CRED: Constify the kernel_cap_t arguments to the capset LSM hooks

Constify the kernel_cap_t arguments to the capset LSM hooks.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>

diff --git a/include/linux/security.h b/include/linux/security.h
index d1ce8beddbd778292afff9c0db23b6a288f2ecbd..9f305d4a31a7c0babe80883fa8d36e9881302783 100644 (file)
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -53,8 +53,12 @@ extern int cap_settime(struct timespec *ts, struct timezone *tz);
 extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode);
 extern int cap_ptrace_traceme(struct task_struct *parent);
 extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
-extern int cap_capset_check(kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
-extern void cap_capset_set(kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
+extern int cap_capset_check(const kernel_cap_t *effective,
+                           const kernel_cap_t *inheritable,
+                           const kernel_cap_t *permitted);
+extern void cap_capset_set(const kernel_cap_t *effective,
+                          const kernel_cap_t *inheritable,
+                          const kernel_cap_t *permitted);
 extern int cap_bprm_set_security(struct linux_binprm *bprm);
 extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
 extern int cap_bprm_secureexec(struct linux_binprm *bprm);
@@ -1293,12 +1297,12 @@ struct security_operations {
        int (*capget) (struct task_struct *target,
                       kernel_cap_t *effective,
                       kernel_cap_t *inheritable, kernel_cap_t *permitted);
-       int (*capset_check) (kernel_cap_t *effective,
-                            kernel_cap_t *inheritable,
-                            kernel_cap_t *permitted);
-       void (*capset_set) (kernel_cap_t *effective,
-                           kernel_cap_t *inheritable,
-                           kernel_cap_t *permitted);
+       int (*capset_check) (const kernel_cap_t *effective,
+                            const kernel_cap_t *inheritable,
+                            const kernel_cap_t *permitted);
+       void (*capset_set) (const kernel_cap_t *effective,
+                           const kernel_cap_t *inheritable,
+                           const kernel_cap_t *permitted);
        int (*capable) (struct task_struct *tsk, int cap, int audit);
        int (*acct) (struct file *file);
        int (*sysctl) (struct ctl_table *table, int op);
@@ -1560,12 +1564,12 @@ int security_capget(struct task_struct *target,
                    kernel_cap_t *effective,
                    kernel_cap_t *inheritable,
                    kernel_cap_t *permitted);
-int security_capset_check(kernel_cap_t *effective,
-                         kernel_cap_t *inheritable,
-                         kernel_cap_t *permitted);
-void security_capset_set(kernel_cap_t *effective,
-                        kernel_cap_t *inheritable,
-                        kernel_cap_t *permitted);
+int security_capset_check(const kernel_cap_t *effective,
+                         const kernel_cap_t *inheritable,
+                         const kernel_cap_t *permitted);
+void security_capset_set(const kernel_cap_t *effective,
+                        const kernel_cap_t *inheritable,
+                        const kernel_cap_t *permitted);
 int security_capable(struct task_struct *tsk, int cap);
 int security_capable_noaudit(struct task_struct *tsk, int cap);
 int security_acct(struct file *file);
@@ -1755,16 +1759,16 @@ static inline int security_capget(struct task_struct *target,
        return cap_capget(target, effective, inheritable, permitted);
 }
 
-static inline int security_capset_check(kernel_cap_t *effective,
-                                       kernel_cap_t *inheritable,
-                                       kernel_cap_t *permitted)
+static inline int security_capset_check(const kernel_cap_t *effective,
+                                       const kernel_cap_t *inheritable,
+                                       const kernel_cap_t *permitted)
 {
        return cap_capset_check(effective, inheritable, permitted);
 }
 
-static inline void security_capset_set(kernel_cap_t *effective,
-                                      kernel_cap_t *inheritable,
-                                      kernel_cap_t *permitted)
+static inline void security_capset_set(const kernel_cap_t *effective,
+                                      const kernel_cap_t *inheritable,
+                                      const kernel_cap_t *permitted)
 {
        cap_capset_set(effective, inheritable, permitted);
 }

diff --git a/security/commoncap.c b/security/commoncap.c
index e3f36ef629fabd095269cf6a4fc8a1aef2ed69d1..fb4e240720d8639e62899c5e00c10ae66b2f245b 100644 (file)
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -118,8 +118,9 @@ static inline int cap_limit_ptraced_target(void)
 
 #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
 
-int cap_capset_check (kernel_cap_t *effective,
-                     kernel_cap_t *inheritable, kernel_cap_t *permitted)
+int cap_capset_check(const kernel_cap_t *effective,
+                    const kernel_cap_t *inheritable,
+                    const kernel_cap_t *permitted)
 {
        if (cap_inh_is_capped()
            && !cap_issubset(*inheritable,
@@ -150,8 +151,9 @@ int cap_capset_check (kernel_cap_t *effective,
        return 0;
 }
 
-void cap_capset_set (kernel_cap_t *effective,
-                    kernel_cap_t *inheritable, kernel_cap_t *permitted)
+void cap_capset_set(const kernel_cap_t *effective,
+                   const kernel_cap_t *inheritable,
+                   const kernel_cap_t *permitted)
 {
        current->cap_effective = *effective;
        current->cap_inheritable = *inheritable;

diff --git a/security/security.c b/security/security.c
index dca37381e2a7122ecee1446b09da8e2fd138beee..81c956a12300d3767ac586bfe75751aea1c08b78 100644 (file)
--- a/security/security.c
+++ b/security/security.c
@@ -145,16 +145,16 @@ int security_capget(struct task_struct *target,
        return security_ops->capget(target, effective, inheritable, permitted);
 }
 
-int security_capset_check(kernel_cap_t *effective,
-                         kernel_cap_t *inheritable,
-                         kernel_cap_t *permitted)
+int security_capset_check(const kernel_cap_t *effective,
+                         const kernel_cap_t *inheritable,
+                         const kernel_cap_t *permitted)
 {
        return security_ops->capset_check(effective, inheritable, permitted);
 }
 
-void security_capset_set(kernel_cap_t *effective,
-                        kernel_cap_t *inheritable,
-                        kernel_cap_t *permitted)
+void security_capset_set(const kernel_cap_t *effective,
+                        const kernel_cap_t *inheritable,
+                        const kernel_cap_t *permitted)
 {
        security_ops->capset_set(effective, inheritable, permitted);
 }

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index df9986940e9cffae0f020d3487559c21cecd7c5b..9f6da154cc82cd0ec3e118cfe6a6fb03ae8c254c 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1790,8 +1790,9 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
        return secondary_ops->capget(target, effective, inheritable, permitted);
 }
 
-static int selinux_capset_check(kernel_cap_t *effective,
-                               kernel_cap_t *inheritable, kernel_cap_t *permitted)
+static int selinux_capset_check(const kernel_cap_t *effective,
+                               const kernel_cap_t *inheritable,
+                               const kernel_cap_t *permitted)
 {
        int error;
 
@@ -1802,8 +1803,9 @@ static int selinux_capset_check(kernel_cap_t *effective,
        return task_has_perm(current, current, PROCESS__SETCAP);
 }
 
-static void selinux_capset_set(kernel_cap_t *effective,
-                              kernel_cap_t *inheritable, kernel_cap_t *permitted)
+static void selinux_capset_set(const kernel_cap_t *effective,
+                              const kernel_cap_t *inheritable,
+                              const kernel_cap_t *permitted)
 {
        secondary_ops->capset_set(effective, inheritable, permitted);
 }