lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20230522155632.205ac884@xps-13>
Date: Mon, 22 May 2023 15:56:32 +0200
From: Miquel Raynal <miquel.raynal@...tlin.com>
To: Christian Göttsche <cgzones@...glemail.com>
Cc: selinux@...r.kernel.org, "David S. Miller" <davem@...emloft.net>, Eric
 Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo
 Abeni <pabeni@...hat.com>, Alexander Aring <alex.aring@...il.com>, Stefan
 Schmidt <stefan@...enfreihafen.org>, David Ahern <dsahern@...nel.org>,
 Keith Busch <kbusch@...nel.org>, Kuniyuki Iwashima <kuniyu@...zon.com>,
 Christophe JAILLET <christophe.jaillet@...adoo.fr>, Alexei Starovoitov
 <ast@...nel.org>, Martin KaFai Lau <martin.lau@...nel.org>, Xin Long
 <lucien.xin@...il.com>, Alexander Duyck <alexanderduyck@...com>, Jason Xing
 <kernelxing@...cent.com>, Jens Axboe <axboe@...nel.dk>, Pavel Begunkov
 <asml.silence@...il.com>, netdev@...r.kernel.org,
 linux-kernel@...r.kernel.org, linux-wpan@...r.kernel.org,
 bpf@...r.kernel.org
Subject: Re: [PATCH v4 9/9] net: use new capable_any functionality

Hi Christian,

cgzones@...glemail.com wrote on Thu, 11 May 2023 16:25:32 +0200:

> Use the new added capable_any function in appropriate cases, where a
> task is required to have any of two capabilities.
> 
> Add sock_ns_capable_any() wrapper similar to existing sock_ns_capable()
> one.
> 
> Reorder CAP_SYS_ADMIN last.
> 
> Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
> ---
> v4:
>   - introduce sockopt_ns_capable_any()
> v3:
>   - rename to capable_any()
>   - make use of ns_capable_any
> Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
> ---
>  include/net/sock.h       |  1 +
>  net/caif/caif_socket.c   |  2 +-
>  net/core/sock.c          | 18 ++++++++++--------
>  net/ieee802154/socket.c  |  6 ++----
>  net/ipv4/ip_sockglue.c   |  4 ++--
>  net/ipv6/ipv6_sockglue.c |  3 +--
>  net/unix/scm.c           |  2 +-
>  7 files changed, 18 insertions(+), 18 deletions(-)
> 

[...]

> diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
> index 1fa2fe041ec0..f9bc6cae4af9 100644
> --- a/net/ieee802154/socket.c
> +++ b/net/ieee802154/socket.c
> @@ -904,8 +904,7 @@ static int dgram_setsockopt(struct sock *sk, int level, int optname,
>  		ro->want_lqi = !!val;
>  		break;
>  	case WPAN_SECURITY:
> -		if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
> -		    !ns_capable(net->user_ns, CAP_NET_RAW)) {
> +		if (!ns_capable_any(net->user_ns, CAP_NET_ADMIN, CAP_NET_RAW)) {
>  			err = -EPERM;
>  			break;
>  		}
> @@ -928,8 +927,7 @@ static int dgram_setsockopt(struct sock *sk, int level, int optname,
>  		}
>  		break;
>  	case WPAN_SECURITY_LEVEL:
> -		if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
> -		    !ns_capable(net->user_ns, CAP_NET_RAW)) {
> +		if (!ns_capable_any(net->user_ns, CAP_NET_ADMIN, CAP_NET_RAW)) {
>  			err = -EPERM;
>  			break;
>  		}

I was not noticed this was applied already, so, for ieee802154:

Reviewed-by: Miquel Raynal <miquel.raynal@...tlin.com>

Thanks,
Miquèl

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ