* [PATCH v2 7/8] kernel/bpf: use new capable_or functionality
From: Christian Göttsche @ 2022-05-02 16:00 UTC
To: selinux
Cc: Serge Hallyn, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song,
John Fastabend, KP Singh, linux-security-module, linux-kernel,
netdev, bpf
Use the newly added capable_or function in appropriate cases, where a task
is required to have any of two capabilities.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
kernel/bpf/syscall.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index cdaa1152436a..95a2cf3e78c9 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -2249,7 +2249,7 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr)
!bpf_capable())
return -EPERM;
- if (is_net_admin_prog_type(type) && !capable(CAP_NET_ADMIN) && !capable(CAP_SYS_ADMIN))
+ if (is_net_admin_prog_type(type) && !capable_or(CAP_NET_ADMIN, CAP_SYS_ADMIN))
return -EPERM;
if (is_perfmon_prog_type(type) && !perfmon_capable())
return -EPERM;
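Review bot: The changed line in bpf_prog_load() swaps two separate capable() calls for capable_or(CAP_NET_ADMIN, CAP_SYS_ADMIN), but neither the commit message nor this patch shows what the helper does differently, so equivalence cannot be checked from here. Please state in the commit message whether the order in which the two capabilities are tested, and what is reported when both are missing, stays the same as with the removed `!capable(CAP_NET_ADMIN) && !capable(CAP_SYS_ADMIN)`, and mention which patch in the series defines capable_or. The neighbouring checks in this hunk go through the named wrappers bpf_capable() and perfmon_capable(), while this one open-codes the capability pair; a wrapper in the same style would keep the three checks consistent and give a single place to document why CAP_SYS_ADMIN is accepted as the fallback.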
--
2.36.0