[PATCH] remove duplicated assignment from sys_capget.

This removes the code from cap_sysget that fills out the capability set
being returned to userspace.  The module handles this in a policy
specific way.  This updates the dummy.c module to fill in return data
according to superuser policy, and also disables setting capabilities in
superuser policy.

kernel/capability.c

@@ -63,9 +63,6 @@ asmlinkage long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
      } else
 	     target = current;
 
-     data.permitted = cap_t(target->cap_permitted);
-     data.inheritable = cap_t(target->cap_inheritable); 
-     data.effective = cap_t(target->cap_effective);
      ret = security_ops->capget(target, &data.effective, &data.inheritable, &data.permitted);
 
 out:

security/dummy.c

@@ -27,6 +27,17 @@ static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
 static int dummy_capget (struct task_struct *target, kernel_cap_t * effective,
 			 kernel_cap_t * inheritable, kernel_cap_t * permitted)
 {
+	*effective = *inheritable = *permitted = 0;
+	if (!issecure(SECURE_NOROOT)) {
+		if (target->euid == 0) {
+			*permitted |= (~0 & ~CAP_FS_MASK);
+			*effective |= (~0 & ~CAP_TO_MASK(CAP_SETPCAP) & ~CAP_FS_MASK);
+		}
+		if (target->fsuid == 0) {
+			*permitted |= CAP_FS_MASK;
+			*effective |= CAP_FS_MASK;
+		}
+	}
 	return 0;
 }
 
@@ -35,7 +46,7 @@ static int dummy_capset_check (struct task_struct *target,
 			       kernel_cap_t * inheritable,
 			       kernel_cap_t * permitted)
 {
-	return 0;
+	return -EPERM;
 }
 
 static void dummy_capset_set (struct task_struct *target,