* [PATCH v3 8/8] net: use new capable_any functionality
       [not found] ` <20220615152623.311223-1-cgzones@googlemail.com>
@ 2022-06-15 15:26   ` Christian Göttsche
  0 siblings, 0 replies; only message in thread
From: Christian Göttsche @ 2022-06-15 15:26 UTC (permalink / raw)
  To: selinux
  Cc: Serge Hallyn, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Alexander Aring, Stefan Schmidt, Hideaki YOSHIFUJI,
	David Ahern, Nikolay Aleksandrov, Stefano Garzarella,
	Oliver Hartkopp, Ziyang Xuan, Pavel Begunkov, Wei Wang,
	Yangbo Lu, Menglong Dong, Thomas Gleixner, Richard Palethorpe,
	linux-security-module, linux-kernel, netdev, linux-wpan

Use the newly added capable_any function in appropriate cases, where a
task is required to have either of two capabilities.

Reorder CAP_SYS_ADMIN last.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3:
  - rename to capable_any()
  - make use of ns_capable_any
---
 net/caif/caif_socket.c   |  2 +-
 net/core/sock.c          | 12 ++++--------
 net/ieee802154/socket.c  |  6 ++----
 net/ipv4/ip_sockglue.c   |  3 +--
 net/ipv6/ipv6_sockglue.c |  3 +--
 net/unix/scm.c           |  2 +-
 6 files changed, 10 insertions(+), 18 deletions(-)

diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 251e666ba9a2..2d3df7658e04 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -1036,7 +1036,7 @@ static int caif_create(struct net *net, struct socket *sock, int protocol,
 		.usersize = sizeof_field(struct caifsock, conn_req.param)
 	};
 
-	if (!capable(CAP_SYS_ADMIN) && !capable(CAP_NET_ADMIN))
+	if (!capable_any(CAP_NET_ADMIN, CAP_SYS_ADMIN))
 		return -EPERM;
 	/*
 	 * The sock->type specifies the socket type to use.
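Review bot: The two arguments to capable_any() are no longer interchangeable the way the two short-circuited capable() calls were, yet nothing at the call site says why CAP_NET_ADMIN now comes first; if the helper audits only a failed check of its second argument (that appears to be the purpose of the series, but its body is not in this patch), the argument order decides which denial reaches the audit log. A one-line comment above the call, `/* argument order matters for audit, see capable_any() */`, would record that for the next reader. The same swap happens without mention in net/ieee802154/socket.c (the WPAN_SECURITY and WPAN_SECURITY_LEVEL hunks), where the removed lines tested CAP_NET_ADMIN before CAP_NET_RAW and the added lines reverse them; the message's "Reorder CAP_SYS_ADMIN last" does not cover that change, so either keep the old order there or state it. caif_create() starts and ends outside the hunk.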
diff --git a/net/core/sock.c b/net/core/sock.c
index 2ff40dd0a7a6..6b04301982d8 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1163,8 +1163,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
 
 	case SO_PRIORITY:
 		if ((val >= 0 && val <= 6) ||
-		    ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) ||
-		    ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
+		    ns_capable_any(sock_net(sk)->user_ns, CAP_NET_RAW, CAP_NET_ADMIN))
 			sk->sk_priority = val;
 		else
 			ret = -EPERM;
@@ -1309,8 +1308,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
 			clear_bit(SOCK_PASSSEC, &sock->flags);
 		break;
 	case SO_MARK:
-		if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) &&
-		    !ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+		if (!ns_capable_any(sock_net(sk)->user_ns, CAP_NET_RAW, CAP_NET_ADMIN)) {
 			ret = -EPERM;
 			break;
 		}
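Review bot: The expression `ns_capable_any(sock_net(sk)->user_ns, CAP_NET_RAW, CAP_NET_ADMIN)` is now spelled out identically here, in the SO_RCVMARK hunk and in the __sock_cmsg_send() SO_MARK hunk below; since all three guard the same mark-related privilege, a file-local helper would keep them from drifting apart: `static bool sock_mark_capable(const struct sock *sk)` `{ return ns_capable_any(sock_net(sk)->user_ns, CAP_NET_RAW, CAP_NET_ADMIN); }` with `if (!sock_mark_capable(sk)) {` at each site. This is a point of style only; the check itself is unchanged. sock_setsockopt() starts and ends outside the hunk.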
@@ -1318,8 +1316,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
 		__sock_set_mark(sk, val);
 		break;
 	case SO_RCVMARK:
-		if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) &&
-		    !ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+		if (!ns_capable_any(sock_net(sk)->user_ns, CAP_NET_RAW, CAP_NET_ADMIN)) {
 			ret = -EPERM;
 			break;
 		}
@@ -2680,8 +2677,7 @@ int __sock_cmsg_send(struct sock *sk, struct msghdr *msg, struct cmsghdr *cmsg,
 
 	switch (cmsg->cmsg_type) {
 	case SO_MARK:
-		if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) &&
-		    !ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
+		if (!ns_capable_any(sock_net(sk)->user_ns, CAP_NET_RAW, CAP_NET_ADMIN))
 			return -EPERM;
 		if (cmsg->cmsg_len != CMSG_LEN(sizeof(u32)))
 			return -EINVAL;
diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index 718fb77bb372..882483602c27 100644
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -894,8 +894,7 @@ static int dgram_setsockopt(struct sock *sk, int level, int optname,
 		ro->want_lqi = !!val;
 		break;
 	case WPAN_SECURITY:
-		if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
-		    !ns_capable(net->user_ns, CAP_NET_RAW)) {
+		if (!ns_capable_any(net->user_ns, CAP_NET_RAW, CAP_NET_ADMIN)) {
 			err = -EPERM;
 			break;
 		}
@@ -918,8 +917,7 @@ static int dgram_setsockopt(struct sock *sk, int level, int optname,
 		}
 		break;
 	case WPAN_SECURITY_LEVEL:
-		if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
-		    !ns_capable(net->user_ns, CAP_NET_RAW)) {
+		if (!ns_capable_any(net->user_ns, CAP_NET_RAW, CAP_NET_ADMIN)) {
 			err = -EPERM;
 			break;
 		}
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 445a9ecaefa1..2da0a450edf6 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1339,8 +1339,7 @@ static int do_ip_setsockopt(struct sock *sk, int level, int optname,
 		break;
 
 	case IP_TRANSPARENT:
-		if (!!val && !ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) &&
-		    !ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+		if (!!val && !ns_capable_any(sock_net(sk)->user_ns, CAP_NET_RAW, CAP_NET_ADMIN)) {
 			err = -EPERM;
 			break;
 		}
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 222f6bf220ba..25babd7ce844 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -634,8 +634,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
 		break;
 
 	case IPV6_TRANSPARENT:
-		if (valbool && !ns_capable(net->user_ns, CAP_NET_RAW) &&
-		    !ns_capable(net->user_ns, CAP_NET_ADMIN)) {
+		if (valbool && !ns_capable_any(net->user_ns, CAP_NET_RAW, CAP_NET_ADMIN)) {
 			retv = -EPERM;
 			break;
 		}
diff --git a/net/unix/scm.c b/net/unix/scm.c
index aa27a02478dc..6c47baf04d7d 100644
--- a/net/unix/scm.c
+++ b/net/unix/scm.c
@@ -99,7 +99,7 @@ static inline bool too_many_unix_fds(struct task_struct *p)
 	struct user_struct *user = current_user();
 
 	if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
-		return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
+		return !capable_any(CAP_SYS_RESOURCE, CAP_SYS_ADMIN);
 	return false;
 }
 
-- 
2.36.1

