
Commit 9fbc2c79 authored by Richard Guy Briggs, committed by James Morris

capabilities: move audit log decision to function



Move the audit log decision logic to its own function to isolate the
complexity in one place.

Suggested-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Acked-by: Kees Cook <keescook@chromium.org>
Okay-ished-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
parent 81a6a012
+30 −20
@@ -765,6 +765,32 @@ static inline bool __is_setuid(struct cred *new, const struct cred *old)
static inline bool __is_setgid(struct cred *new, const struct cred *old)
{ return !gid_eq(new->egid, old->gid); }

/*
 * Audit candidate if current->cap_effective is set
 *
 * We do not bother to audit if 3 things are true:
 *   1) cap_effective has all caps
 *   2) we are root
 *   3) root is supposed to have all caps (SECURE_NOROOT)
 * Since this is just a normal root execing a process.
 *
 * Number 1 above might fail if you don't have a full bset, but I think
 * that is interesting information to audit.
 */
static inline bool nonroot_raised_pE(struct cred *cred, kuid_t root)
{
	bool ret = false;

	if (__cap_grew(effective, ambient, cred)) {
		if (!__cap_full(effective, cred) ||
		    !__is_eff(root, cred) || !__is_real(root, cred) ||
		    !root_privileged()) {
			ret = true;
		}
	}
	return ret;
}

/**
 * cap_bprm_set_creds - Set up the proposed credentials for execve().
 * @bprm: The execution parameters, including the proposed creds
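Review bot: The new helper nonroot_raised_pE carries the moved rationale as a plain `/* */` block, whereas the neighbouring cap_bprm_set_creds at the end of this hunk uses the file's kernel-doc `/** */` form, so the two parameters go undocumented; a short header would be `/** nonroot_raised_pE - decide whether a raised effective set on exec should be audited`, `@cred: the proposed credentials being examined`, `@root: the root uid supplied by the caller (root_uid in cap_bprm_set_creds)`, with the existing three-point rationale kept beneath it. The first line of that rationale still says `current->cap_effective`, but the function only inspects the @cred it is handed, which is worth rewording now that the check is no longer inline. The `ret` flag and the two nested ifs can collapse into the predicate the name promises, `return __cap_grew(effective, ambient, cred) && (!__cap_full(effective, cred) || !__is_eff(root, cred) || !__is_real(root, cred) || !root_privileged());`, which also makes it obvious that only reads happen. Whether `cred` can then be `const struct cred *`, as `old` is in __is_setuid, depends on what the __cap_* and __is_* macros accept, which is outside this hunk.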
@@ -841,27 +867,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
	if (WARN_ON(!cap_ambient_invariant_ok(new)))
		return -EPERM;

	/*
	 * Audit candidate if current->cap_effective is set
	 *
	 * We do not bother to audit if 3 things are true:
	 *   1) cap_effective has all caps
	 *   2) we are root
	 *   3) root is supposed to have all caps (SECURE_NOROOT)
	 * Since this is just a normal root execing a process.
	 *
	 * Number 1 above might fail if you don't have a full bset, but I think
	 * that is interesting information to audit.
	 */
	if (__cap_grew(effective, ambient, new)) {
		if (!__cap_full(effective, new) ||
		    !__is_eff(root_uid, new) || !__is_real(root_uid, new) ||
		    !root_privileged()) {
	if (nonroot_raised_pE(new, root_uid)) {
		ret = audit_log_bprm_fcaps(bprm, new, old);
		if (ret < 0)
			return ret;
	}
	}

	new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);