| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220509171509.GB28406@mail.hallyn.com>
Date: Mon, 9 May 2022 12:15:09 -0500
From: "Serge E. Hallyn" <serge@...lyn.com>
To: Christian Göttsche <cgzones@...glemail.com>
Cc: selinux@...r.kernel.org, Serge Hallyn <serge@...lyn.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Florian Fainelli <f.fainelli@...il.com>,
Alexander Aring <aahringo@...hat.com>,
Ziyang Xuan <william.xuanziyang@...wei.com>,
Eric Dumazet <edumazet@...gle.com>,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH v2 8/8] net: use new capable_or functionality
On Mon, May 02, 2022 at 06:00:29PM +0200, Christian Göttsche wrote:
> Use the new added capable_or function in appropriate cases, where a task
> is required to have any of two capabilities.
>
> Reorder CAP_SYS_ADMIN last.
>
> Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
Thanks, for 2-8:
Reviewed-by: Serge Hallyn <serge@...lyn.com>
though I'd still like to talk about the name :)
> ---
> net/caif/caif_socket.c | 2 +-
> net/unix/scm.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
> index 2b8892d502f7..60498148126c 100644
> --- a/net/caif/caif_socket.c
> +++ b/net/caif/caif_socket.c
> @@ -1036,7 +1036,7 @@ static int caif_create(struct net *net, struct socket *sock, int protocol,
> .usersize = sizeof_field(struct caifsock, conn_req.param)
> };
>
> - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_NET_ADMIN))
> + if (!capable_or(CAP_NET_ADMIN, CAP_SYS_ADMIN))
> return -EPERM;
> /*
> * The sock->type specifies the socket type to use.
> diff --git a/net/unix/scm.c b/net/unix/scm.c
> index aa27a02478dc..821be80e6c85 100644
> --- a/net/unix/scm.c
> +++ b/net/unix/scm.c
> @@ -99,7 +99,7 @@ static inline bool too_many_unix_fds(struct task_struct *p)
> struct user_struct *user = current_user();
>
> if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
> - return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
> + return !capable_or(CAP_SYS_RESOURCE, CAP_SYS_ADMIN);
> return false;
> }
>
> --
> 2.36.0
Powered by blists - more mailing lists