| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230522155632.205ac884@xps-13>
Date: Mon, 22 May 2023 15:56:32 +0200
From: Miquel Raynal <miquel.raynal@...tlin.com>
To: Christian Göttsche <cgzones@...glemail.com>
Cc: selinux@...r.kernel.org, "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Alexander Aring <alex.aring@...il.com>,
Stefan Schmidt <stefan@...enfreihafen.org>,
David Ahern <dsahern@...nel.org>,
Keith Busch <kbusch@...nel.org>,
Kuniyuki Iwashima <kuniyu@...zon.com>,
Christophe JAILLET <christophe.jaillet@...adoo.fr>,
Alexei Starovoitov <ast@...nel.org>,
Martin KaFai Lau <martin.lau@...nel.org>,
Xin Long <lucien.xin@...il.com>,
Alexander Duyck <alexanderduyck@...com>,
Jason Xing <kernelxing@...cent.com>,
Jens Axboe <axboe@...nel.dk>,
Pavel Begunkov <asml.silence@...il.com>,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-wpan@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: [PATCH v4 9/9] net: use new capable_any functionality
Hi Christian,
cgzones@...glemail.com wrote on Thu, 11 May 2023 16:25:32 +0200:
> Use the new added capable_any function in appropriate cases, where a
> task is required to have any of two capabilities.
>
> Add sock_ns_capable_any() wrapper similar to existing sock_ns_capable()
> one.
>
> Reorder CAP_SYS_ADMIN last.
>
> Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
> ---
> v4:
> - introduce sockopt_ns_capable_any()
> v3:
> - rename to capable_any()
> - make use of ns_capable_any
> Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
> ---
> include/net/sock.h | 1 +
> net/caif/caif_socket.c | 2 +-
> net/core/sock.c | 18 ++++++++++--------
> net/ieee802154/socket.c | 6 ++----
> net/ipv4/ip_sockglue.c | 4 ++--
> net/ipv6/ipv6_sockglue.c | 3 +--
> net/unix/scm.c | 2 +-
> 7 files changed, 18 insertions(+), 18 deletions(-)
>
[...]
> diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
> index 1fa2fe041ec0..f9bc6cae4af9 100644
> --- a/net/ieee802154/socket.c
> +++ b/net/ieee802154/socket.c
> @@ -904,8 +904,7 @@ static int dgram_setsockopt(struct sock *sk, int level, int optname,
> ro->want_lqi = !!val;
> break;
> case WPAN_SECURITY:
> - if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
> - !ns_capable(net->user_ns, CAP_NET_RAW)) {
> + if (!ns_capable_any(net->user_ns, CAP_NET_ADMIN, CAP_NET_RAW)) {
> err = -EPERM;
> break;
> }
> @@ -928,8 +927,7 @@ static int dgram_setsockopt(struct sock *sk, int level, int optname,
> }
> break;
> case WPAN_SECURITY_LEVEL:
> - if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
> - !ns_capable(net->user_ns, CAP_NET_RAW)) {
> + if (!ns_capable_any(net->user_ns, CAP_NET_ADMIN, CAP_NET_RAW)) {
> err = -EPERM;
> break;
> }
I was not noticed this was applied already, so, for ieee802154:
Reviewed-by: Miquel Raynal <miquel.raynal@...tlin.com>
Thanks,
Miquèl
Powered by blists - more mailing lists