| Field | Value |
|---|---|
| Message ID | 20250302160657.127253-7-cgoettsche@seltendoof.de |
| State | New |
| Series | [v2,01/11] coccinelle: Add script to reorder capable() calls |
On Sun, Mar 2, 2025 at 5:07 PM Christian Göttsche <cgoettsche@seltendoof.de> wrote:
>
> From: Christian Göttsche <cgzones@googlemail.com>
>
> capable() calls refer to enabled LSMs whether to permit or deny the
> request. This is relevant in connection with SELinux, where a
> capability check results in a policy decision and by default a denial
> message on insufficient permission is issued.
> It can lead to three undesired cases:
> 1. A denial message is generated, even in case the operation was an
>    unprivileged one and thus the syscall succeeded, creating noise.
> 2. To avoid the noise from 1. the policy writer adds a rule to ignore
>    those denial messages, hiding future syscalls, where the task
>    performs an actual privileged operation, leading to hidden limited
>    functionality of that task.
> 3. To avoid the noise from 1. the policy writer adds a rule to permit
>    the task the requested capability, while it does not need it,
>    violating the principle of least privilege.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> Reviewed-by: Serge Hallyn <serge@hallyn.com>

Reviewed-by: Eric Dumazet <edumazet@google.com>
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 57df7c1d2faa..9828bc5712b7 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -3419,8 +3419,8 @@ EXPORT_SYMBOL(tcp_disconnect); static inline bool tcp_can_repair_sock(const struct sock *sk) { - return sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN) && - (sk->sk_state != TCP_LISTEN); + return (sk->sk_state != TCP_LISTEN) && + sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN); } static int tcp_repair_set_window(struct tcp_sock *tp, sockptr_t optbuf, int len)
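Review bot: the commit message is the generic series text and never names tcp_can_repair_sock() or says what concretely changes for it; please add a sentence such as "In tcp_can_repair_sock(), check sk_state first so that a TCP_LISTEN socket no longer triggers a CAP_NET_ADMIN check (and a possible SELinux denial record) for a call that is going to return false anyway." The swap is otherwise sound: `sk->sk_state != TCP_LISTEN` is a side-effect-free read, `sockopt_ns_capable()` returns a bool whose only externally visible effect is the LSM hook and its audit record, and `&&` short-circuits, so the function's return value is identical for every input and the only behavioural change is that the capability hook is no longer reached in the listen case.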