linux/security/commoncap.c
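/* Common capabilities, needed by capability.o.
 *
 *	This program is free software; you can redistribute it and/or modify
 *	it under the terms of the GNU General Public License as published by
 *	the Free Software Foundation; either version 2 of the License, or
 *	(at your option) any later version.
 *
 */

#include <linux/capability.h>
#include <linux/audit.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/security.h>
#include <linux/file.h>
#include <linux/mm.h>
#include <linux/mman.h>
#include <linux/pagemap.h>
#include <linux/swap.h>
#include <linux/skbuff.h>
#include <linux/netlink.h>
#include <linux/ptrace.h>
#include <linux/xattr.h>
#include <linux/hugetlb.h>
#include <linux/mount.h>
#include <linux/sched.h>
#include <linux/prctl.h>
#include <linux/securebits.h>
#include <linux/user_namespace.h>

/*
 * If a non-root user executes a setuid-root binary in
 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
 * However if fE is also set, then the intent is for only
 * the file capabilities to be applied, and the setuid-root
 * bit is left on either to change the uid (plausible) or
 * to get full privilege on a kernel without file capabilities
 * support.  So in that case we do not raise capabilities.
 *
 * Warn if that happens, once per boot.
 */
static void warn_setuid_and_fcaps_mixed(const char *fname)
{
	/* One-shot latch: function-local static, so only the first call logs. */
	static int warned;
	if (!warned) {
		printk(KERN_INFO "warning: `%s' has both setuid-root and"
			" effective capabilities. Therefore not raising all"
			" capabilities.\n", fname);
		warned = 1;
	}
}

/*
 * Netlink send hook: unconditionally permits the send.  Neither @sk nor
 * @skb is examined.
 */
int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
{
	return 0;
}

/*
 * Netlink receive hook: returns 0 if @cap is raised in the set returned by
 * current_cap(), -EPERM otherwise.  @skb is not examined here.
 */
int cap_netlink_recv(struct sk_buff *skb, int cap)
{
	if (!cap_raised(current_cap(), cap))
		return -EPERM;
	return 0;
}
EXPORT_SYMBOL(cap_netlink_recv);

/**
 * cap_capable - Determine whether a task has a particular effective capability
 * @tsk: The task to query
 * @cred: The credentials to use
 * @targ_ns: The user namespace in which we need the capability
 * @cap: The capability to check for
 * @audit: Whether to write an audit message or not
 *
 * Determine whether the nominated task has the specified capability amongst
 * its effective set, returning 0 if it does, -ve if it does not.
 *
 * NOTE WELL: cap_capable() cannot be used like the kernel's capable()
 * and has_capability() functions.  That is, it has the reverse semantics:
 * cap_capable() returns 0 when a task has a capability, but the
 * kernel's capable() and has_capability() returns 1 for this case.
 * A caller that tests the result as a boolean therefore inverts the
 * decision; compare against 0 explicitly.
 *
 * Only @cred, @targ_ns and @cap are read by the body below; @tsk and @audit
 * are accepted but not used in this function.
 */
int cap_capable(struct task_struct *tsk, const struct cred *cred,
		struct user_namespace *targ_ns, int cap, int audit)
{
	for (;;) {
		/* The creator of the user namespace has all caps. */
		if (targ_ns != &init_user_ns && targ_ns->creator == cred->user)
			return 0;

		/* Do we have the necessary capabilities? */
		if (targ_ns == cred->user->user_ns)
			return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;

		/* Have we tried all of the parent namespaces? */
		if (targ_ns == &init_user_ns)
			return -EPERM;

		/*
		 * If you have a capability in a parent user ns, then you have
		 * it over all children user namespaces as well.
		 */
		targ_ns = targ_ns->creator->user_ns;
	}

	/* We never get here */
}

/**
 * cap_settime - Determine whether the current process may set the system clock
 * @ts: The time to set
 * @tz: The timezone to set
 *
 * Determine whether the current process may set the system clock and timezone
 * information, returning 0 if permission granted, -ve if denied.
 *
 * The decision rests solely on capable(CAP_SYS_TIME); the proposed values in
 * @ts and @tz are not inspected here.
 */
int cap_settime(const struct timespec *ts, const struct timezone *tz)
{
	if (!capable(CAP_SYS_TIME))
		return -EPERM;
	return 0;
}

/**
 * cap_ptrace_access_check - Determine whether the current process may access
 *			   another
 * @child: The process to be accessed
 * @mode: The mode of attachment.
 *
 * If we are in the same or an ancestor user_ns and have all the target
 * task's capabilities, then ptrace access is allowed.
 * If we have the ptrace capability to the target user_ns, then ptrace
 * access is allowed.
 * Else denied.
 *
 * Determine whether a process may access another, returning 0 if permission
 * granted, -ve if denied.
 *
 * NOTE(review): the first test below compares the two user namespaces for
 * equality only; any "ancestor" case is presumably reached through
 * ns_capable() -- confirm against its definition.  @mode is not consulted
 * in this function.
 */
int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
{
	int ret = 0;
	const struct cred *cred, *child_cred;

	/* Both credential pointers are only dereferenced inside this section. */
	rcu_read_lock();
	cred = current_cred();
	child_cred = __task_cred(child);
	/* Same namespace and the target's permitted set is within ours. */
	if (cred->user->user_ns == child_cred->user->user_ns &&
	    cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
		goto out;
	if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE))
		goto out;
	ret = -EPERM;
out:
	rcu_read_unlock();
	return ret;
}

/**
 * cap_ptrace_traceme - Determine whether another process may trace the current
 * @parent: The task proposed to be the tracer
 *
 * If parent is in the same or an ancestor user_ns and has all current's
 * capabilities, then ptrace access is allowed.
 * If parent has the ptrace capability to current's user_ns, then ptrace
 * access is allowed.
 * Else denied.
 *
 * Determine whether the nominated task is permitted to trace the current
 * process, returning 0 if permission is granted, -ve if denied.
 *
 * This mirrors cap_ptrace_access_check() with the roles swapped: here "cred"
 * is the would-be tracer (@parent) and "child_cred" is current.
 */
int cap_ptrace_traceme(struct task_struct *parent)
{
	int ret = 0;
	const struct cred *cred, *child_cred;

	rcu_read_lock();
	cred = __task_cred(parent);
	child_cred = current_cred();
	if (cred->user->user_ns == child_cred->user->user_ns &&
	    cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
		goto out;
	if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE))
		goto out;
	ret = -EPERM;
out:
	rcu_read_unlock();
	return ret;
}

/**
 * cap_capget - Retrieve a task's capability sets
 * @target: The task from which to retrieve the capability sets
 * @effective: The place to record the effective set
 * @inheritable: The place to record the inheritable set
 * @permitted: The place to record the permitted set
 *
 * This function retrieves the capabilities of the nominated task and returns
 * them to the caller.  It always returns 0 and performs no permission check
 * of its own.
 */
int cap_capget(struct task_struct *target, kernel_cap_t *effective,
	       kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
	const struct cred *cred;

	/* Derived from kernel/capability.c:sys_capget. */
	rcu_read_lock();
	cred = __task_cred(target);
	/* Copy all three sets inside one RCU read-side section. */
	*effective   = cred->cap_effective;
	*inheritable = cred->cap_inheritable;
	*permitted   = cred->cap_permitted;
	rcu_read_unlock();
	return 0;
}

/*
 * Determine whether the inheritable capabilities are limited to the old
 * permitted set.  Returns 1 if they are limited, 0 if they are not.
 */
static inline int cap_inh_is_capped(void)
{

	/* they are so limited unless the current task has the CAP_SETPCAP
	 * capability
	 */
	/* cap_capable() returns 0 on success, hence the "== 0" test. */
	if (cap_capable(current, current_cred(),
			current_cred()->user->user_ns, CAP_SETPCAP,
			SECURITY_CAP_AUDIT) == 0)
		return 0;
	return 1;
}

/**
 * cap_capset - Validate and apply proposed changes to current's capabilities
 * @new: The proposed new credentials; alterations should be made here
 * @old: The current task's current credentials
 * @effective: A pointer to the proposed new effective capabilities set
 * @inheritable: A pointer to the proposed new inheritable capabilities set
 * @permitted: A pointer to the proposed new permitted capabilities set
 *
 * This function validates and applies a proposed mass change to the current
 * process's capability sets.  The changes are made to the proposed new
 * credentials, and assuming no error, will be committed by the caller of LSM.
 *
 * Every check compares the proposal against @old; @new is written only after
 * all four checks have passed.  Returns 0 on success, -EPERM if any check
 * fails.
 */
int cap_capset(struct cred *new,
	       const struct cred *old,
	       const kernel_cap_t *effective,
	       const kernel_cap_t *inheritable,
	       const kernel_cap_t *permitted)
{
	if (cap_inh_is_capped() &&
	    !cap_issubset(*inheritable,
			  cap_combine(old->cap_inheritable,
				      old->cap_permitted)))
		/* incapable of using this inheritable set */
		return -EPERM;

	if (!cap_issubset(*inheritable,
			  cap_combine(old->cap_inheritable,
				      old->cap_bset)))
		/* no new pI capabilities outside bounding set */
		return -EPERM;

	/* verify restrictions on target's new Permitted set */
	if (!cap_issubset(*permitted, old->cap_permitted))
		return -EPERM;

	/* verify the _new_Effective_ is a subset of the _new_Permitted_ */
	if (!cap_issubset(*effective, *permitted))
		return -EPERM;

	new->cap_effective   = *effective;
	new->cap_inheritable = *inheritable;
	new->cap_permitted   = *permitted;
	return 0;
}

/*
 * Clear proposed capability sets for execve().
 */
static inline void bprm_clear_caps(struct linux_binprm *bprm)
{
	cap_clear(bprm->cred->cap_permitted);
	bprm->cap_effective = false;
}

/**
 * cap_inode_need_killpriv - Determine if inode change affects privileges
 * @dentry: The inode/dentry being changed with change marked ATTR_KILL_PRIV
 *
 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
 * affects the security markings on that inode, and if it is, should
 * inode_killpriv() be invoked or the change rejected?
 *
 * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and
 * -ve to deny the change.
 *
 * As written, this implementation only ever returns 0 or 1: a getxattr
 * failure is reported the same way as "no capability xattr present".
 */
int cap_inode_need_killpriv(struct dentry *dentry)
{
	struct inode *inode = dentry->d_inode;
	int error;

	if (!inode->i_op->getxattr)
		return 0;

	/* NULL buffer, zero size: only the return value is of interest. */
	error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0);
	if (error <= 0)
		return 0;
	return 1;
}

/**
 * cap_inode_killpriv - Erase the security markings on an inode
 * @dentry: The inode/dentry to alter
 *
 * Erase the privilege-enhancing security markings on an inode.
 *
 * Returns 0 if successful, -ve on error.  Also returns 0, without removing
 * anything, when the inode provides no removexattr operation.
 */
int cap_inode_killpriv(struct dentry *dentry)
{
	struct inode *inode = dentry->d_inode;

	if (!inode->i_op->removexattr)
		return 0;

	return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
}

/*
 * Calculate the new process capability sets from the capability sets attached
 * to a file.
 *
 * Writes the computed permitted set into bprm->cred and sets *effective to
 * true when the file's VFS_CAP_FLAGS_EFFECTIVE flag is present; *effective is
 * never cleared here, so the caller supplies its initial value.
 */
static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
					  struct linux_binprm *bprm,
					  bool *effective)
{
	struct cred *new = bprm->cred;
	unsigned i;
	int ret = 0;

	if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
		*effective = true;

	CAP_FOR_EACH_U32(i) {
		__u32 permitted = caps->permitted.cap[i];
		__u32 inheritable = caps->inheritable.cap[i];

		/*
		 * pP' = (X & fP) | (pI & fI)
		 */
		new->cap_permitted.cap[i] =
			(new->cap_bset.cap[i] & permitted) |
			(new->cap_inheritable.cap[i] & inheritable);

		/* A file-permitted bit that did not survive the mask above. */
		if (permitted & ~new->cap_permitted.cap[i])
			/* insufficient to execute correctly */
			ret = -EPERM;
	}

	/*
	 * For legacy apps, with no internal support for recognizing they
	 * do not have enough capabilities, we return an error if they are
	 * missing some "forced" (aka file-permitted) capabilities.
	 */
	return *effective ? ret : 0;
}

/*
 * Extract the on-exec-apply capability sets for an executable file.
 */
/* NOTE(review): the function this comment introduces, and the rest of this
 * listing, is extraction-damaged and is not reconstructed here.
 */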
caps->permitted.cap[OR_EACH_U32(cap[persref">i;o4346 caps->inheritable.cap[OR_EACH_U32(cap[inheritable);o4260<6">4366}o4328o4269< return 0;o4366}o4301o4362/*4313 * Extract he on-exec-apply capability sets for an execbilitcomment">/*4294prescla, he on- * mes are made to thcmment"> * e/dentcomment">/*43154296 */4333ef="+code=kerap" turn66execlinux_binprm *bool *effective).429812a>{.4299 struct 4300 int mag>e return 0;o4321 struct ceffectuode=c="comment">/*i;o4322o4283 bprm_cleainprm *4354o4335 if (!effective).4346 return 0;o4367o4268 inprm *caps->caps->caps->magic_etc & effective).4269 return 0;o4340o4271 inode = *caps->caps->);o4322o4283 mag>e+code=kerap" turn66" claome "forced L349">4349 /a> = );o4344 inprm *mag>errri) {.4345 /a> inprm *mag>f">ret = -).4346 3">4283 rced L349">4349pr/a>rnt"> /a> 4349KERN_NOTICEpav3. ">4296quot;f%s: bprm,.4357 3">4283 4349__func__"sref maf caps->4348 else /a> inprm *mag>f">ret = -).4269 3">4283 mag>e return 0;o4260 gotomitted, i;o4351<6">4366}o4322o4283 mag>e+code=kerap" turef="+code=bprm_caps_from_vfs_caps" class="sref">bprm_caps_from_vfmitteable = effsref">i;o4344 inprm *mag>f">ret = -).4355 /a> rced L349">4349pr/a>rnt"> /a> 4349KERN_NOTICEpav3. 
">4296quot;f%s: t">/ss="comme be%dbilit%s\nquot;fomment"f">bprm,.4356 /a> 4349__func__"sref maf caps->4367o, 4202{.4344 /a> );o4360 inprm *mafective).4351 bprm_cleainprm *4322o4283 return maitable);o4284}o4325o4286/**4287cmmes - Set upare made to thcmment"> * eility sets for execve().436843694370 * eilitalculaets foion contexte/dentcomment">/*4331cacmme_kil/dented,comment">/*4312 * Returns 0 if succ ssful, -ve on error.4313 */4319int cmmes"+code=caps" class=ass="s/a>cmmesOR_EA struct linux_binprm *i) {.4306< * pP' = cef="+code=cred" class="sref">cred *permitted = );o4337 struct cred *new = bprm->cred;o4348< eff">cred;o4344 int cred;o4340o4271 effective = cred;o4282 effsref">i;o4323 /a> 4334 /a> return cred;o4325o4306 !ooeff/ref">i) {.4357 */43684349 ilitals/auid roote/inary rune coalcon-rooteusero Do s/a*it privileges4350 ilitalrooteuser jusinsufcause a urtErent"oty sadminve on error.4361 comment"> */4352 /a> if (effmitteic_etc & new->eff!=> *mitteic_etc & new->eff==ri) {.4353 /a> w-> *caps->4334 gotomitted, cred;o4355 4">4284}o4346 */4287 Tono internass="srence oflroot; (akassi v vano id-rootomment"> */4368 */4349 exec-apply capabilitn e executable file.4350 table file.4361 I aonon- * /aal uid kil0apabi se"> * Eass="srefe/itutable file.4362 comment"> */4353 /a> if (new->eff==r< || if (new->eff==ri) {.4334 /a> */4335 if (new->cap_peritable = *peef">new->cf">bprm,.4346 inprm *peef">new->cap_inheritable);o4307 4">4284}o4348 /a> if (new->eff==r <= 0).4269 inprm *effective = true;o4260<6">4366}o, 4202{.4322o4353< 4364 * eunanssan err * d * apade riate "sref"ts attached4315 */4306 if (new->eff!>error = peef">new->eff|itted) |.4307 if (new->eff!>error = peef">new->eff|itted) |.4348 ! *new->cap_pef peef">new->cap_pe))*mitteic_ettted) |.4269 inprm *caps->XAT"+code=true" clLSM_UNSAFE_PTRAC">XATp_pe)ref">i) {.4260 no mor d * n err d,v vanmaybe ssa"comment"> */4351 /a> ! 
*eff/ref">i) {.4352 if (new->eff= if (new->efttted) |.4353 /a> w->new->eff= if (new->efttted) |.4334 6">4366}o4355 /a> new->cap_peritable = new->cap_pef">4366}o4346 peef">new->cap_pe)ttted) |.4260<6">4366}o4328o4344 new->eff= if (new->eff= if (new->efttted) |.4300 new->eff= if (new->eff= if (new->efttted) |.4301o4302 if (effective).4353 inprm *new->eff= if (new->cap_pettted) |.4334) |.4355 /a> *new->ef)ttted) |.4346 *caps->eff= if (eff">cred;o4367o4268< */4349cacef=ref="+cod kils/aomment"> */4350 */4361Wbi bothert"otyudit /a>3 thingsror ass=:omment"> */4362 1e-per=ref="+cod hail/dl spavORment"> */4363 2)pabior rootomment"> */4364 */43154296 */4287 */43684349 */4360 ! *new->ef)/ref">i) {.4351 /a> ! *new->ef)f|itted) |.4352 if (new->eff!>e< || if (new->eff!>e< ||tted) |.4353 /a> ew->ooeff/ref">i) {.4334 /a> ew->pe)ttted) |.4355 /a> /a> ew->4356 /a> return cred;o4307 4">4284}o4268<4">4284}o4284}o4300 new->effmitte=d & ~o4349as>ope)ttted) |.4351< return 0;o4284}o4343o4364/**4315428642874368it /s,v van0ts attached436943704331 * e * dbeen comef">cae cothisepoila, hvanooior no longertable file.4312cacmmeutable file.4313 */4319int linux_binprm *i) {.4306< * pP' = cef="+code=cred" class="sref">cred *);o4367o4268 inprm *new->eff!>ei) {.4269 /a> inprm *caps->ef)f">i) {.4260 /a> 1itable);o4351 /a> ! *new->cap_pe))table);o4352 1itable);o4323<4">4284}o4354o4355< ainprm *new->eff!>error = new->eff||tted) |.4346 new->eff!>error = new->efritable);o4284}o4328o4349/**4350/**4361/**4312/**4313/**4294/**4315/**4286/**4287ontanbin/**4368/coimeutable file.4349/**4350 cothos=omment">/**43614362 */4319int cred *4366}o4334 /a> voidf">cred *4319int ma)table);oi) {.4306 ! *eff/ref">i) {.4307 /a> ! *);o4348 5">4355< >ret = -cred;o4269 return 0;o4260<6">4366}o4301o4302 ! *4366}o4353 /a> siz=ofainprm *) |.4334 ! *);o4355 >ret = -cred;o4306< return 0;o4284}o4328o4349/**4350/**4361/**4312/**4313/**4294/**43154286/**4287/**43684349 */4319int cred *i) {.4302 ! *eff/ref">i) {.4353 /a> ! 
*);o4334 /a> >ret = -cred;o4355 return 0;o4346<4">4284}o4367o4268 ! *4366}o4269 siz=ofainprm *) |.4260 ! *);o4351 >ret = -cred;o4302< return 0;o4284}o4354o4315 */4296ca exec-applies>oRomment">/**42874368 */4349/**4350ca hvanass="srefeexec-applies>ar=omment">/**436143124313ble file.429443154296ble file.4287ar= se"> oare masref">ca exec-appliesutable file.4368 */4349/**4350436143124313/**4364/**4315 oakeep itseexec-applies>ween f"ts attached4286ca hvats attached42874368ble file.4369ble file.4370ble file.433143124313 */->int cred *cred *pe)> */i) {.4306 if (peef">new->eff==r< || if (peef">new->eff==r< || if (peef">new->eff=>e) |.4307 ainprm *new->eff!=> *mitteic_etc & new->eff!=> *mitteic_etc & new->eff!>e) |.4348 !oope)/ref">i) {.4269 319int *new->cap_pe)ttted) |.4260 319int *new->ef)ttted) |.4351<4">4284}o4302 if (peef">new->eff==r< mitteic_etc & new->eff!=> )> */4353 inprm * *new->ef)ttted) |.4302 if (peef">new->eff!=> *mitteic_etc & new->eff==r <= 0).4355 inprm *new->eff= if (new->cap_pettted) |.4284}o4367o4368/**4349/**4350 * omment">/**4361 * omment">/**4312/**4313/**4294 *lchanges>ar=omment">/**43154286 */4319int cred *cred *pef 9">4319int ma)table);oi) {.4269 if (ma)ref">i) {.4260int 4202{.4260int 4202{.4260int 4202{.4353 i">4368unanssomment"> */4364 */4355 /a> !oo);o4356 319int cred *pe)ttted) |.4307 breakttted) |.4328o4269int 4202{.4260 unanssomment"> */4361 */4362 */4363 */4364 */4315 */4356 /a> !ooi) {.4307 /a> /a> if (peef">new->eff==> *mitteic_etc & new->eff!=> )> */4348 5">4355<<<<<<<< *new->eff=> */4269 5">4355<<<<<<<< * *new->ef)ttted) |.) 
|.4351 /a> /a> if (peef">new->eff!=> *mitteic_etc & new->eff==> )> */4352 <<<<<<< *new->eff=> */4353 /a> 5">4355<<<<<<<< * *new->eff">4366}o4334 /a> /a> 5">4355<<<<<<<< *new->cap_pe)ttted) |.4355 4">4284}o4356 breakttted) |.4367o43484202{.4269 >ret = -) |.4260<6">4366}o4301o4302< return 0;o4284}o4354o4315 */428642874368 */4349 tcsscap_(ass=sys_nice),abut acoir ron>your ownmadens 0es,omment"> */4350 */4331 */431243134294 */4319int cred *ma)table);oi) {.4307<9">4319int ) |.4328o4269<319int 4349rcu_read_locrOR_EA)ttted) |.4300 = * *ma)ef">new->cap_pef">4366}o4351 /a> <<<<<<<< *new->cap_pe)ttted) |.4269<319int 4349rcu_read_unlocrOR_EA)ttted) |.4343o4334 ! *);o4355 >ret = -cred;o4306< return 0;o4284}o4328o4349/**4350acheduler policylchangeekil"sref">cap_ment">/**4361/**4312/**4313 * /aques>ca acheduler policylchangeekil"sref">cahilit * p_ment">/**43644315 */4319int cred *ma)table);oi) {.4306< 319int cred *ma) return 0;o4284}o) |.4331/**4312I/O tEro hrelchangeekil"sref">cap_ment">/**4313/**4294/**43154286 * /aques>ca I/O tEro hrelchangeekil"sref">cahilit * cspecifiedtable file.42874368 */4319int cred *maf 9">4319int );oi) {.4351< 319int cred *ma) return 0;o4284}o4343o4294/**4315task>tEro hrelchangeekil"sref">cap_ment">/**4286/**4287/**43684349 * /aques>ca task>tEro hrelchangeekil"sref">cahilit * p_ment">/**43504361 */4319int cred *maf 9">4319int );oi) {.4351< 319int cred *ma) return 0;o4284}o4284}o4287 */4368cmptntoiremovel * cspecifiedncxec-apply ss="omment"> */43494350 */->cred *);oi) {.4353 ! *);o4334 >ret = -cred;o4355 ! *);o4356 >ret = -) |.4367o4348< ! *new->) |.4269< return 0;o4284}o4301o4362/**4363ilit *isa3./**4364/**4315/**4286/**4287/**4368"otother funcoions> totherwiselimple claednhere.omment"> */4349/**4350/**4361/**4312 */4313 */4319int 4319int 4366}o4355 unsignednlontlew->);oi) {.4307< struct cred *4348->4300 ) |.4351 !4352 >ret = -4343o4334 if (i) {.4355int 4202{.4356 ew->ret = -) |.4307 /a> ! 
*4348 5">4355->) |.4269 ew-> *new->4260 355->) |.4301o4260int 4202{.4353 inprm *->4334 /a> if ( )> */4355 4355->) |.4356 go"otew->) |.4367o4348< ">4287 */4349ist withltransioionor raomment"> */4350 */4361ar= tinluo )>"ota system usor rexecsystemomment"> */4312onon--t/artheaPOSIX.1e draf tintendmeutable file.43134294431542964287o4368o4349o4350o4361o431243134364/**43154286 */4307int 4202{.4348 ew->ret = -cred;o4269 /a> if (new-> & nf">n 1)> */4260 355<<<<<<&c_etc if (new->cred *4260 355<<<<<< 8< ">4287 */4351 /a> ||> if (new-> & ">4287 */4352 ||> >cred * ">4287 */4353 /a> ||> >cred * *cred *4366}o4334 /a> /a>>cred *new->new->cred *4366}o4355 4355< /a>>cred *e /a>>">4287 */4356 3">4287 */4287 *a">ar= locrcaomment"> */436843494350 */43614362 */4353 /a> )> */4334 /a> */4355 go"otew->) |.4356 ew->new->->4307 go"otew->) |.4328o4269int 4202{.4260 nprm *->new->) |.4351 go"otew->) |.) |.4269int 4202{.4334 /a> if (oo);o4355 nprm *) |.4356 go"otew->) |.4367o4269int 4202{.4269 ew->ret = -) |.4260 /a> if (n 1) */4351 /a> go"otew->) |.4352 ew->ret = -cred;o4353 /a> if (oo);o4334 /a> go"otew->) |.4355 /a> >cred *4356 319int new->->oo) |.4307 elsetted) |.4348 5">4355< if (new->cred *oo) |.4269 go"otew->) |.) 
|.43514202{.4352 e */4353 inprm *ret = -) |.4334 go"otew->) |.4355<4">4284}o4284}o4307 */->4202{.4269< 8w->) |.->4202{.->4202{.4353<>cred *4334< 8w->) |.4284}o4284}o4287 */4368cap_ment">/**43494cetinlwhich *@dass mappor rkil"otbe mad=omment">/**4350/**4361/**4312/**4363ca,< entl * Rc (akassi /s grantse,noautable file.4294 */4319int cred *->i) {.4307<9">4319int 4328o4269 >cred * *cred *cred *cred *4366}o4260 355<3">4353<>cred * )> */4351 319int ) |.4260< 8w-> *->) |.4284}o4284}o4315 */4286 */4287/**4368/**4349/**4350/**4361cmptor rtotbe mappcap_ment">/**4312/**4313 */4294cmptor rtotmap memory below dac_mmap_m5"_addr/**4315/**4296 *isamappor rshouldtbe /dlowcap_ment">/**4287noautable file.4368 */4319int cred *->4366}o4260 355<3"unsignednlontlew->->4366}o4351 /aunsignednlontlew->->i) {.43534319int 4284}o4355 ew->ew->i) {.4356 ew->cred * *cred *cred *cred *4366}o4307 0 355<3">4353<>cred *4348 e */4269 /a> ew-> )> */4260 355<<<<<<53<>cred *new->->) |.4351<4">4284}o4260< 8w->) |.4284}o