Merge branch 'for-linus' of...

kernel_cap_t cap_set_effective(const kernel_cap_t pE_new);

int capable(int cap);

int __capable(struct task_struct *t, int cap);

/**

 * has_capability - Determine if a task has a superior capability available

 * @t: The task in question

 * @cap: The capability to be tested for

 *

 * Return true if the specified task has the given superior capability

 * currently in effect, false if not.

 *

 * Note that this does not set PF_SUPERPRIV on the task.

 */

#define has_capability(t, cap) (security_capable((t), (cap)) == 0)

extern int capable(int cap);

#endif /* __KERNEL__ */

 */

extern int cap_capable(struct task_struct *tsk, int cap);

extern int cap_settime(struct timespec *ts, struct timezone *tz);

extern int cap_ptrace(struct task_struct *parent, struct task_struct *child,

		      unsigned int mode);

extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode);

extern int cap_ptrace_traceme(struct task_struct *parent);

extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);

extern int cap_capset_check(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);

extern void cap_capset_set(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);

 *	@alter contains the flag indicating whether changes are to be made.

 *	Return 0 if permission is granted.

 *

 * @ptrace:

 *	Check permission before allowing the @parent process to trace the

 * @ptrace_may_access:

 *	Check permission before allowing the current process to trace the

 *	@child process.

 *	Security modules may also want to perform a process tracing check

 *	during an execve in the set_security or apply_creds hooks of

 *	binprm_security_ops if the process is being traced and its security

 *	attributes would be changed by the execve.

 *	@parent contains the task_struct structure for parent process.

 *	@child contains the task_struct structure for child process.

 *	@child contains the task_struct structure for the target process.

 *	@mode contains the PTRACE_MODE flags indicating the form of access.

 *	Return 0 if permission is granted.

 * @ptrace_traceme:

 *	Check that the @parent process has sufficient permission to trace the

 *	current process before allowing the current process to present itself

 *	to the @parent process for tracing.

 *	The parent process will still have to undergo the ptrace_may_access

 *	checks before it is allowed to trace this one.

 *	@parent contains the task_struct structure for debugger process.

 *	Return 0 if permission is granted.

 * @capget:

 *	Get the @effective, @inheritable, and @permitted capability sets for

 *	the @target process.  The hook may also perform permission checking to

struct security_operations {

	char name[SECURITY_NAME_MAX + 1];

	int (*ptrace) (struct task_struct *parent, struct task_struct *child,

		       unsigned int mode);

	int (*ptrace_may_access) (struct task_struct *child, unsigned int mode);

	int (*ptrace_traceme) (struct task_struct *parent);

	int (*capget) (struct task_struct *target,

		       kernel_cap_t *effective,

		       kernel_cap_t *inheritable, kernel_cap_t *permitted);

extern void securityfs_remove(struct dentry *dentry);

/* Security operations */

int security_ptrace(struct task_struct *parent, struct task_struct *child,

		    unsigned int mode);

int security_ptrace_may_access(struct task_struct *child, unsigned int mode);

int security_ptrace_traceme(struct task_struct *parent);

int security_capget(struct task_struct *target,

		    kernel_cap_t *effective,

		    kernel_cap_t *inheritable,

	return 0;

}

static inline int security_ptrace(struct task_struct *parent,

				  struct task_struct *child,

static inline int security_ptrace_may_access(struct task_struct *child,

					     unsigned int mode)

{

	return cap_ptrace(parent, child, mode);

	return cap_ptrace_may_access(child, mode);

}

static inline int security_ptrace_traceme(struct task_struct *child)

{

	return cap_ptrace_traceme(parent);

}

static inline int security_capget(struct task_struct *target,

	return ret;

}

int __capable(struct task_struct *t, int cap)

/**

 * capable - Determine if the current task has a superior capability in effect

 * @cap: The capability to be tested for

 *

 * Return true if the current task has the given superior capability currently

 * available for use, false if not.

 *

 * This sets PF_SUPERPRIV on the task if the capability is available on the

 * assumption that it's about to be used.

 */

int capable(int cap)

{

	if (security_capable(t, cap) == 0) {

		t->flags |= PF_SUPERPRIV;

	if (has_capability(current, cap)) {

		current->flags |= PF_SUPERPRIV;

		return 1;

	}

	return 0;

}

int capable(int cap)

{

	return __capable(current, cap);

}

EXPORT_SYMBOL(capable);

	if (!dumpable && !capable(CAP_SYS_PTRACE))

		return -EPERM;

	return security_ptrace(current, task, mode);

	return security_ptrace_may_access(task, mode);

}

bool ptrace_may_access(struct task_struct *task, unsigned int mode)

			goto repeat;

		}

		ret = security_ptrace(current->parent, current,

				      PTRACE_MODE_ATTACH);

		ret = security_ptrace_traceme(current->parent);

		/*

		 * Set the ptrace bit in the process ptrace flags.

#include <linux/module.h>

#include <linux/notifier.h>

#include <linux/memcontrol.h>

#include <linux/security.h>

int sysctl_panic_on_oom;

int sysctl_oom_kill_allocating_task;

	 * Superuser processes are usually more important, so we make it

	 * less likely that we kill those.

	 */

	if (__capable(p, CAP_SYS_ADMIN) || __capable(p, CAP_SYS_RESOURCE))

	if (has_capability(p, CAP_SYS_ADMIN) ||

	    has_capability(p, CAP_SYS_RESOURCE))

		points /= 4;

	/*

	 * tend to only have this flag set on applications they think

	 * of as important.

	 */

	if (__capable(p, CAP_SYS_RAWIO))

	if (has_capability(p, CAP_SYS_RAWIO))

		points /= 4;

	/*