lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Sun, 22 May 2022 12:33:00 -0500
From:   "Serge E. Hallyn" <serge@...lyn.com>
To:     "Serge E. Hallyn" <serge@...lyn.com>
Cc:     Christian Göttsche <cgzones@...glemail.com>,
        selinux@...r.kernel.org, "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        Florian Fainelli <f.fainelli@...il.com>,
        Alexander Aring <aahringo@...hat.com>,
        Ziyang Xuan <william.xuanziyang@...wei.com>,
        Eric Dumazet <edumazet@...gle.com>,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH v2 8/8] net: use new capable_or functionality

On Mon, May 09, 2022 at 12:15:09PM -0500, Serge E. Hallyn wrote:
> On Mon, May 02, 2022 at 06:00:29PM +0200, Christian Göttsche wrote:
> > Use the new added capable_or function in appropriate cases, where a task
> > is required to have any of two capabilities.
> > 
> > Reorder CAP_SYS_ADMIN last.
> > 
> > Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
> 
> Thanks, for 2-8:
> 
> Reviewed-by: Serge Hallyn <serge@...lyn.com>
> 
> though I'd still like to talk about the name :)

Just checking in - is this being discussed elsewhere?

> > ---
> >  net/caif/caif_socket.c | 2 +-
> >  net/unix/scm.c         | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
> > index 2b8892d502f7..60498148126c 100644
> > --- a/net/caif/caif_socket.c
> > +++ b/net/caif/caif_socket.c
> > @@ -1036,7 +1036,7 @@ static int caif_create(struct net *net, struct socket *sock, int protocol,
> >  		.usersize = sizeof_field(struct caifsock, conn_req.param)
> >  	};
> >  
> > -	if (!capable(CAP_SYS_ADMIN) && !capable(CAP_NET_ADMIN))
> > +	if (!capable_or(CAP_NET_ADMIN, CAP_SYS_ADMIN))
> >  		return -EPERM;
> >  	/*
> >  	 * The sock->type specifies the socket type to use.
> > diff --git a/net/unix/scm.c b/net/unix/scm.c
> > index aa27a02478dc..821be80e6c85 100644
> > --- a/net/unix/scm.c
> > +++ b/net/unix/scm.c
> > @@ -99,7 +99,7 @@ static inline bool too_many_unix_fds(struct task_struct *p)
> >  	struct user_struct *user = current_user();
> >  
> >  	if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
> > -		return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
> > +		return !capable_or(CAP_SYS_RESOURCE, CAP_SYS_ADMIN);
> >  	return false;
> >  }
> >  
> > -- 
> > 2.36.0

Powered by blists - more mailing lists