3.8-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 26 Apr 2013 19:17:46 +0000 (12:17 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 26 Apr 2013 19:17:46 +0000 (12:17 -0700)
added patches:
add-file_ns_capable-helper-function-for-open-time-capability-checking.patch

queue-3.8/add-file_ns_capable-helper-function-for-open-time-capability-checking.patch [new file with mode: 0644]
queue-3.8/series [new file with mode: 0644]

diff --git a/queue-3.8/add-file_ns_capable-helper-function-for-open-time-capability-checking.patch b/queue-3.8/add-file_ns_capable-helper-function-for-open-time-capability-checking.patch
new file mode 100644 (file)
index 0000000..7dbfbe1
--- /dev/null
@@ -0,0 +1,75 @@
+From 935d8aabd4331f47a89c3e1daa5779d23cf244ee Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sun, 14 Apr 2013 10:06:31 -0700
+Subject: Add file_ns_capable() helper function for open-time capability checking
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 935d8aabd4331f47a89c3e1daa5779d23cf244ee upstream.
+
+Nothing is using it yet, but this will allow us to delay the open-time
+checks to use time, without breaking the normal UNIX permission
+semantics where permissions are determined by the opener (and the file
+descriptor can then be passed to a different process, or the process can
+drop capabilities).
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Shea Levy <shea@shealevy.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/capability.h |    2 ++
+ kernel/capability.c        |   24 ++++++++++++++++++++++++
+ 2 files changed, 26 insertions(+)
+
+--- a/include/linux/capability.h
++++ b/include/linux/capability.h
+@@ -35,6 +35,7 @@ struct cpu_vfs_cap_data {
+ #define _KERNEL_CAP_T_SIZE     (sizeof(kernel_cap_t))
++struct file;
+ struct inode;
+ struct dentry;
+ struct user_namespace;
+@@ -211,6 +212,7 @@ extern bool capable(int cap);
+ extern bool ns_capable(struct user_namespace *ns, int cap);
+ extern bool nsown_capable(int cap);
+ extern bool inode_capable(const struct inode *inode, int cap);
++extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
+ /* audit system wants to get cap info from files as well */
+ extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
+--- a/kernel/capability.c
++++ b/kernel/capability.c
+@@ -393,6 +393,30 @@ bool ns_capable(struct user_namespace *n
+ EXPORT_SYMBOL(ns_capable);
+ /**
++ * file_ns_capable - Determine if the file's opener had a capability in effect
++ * @file:  The file we want to check
++ * @ns:  The usernamespace we want the capability in
++ * @cap: The capability to be tested for
++ *
++ * Return true if task that opened the file had a capability in effect
++ * when the file was opened.
++ *
++ * This does not set PF_SUPERPRIV because the caller may not
++ * actually be privileged.
++ */
++bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap)
++{
++      if (WARN_ON_ONCE(!cap_valid(cap)))
++              return false;
++
++      if (security_capable(file->f_cred, ns, cap) == 0)
++              return true;
++
++      return false;
++}
++EXPORT_SYMBOL(file_ns_capable);
++
++/**
+  * capable - Determine if the current task has a superior capability in effect
+  * @cap: The capability to be tested for
+  *
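Review bot: file_ns_capable() decides on `file->f_cred` rather than the calling task's credentials, so its result is fixed by whoever opened the file and is unaffected by the current holder later dropping capabilities or handing the descriptor to another process, as the commit message describes; the kernel-doc explains the PF_SUPERPRIV difference but does not spell out that the helper must therefore not be used where the requirement is that the current task hold the capability. Suggest extending the comment with `* Unlike capable()/ns_capable(), the check is against the credentials saved in` / `* file->f_cred at open time, not against the caller's current credentials.` The two-branch tail could also be collapsed to `return security_capable(file->f_cred, ns, cap) == 0;`, though that is cosmetic.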
diff --git a/queue-3.8/series b/queue-3.8/series
new file mode 100644 (file)
index 0000000..d3eae46
--- /dev/null
@@ -0,0 +1 @@
+add-file_ns_capable-helper-function-for-open-time-capability-checking.patch