android: configs: Add CONFIG_NETFILTER_XT_TARGET_IDLETIMER
android: configs: add IPV6 ROUTE INFO
android: configs: add TIMER_STATS back, helps with sysrq t.
android: configs: Add HIDRAW to recommended set
...
Diffstat (limited to 'security/commoncap.c')
| -rw-r--r-- | security/commoncap.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 1832cf701c3d..f035b84b3601 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -31,6 +31,10 @@ #include <linux/binfmts.h> #include <linux/personality.h> +#ifdef CONFIG_ANDROID_PARANOID_NETWORK +#include <linux/android_aid.h> +#endif + /* * If a non-root user executes a setuid-root binary in * !secure(SECURE_NOROOT) mode, then we raise capabilities. @@ -73,6 +77,13 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, { struct user_namespace *ns = targ_ns; +#ifdef CONFIG_ANDROID_PARANOID_NETWORK + if (cap == CAP_NET_RAW && in_egroup_p(AID_NET_RAW)) + return 0; + if (cap == CAP_NET_ADMIN && in_egroup_p(AID_NET_ADMIN)) + return 0; +#endif + /* See if cred has the capability in the target user namespace * by examining the target user namespace and all of the target * user namespace's parents. |