lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAEf4Bza0cpQM4Vz-JVDanr6b+LmJPxehcvmxX1++WQwBji9-Pg@mail.gmail.com>
Date: Fri, 15 Mar 2024 09:43:58 -0700
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Christian Göttsche <cgzones@...glemail.com>
Cc: linux-security-module@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>, 
	Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, 
	Martin KaFai Lau <martin.lau@...ux.dev>, Eduard Zingerman <eddyz87@...il.com>, Song Liu <song@...nel.org>, 
	Yonghong Song <yonghong.song@...ux.dev>, John Fastabend <john.fastabend@...il.com>, 
	KP Singh <kpsingh@...nel.org>, Stanislav Fomichev <sdf@...gle.com>, Hao Luo <haoluo@...gle.com>, 
	Jiri Olsa <jolsa@...nel.org>, bpf@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 09/10] bpf: use new capable_any functionality

On Fri, Mar 15, 2024 at 4:39 AM Christian Göttsche
<cgzones@...glemail.com> wrote:
>
> Use the new added capable_any function in bpf_token_capable() and
> bpf_net_capable() implementations.
>
> Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
> ---
> v5:
>    add patch
> ---
>  include/linux/bpf.h  | 2 +-
>  kernel/bpf/syscall.c | 2 +-
>  kernel/bpf/token.c   | 2 +-
>  3 files changed, 3 insertions(+), 3 deletions(-)
>

It's actually a nice readability improvement, thanks!

Acked-by: Andrii Nakryiko <andrii@...nel.org>

> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index 4f20f62f9d63..bdadf3291bec 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -2701,7 +2701,7 @@ static inline int bpf_obj_get_user(const char __user *pathname, int flags)
>
>  static inline bool bpf_token_capable(const struct bpf_token *token, int cap)
>  {
> -       return capable(cap) || (cap != CAP_SYS_ADMIN && capable(CAP_SYS_ADMIN));
> +       return capable_any(cap, CAP_SYS_ADMIN);
>  }
>
>  static inline void bpf_token_inc(struct bpf_token *token)
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index ae2ff73bde7e..a10e6f77002c 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -1175,7 +1175,7 @@ static int map_check_btf(struct bpf_map *map, struct bpf_token *token,
>
>  static bool bpf_net_capable(void)
>  {
> -       return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN);
> +       return capable_any(CAP_NET_ADMIN, CAP_SYS_ADMIN);
>  }
>
>  #define BPF_MAP_CREATE_LAST_FIELD map_token_fd
> diff --git a/kernel/bpf/token.c b/kernel/bpf/token.c
> index d6ccf8d00eab..53f491046a8d 100644
> --- a/kernel/bpf/token.c
> +++ b/kernel/bpf/token.c
> @@ -11,7 +11,7 @@
>
>  static bool bpf_ns_capable(struct user_namespace *ns, int cap)
>  {
> -       return ns_capable(ns, cap) || (cap != CAP_SYS_ADMIN && ns_capable(ns, CAP_SYS_ADMIN));
> +       return ns_capable_any(ns, cap, CAP_SYS_ADMIN);
>  }
>
>  bool bpf_token_capable(const struct bpf_token *token, int cap)
> --
> 2.43.0
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ