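Lines matching refs: new. Each row below gives the source line number, the matching line of code, and the enclosing function; a trailing "argument" or "local" marks the row where `new` is declared as a parameter or as a local variable.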
245 int cap_capset(struct cred *new, in cap_capset() argument
272 new->cap_effective = *effective; in cap_capset()
273 new->cap_inheritable = *inheritable; in cap_capset()
274 new->cap_permitted = *permitted; in cap_capset()
280 new->cap_ambient = cap_intersect(new->cap_ambient, in cap_capset()
283 if (WARN_ON(!cap_ambient_invariant_ok(new))) in cap_capset()
349 struct cred *new = bprm->cred; in bprm_caps_from_vfs_caps() local
367 new->cap_permitted.cap[i] = in bprm_caps_from_vfs_caps()
368 (new->cap_bset.cap[i] & permitted) | in bprm_caps_from_vfs_caps()
369 (new->cap_inheritable.cap[i] & inheritable); in bprm_caps_from_vfs_caps()
371 if (permitted & ~new->cap_permitted.cap[i]) in bprm_caps_from_vfs_caps()
492 struct cred *new = bprm->cred; in cap_bprm_set_creds() local
505 root_uid = make_kuid(new->user_ns, 0); in cap_bprm_set_creds()
513 if (has_cap && !uid_eq(new->uid, root_uid) && uid_eq(new->euid, root_uid)) { in cap_bprm_set_creds()
524 if (uid_eq(new->euid, root_uid) || uid_eq(new->uid, root_uid)) { in cap_bprm_set_creds()
526 new->cap_permitted = cap_combine(old->cap_bset, in cap_bprm_set_creds()
529 if (uid_eq(new->euid, root_uid)) in cap_bprm_set_creds()
535 if (!cap_issubset(new->cap_permitted, old->cap_permitted)) in cap_bprm_set_creds()
544 is_setid = !uid_eq(new->euid, old->uid) || !gid_eq(new->egid, old->gid); in cap_bprm_set_creds()
547 !cap_issubset(new->cap_permitted, old->cap_permitted)) && in cap_bprm_set_creds()
552 new->euid = new->uid; in cap_bprm_set_creds()
553 new->egid = new->gid; in cap_bprm_set_creds()
555 new->cap_permitted = cap_intersect(new->cap_permitted, in cap_bprm_set_creds()
559 new->suid = new->fsuid = new->euid; in cap_bprm_set_creds()
560 new->sgid = new->fsgid = new->egid; in cap_bprm_set_creds()
564 cap_clear(new->cap_ambient); in cap_bprm_set_creds()
570 new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient); in cap_bprm_set_creds()
577 new->cap_effective = new->cap_permitted; in cap_bprm_set_creds()
579 new->cap_effective = new->cap_ambient; in cap_bprm_set_creds()
581 if (WARN_ON(!cap_ambient_invariant_ok(new))) in cap_bprm_set_creds()
598 if (!cap_issubset(new->cap_effective, new->cap_ambient)) { in cap_bprm_set_creds()
599 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) || in cap_bprm_set_creds()
600 !uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid) || in cap_bprm_set_creds()
602 ret = audit_log_bprm_fcaps(bprm, new, old); in cap_bprm_set_creds()
608 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); in cap_bprm_set_creds()
610 if (WARN_ON(!cap_ambient_invariant_ok(new))) in cap_bprm_set_creds()
727 static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old) in cap_emulate_setxuid() argument
734 (!uid_eq(new->uid, root_uid) && in cap_emulate_setxuid()
735 !uid_eq(new->euid, root_uid) && in cap_emulate_setxuid()
736 !uid_eq(new->suid, root_uid))) { in cap_emulate_setxuid()
738 cap_clear(new->cap_permitted); in cap_emulate_setxuid()
739 cap_clear(new->cap_effective); in cap_emulate_setxuid()
747 cap_clear(new->cap_ambient); in cap_emulate_setxuid()
749 if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid)) in cap_emulate_setxuid()
750 cap_clear(new->cap_effective); in cap_emulate_setxuid()
751 if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid)) in cap_emulate_setxuid()
752 new->cap_effective = new->cap_permitted; in cap_emulate_setxuid()
764 int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags) in cap_task_fix_setuid() argument
773 cap_emulate_setxuid(new, old); in cap_task_fix_setuid()
785 if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid)) in cap_task_fix_setuid()
786 new->cap_effective = in cap_task_fix_setuid()
787 cap_drop_fs_set(new->cap_effective); in cap_task_fix_setuid()
789 if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid)) in cap_task_fix_setuid()
790 new->cap_effective = in cap_task_fix_setuid()
791 cap_raise_fs_set(new->cap_effective, in cap_task_fix_setuid()
792 new->cap_permitted); in cap_task_fix_setuid()
871 struct cred *new; in cap_prctl_drop() local
878 new = prepare_creds(); in cap_prctl_drop()
879 if (!new) in cap_prctl_drop()
881 cap_lower(new->cap_bset, cap); in cap_prctl_drop()
882 return commit_creds(new); in cap_prctl_drop()
901 struct cred *new; in cap_task_prctl() local
950 new = prepare_creds(); in cap_task_prctl()
951 if (!new) in cap_task_prctl()
953 new->securebits = arg2; in cap_task_prctl()
954 return commit_creds(new); in cap_task_prctl()
968 new = prepare_creds(); in cap_task_prctl()
969 if (!new) in cap_task_prctl()
972 new->securebits |= issecure_mask(SECURE_KEEP_CAPS); in cap_task_prctl()
974 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); in cap_task_prctl()
975 return commit_creds(new); in cap_task_prctl()
982 new = prepare_creds(); in cap_task_prctl()
983 if (!new) in cap_task_prctl()
985 cap_clear(new->cap_ambient); in cap_task_prctl()
986 return commit_creds(new); in cap_task_prctl()
1005 new = prepare_creds(); in cap_task_prctl()
1006 if (!new) in cap_task_prctl()
1009 cap_raise(new->cap_ambient, arg3); in cap_task_prctl()
1011 cap_lower(new->cap_ambient, arg3); in cap_task_prctl()
1012 return commit_creds(new); in cap_task_prctl()