Re: [PATCH V3 04/10] capabilities: use root_priveleged inline to clarify logic

Introduce inline root_privileged() to make use of SECURE_NONROOT easier to read. Suggested-by: Serge Hallyn <serge(a)hallyn.com&gt;

Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com&gt; --- security/commoncap.c | 9 +++++---- 1 files changed, 5 insertions(+), 4 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index 028d4e4..36c38a1 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -481,13 +481,13 @@ static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_f return rc; } +static inline bool root_privileged(void) { return !issecure(SECURE_NOROOT); } + void handle_privileged_root(struct linux_binprm *bprm, bool has_fcap, bool *effective, kuid_t root_uid) { const struct cred *old = current_cred(); struct cred *new = bprm->cred; - if (issecure(SECURE_NOROOT)) - return; /* * If the legacy file capability is set, then don't set privs * for a setuid root binary run by a non-root user. Do set it @@ -544,7 +544,8 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) root_uid = make_kuid(new->user_ns, 0); - handle_privileged_root(bprm, has_fcap, &effective, root_uid); + if (root_privileged()) + handle_privileged_root(bprm, has_fcap, &effective, root_uid); /* if we have fs caps, clear dangerous personality flags */ if (cap_gained(permitted, new, old)) @@ -612,7 +613,7 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) if (cap_grew(effective, ambient, new)) { if (!cap_full(effective, new) || !uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid) || - issecure(SECURE_NOROOT)) { + !root_privileged()) { ret = audit_log_bprm_fcaps(bprm, new, old); if (ret < 0) return ret; -- 1.7.1