[Devel] [PATCH rh7 1/3] ve/capability: introduce capable() wrapper which honors CT features
Konstantin Khorenko
khorenko at virtuozzo.com
Fri May 24 14:32:27 MSK 2019
Containers might have special features which affect capabilities,
so here is a wrapper for code simplicity.
https://jira.sw.ru/browse/PSBM-94635
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
include/linux/capability.h | 1 +
kernel/capability.c | 13 +++++++++++++
2 files changed, 14 insertions(+)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 17dd0dd7e7e8..a204f282cd65 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -214,6 +214,7 @@ extern bool has_ns_capability_noaudit(struct task_struct *t,
extern bool capable(int cap);
extern bool ns_capable(struct user_namespace *ns, int cap);
extern bool ve_capable(int cap);
+extern bool feature_capable(int feature, int cap);
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
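Review bot: The new `feature_capable()` prototype carries no comment saying which bitmask `feature` is drawn from or what the fallback semantics are, and the `int feature` parameter type should match the width of the `features` field it is tested against (if that field is wider than `int`, feature bits above bit 31 would be truncated before the `&` in kernel/capability.c). Suggest a short comment above the declaration, e.g. `/* feature: a CT feature bit; checks ve_capable() when set, capable() otherwise */`, and using the same type for `feature` as the field in the VE struct.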
diff --git a/kernel/capability.c b/kernel/capability.c
index 29b393ec4553..fd9a523b457f 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -408,11 +408,24 @@ bool ve_capable(int cap)
return ns_capable(cred->user_ns, cap);
}
+
+bool feature_capable(int feature, int cap)
+{
+ if (get_exec_env()->features & feature)
+ return ve_capable(cap);
+ else
+ return capable(cap);
+}
#else
bool ve_capable(int cap)
{
return capable(cap);
}
+
+bool feature_capable(int feature, int cap)
+{
+ return capable(cap);
+}
#endif
EXPORT_SYMBOL_GPL(ve_capable);
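Review bot: `feature_capable()` is added beside `ve_capable()` but only `ve_capable` is exported (`EXPORT_SYMBOL_GPL(ve_capable);` at the end of the hunk), so module code cannot use the new wrapper; if that is intended, add `EXPORT_SYMBOL_GPL(feature_capable);` next to it in both the `#ifdef` and `#else` variants. Minor style point in the CONFIG_VE branch: the `else` after `return ve_capable(cap);` is unnecessary (checkpatch flags this), so `return capable(cap);` can follow the `if` directly.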
--
2.15.1