Linux 4.10 compat: has_capability()

Stock kernels older than 4.10 do not export the has_capability()
function which is required by commit e59a377.  To avoid breaking
the build on older kernels revert to the safe legacy behavior and
return EACCES when privileges cannot be checked.

Reviewed-by: Ryan Moeller <[email protected]>
Reviewed-by: Matt Ahrens <[email protected]>
Signed-off-by: Brian Behlendorf <[email protected]>
Closes #10565
Closes #10573 

1 files changed, 9 insertions, 0 deletions

diff --git a/module/os/linux/zfs/policy.c b/module/os/linux/zfs/policy.c
index eaa5372f2..5267d67ee 100644
--- a/module/os/linux/zfs/policy.c
+++ b/module/os/linux/zfs/policy.c
@@ -249,13 +249,22 @@ secpolicy_zfs(const cred_t *cr)
  * Equivalent to secpolicy_zfs(), but works even if the cred_t is not that of
  * the current process.  Takes both cred_t and proc_t so that this can work
  * easily on all platforms.
+ *
+ * The has_capability() function was first exported in the 4.10 Linux kernel
+ * then backported to some LTS kernels.  Prior to this change there was no
+ * mechanism to perform this check therefore EACCES is returned when the
+ * functionality is not present in the kernel.
  */
 int
 secpolicy_zfs_proc(const cred_t *cr, proc_t *proc)
 {
+#if defined(HAVE_HAS_CAPABILITY)
 	if (!has_capability(proc, CAP_SYS_ADMIN))
 		return (EACCES);
 	return (0);
+#else
+	return (EACCES);
+#endif
 }
 
 void