From: "Christian Göttsche" <cgzones@googlemail.com>
To: linux-security-module@vger.kernel.org
Cc: Miquel Raynal <miquel.raynal@bootlin.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Alexander Aring <alex.aring@gmail.com>,
Stefan Schmidt <stefan@datenfreihafen.org>,
David Ahern <dsahern@kernel.org>,
David Howells <dhowells@redhat.com>,
Marc Kleine-Budde <mkl@pengutronix.de>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
Abel Wu <wuyun.abel@bytedance.com>,
Breno Leitao <leitao@debian.org>,
Alexander Mikhalitsyn <alexander@mihalicyn.com>,
John Fastabend <john.fastabend@gmail.com>,
Daan De Meyer <daan.j.demeyer@gmail.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-wpan@vger.kernel.org, bpf@vger.kernel.org
Subject: [PATCH 08/10] net: use new capable_any functionality
Date: Fri, 15 Mar 2024 12:37:29 +0100 [thread overview]
Message-ID: <20240315113828.258005-8-cgzones@googlemail.com> (raw)
In-Reply-To: <20240315113828.258005-1-cgzones@googlemail.com>
Use the new added capable_any function in appropriate cases, where a
task is required to have any of two capabilities.
Add sock_ns_capable_any() wrapper similar to existing sock_ns_capable()
one.
Reorder CAP_SYS_ADMIN last.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> (ieee802154 portion)
---
v4:
- introduce sockopt_ns_capable_any()
v3:
- rename to capable_any()
- make use of ns_capable_any
---
include/net/sock.h | 1 +
net/caif/caif_socket.c | 2 +-
net/core/sock.c | 15 +++++++++------
net/ieee802154/socket.c | 6 ++----
net/ipv4/ip_sockglue.c | 5 +++--
net/ipv6/ipv6_sockglue.c | 3 +--
net/unix/af_unix.c | 2 +-
7 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/include/net/sock.h b/include/net/sock.h
index b5e00702acc1..2e64a80c8fca 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1736,6 +1736,7 @@ static inline void unlock_sock_fast(struct sock *sk, bool slow)
void sockopt_lock_sock(struct sock *sk);
void sockopt_release_sock(struct sock *sk);
bool sockopt_ns_capable(struct user_namespace *ns, int cap);
+bool sockopt_ns_capable_any(struct user_namespace *ns, int cap1, int cap2);
bool sockopt_capable(int cap);
/* Used by processes to "lock" a socket state, so that
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 039dfbd367c9..2d811037e378 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -1026,7 +1026,7 @@ static int caif_create(struct net *net, struct socket *sock, int protocol,
.usersize = sizeof_field(struct caifsock, conn_req.param)
};
- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_NET_ADMIN))
+ if (!capable_any(CAP_NET_ADMIN, CAP_SYS_ADMIN))
return -EPERM;
/*
* The sock->type specifies the socket type to use.
diff --git a/net/core/sock.c b/net/core/sock.c
index 43bf3818c19e..fa9edcc3e23d 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1077,6 +1077,12 @@ bool sockopt_ns_capable(struct user_namespace *ns, int cap)
}
EXPORT_SYMBOL(sockopt_ns_capable);
+bool sockopt_ns_capable_any(struct user_namespace *ns, int cap1, int cap2)
+{
+ return has_current_bpf_ctx() || ns_capable_any(ns, cap1, cap2);
+}
+EXPORT_SYMBOL(sockopt_ns_capable_any);
+
bool sockopt_capable(int cap)
{
return has_current_bpf_ctx() || capable(cap);
@@ -1118,8 +1124,7 @@ int sk_setsockopt(struct sock *sk, int level, int optname,
switch (optname) {
case SO_PRIORITY:
if ((val >= 0 && val <= 6) ||
- sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) ||
- sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+ sockopt_ns_capable_any(sock_net(sk)->user_ns, CAP_NET_RAW, CAP_NET_ADMIN)) {
sock_set_priority(sk, val);
return 0;
}
@@ -1422,8 +1427,7 @@ int sk_setsockopt(struct sock *sk, int level, int optname,
break;
case SO_MARK:
- if (!sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) &&
- !sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+ if (!sockopt_ns_capable_any(sock_net(sk)->user_ns, CAP_NET_RAW, CAP_NET_ADMIN)) {
ret = -EPERM;
break;
}
@@ -2813,8 +2817,7 @@ int __sock_cmsg_send(struct sock *sk, struct cmsghdr *cmsg,
switch (cmsg->cmsg_type) {
case SO_MARK:
- if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) &&
- !ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
+ if (!ns_capable_any(sock_net(sk)->user_ns, CAP_NET_RAW, CAP_NET_ADMIN))
return -EPERM;
if (cmsg->cmsg_len != CMSG_LEN(sizeof(u32)))
return -EINVAL;
diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index 990a83455dcf..42b3b12eb493 100644
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -902,8 +902,7 @@ static int dgram_setsockopt(struct sock *sk, int level, int optname,
ro->want_lqi = !!val;
break;
case WPAN_SECURITY:
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_NET_RAW)) {
+ if (!ns_capable_any(net->user_ns, CAP_NET_ADMIN, CAP_NET_RAW)) {
err = -EPERM;
break;
}
@@ -926,8 +925,7 @@ static int dgram_setsockopt(struct sock *sk, int level, int optname,
}
break;
case WPAN_SECURITY_LEVEL:
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_NET_RAW)) {
+ if (!ns_capable_any(net->user_ns, CAP_NET_ADMIN, CAP_NET_RAW)) {
err = -EPERM;
break;
}
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index cf377377b52d..5a1e5ee20ddd 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1008,8 +1008,9 @@ int do_ip_setsockopt(struct sock *sk, int level, int optname,
inet_assign_bit(MC_ALL, sk, val);
return 0;
case IP_TRANSPARENT:
- if (!!val && !sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) &&
- !sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
+ if (!!val &&
+ !sockopt_ns_capable_any(sock_net(sk)->user_ns,
+ CAP_NET_RAW, CAP_NET_ADMIN))
return -EPERM;
if (optlen < 1)
return -EINVAL;
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index d4c28ec1bc51..e46b11b5d3dd 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -773,8 +773,7 @@ int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
break;
case IPV6_TRANSPARENT:
- if (valbool && !sockopt_ns_capable(net->user_ns, CAP_NET_RAW) &&
- !sockopt_ns_capable(net->user_ns, CAP_NET_ADMIN)) {
+ if (valbool && !sockopt_ns_capable_any(net->user_ns, CAP_NET_RAW, CAP_NET_ADMIN)) {
retv = -EPERM;
break;
}
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 5b41e2321209..acc36b2d25d7 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1783,7 +1783,7 @@ static inline bool too_many_unix_fds(struct task_struct *p)
struct user_struct *user = current_user();
if (unlikely(READ_ONCE(user->unix_inflight) > task_rlimit(p, RLIMIT_NOFILE)))
- return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
+ return !capable_any(CAP_SYS_RESOURCE, CAP_SYS_ADMIN);
return false;
}
--
2.43.0
next prev parent reply other threads:[~2024-03-15 11:39 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-15 11:37 [PATCH 01/10] capability: introduce new capable flag CAP_OPT_NOAUDIT_ONDENY Christian Göttsche
2024-03-15 11:37 ` [PATCH 02/10] capability: add any wrappers to test for multiple caps with exactly one audit message Christian Göttsche
2024-03-15 16:45 ` Andrii Nakryiko
2024-03-15 18:27 ` Christian Göttsche
2024-03-15 18:30 ` Andrii Nakryiko
2024-03-15 18:41 ` Jens Axboe
2024-03-15 19:48 ` Paul Moore
2024-03-15 21:16 ` Andrii Nakryiko
2024-03-16 17:17 ` Jens Axboe
2024-03-15 20:19 ` Serge Hallyn
2024-03-15 11:37 ` [PATCH 03/10] capability: use new capable_any functionality Christian Göttsche
2024-03-15 16:46 ` Andrii Nakryiko
2024-03-15 11:37 ` [PATCH 04/10] block: " Christian Göttsche
2024-03-15 11:37 ` [PATCH 05/10] drivers: " Christian Göttsche
2024-03-15 15:03 ` Felix Kuehling
2024-03-15 11:37 ` [PATCH 06/10] fs: " Christian Göttsche
2024-03-15 11:37 ` [PATCH 07/10] kernel: " Christian Göttsche
2024-03-15 15:03 ` Tycho Andersen
2024-03-15 11:37 ` Christian Göttsche [this message]
2024-03-15 23:11 ` [PATCH 08/10] net: " Kuniyuki Iwashima
2024-03-15 11:37 ` [PATCH 09/10] bpf: " Christian Göttsche
2024-03-15 16:43 ` Andrii Nakryiko
2024-03-15 11:37 ` [PATCH 10/10] coccinelle: add script for capable_any() Christian Göttsche
2024-03-15 11:37 ` [PATCH 00/10] Introduce capable_any() Christian Göttsche
2024-03-15 19:59 ` [PATCH 01/10] capability: introduce new capable flag CAP_OPT_NOAUDIT_ONDENY Serge Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240315113828.258005-8-cgzones@googlemail.com \
--to=cgzones@googlemail.com \
--cc=alex.aring@gmail.com \
--cc=alexander@mihalicyn.com \
--cc=bpf@vger.kernel.org \
--cc=daan.j.demeyer@gmail.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.com \
--cc=leitao@debian.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-wpan@vger.kernel.org \
--cc=miquel.raynal@bootlin.com \
--cc=mkl@pengutronix.de \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stefan@datenfreihafen.org \
--cc=wuyun.abel@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.