From patchwork Thu Feb 17 14:49:55 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12750325 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 11A37C433FE for ; Thu, 17 Feb 2022 14:50:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242207AbiBQOvG (ORCPT ); Thu, 17 Feb 2022 09:51:06 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:44840 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242167AbiBQOuv (ORCPT ); Thu, 17 Feb 2022 09:50:51 -0500 Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 19BF22B2C6F; Thu, 17 Feb 2022 06:50:35 -0800 (PST) Received: by mail-ej1-x629.google.com with SMTP id qx21so7800480ejb.13; Thu, 17 Feb 2022 06:50:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=bX4TrrpbZWiTDtSIiT+79S67gmaAnm5bGwmVO1NuSaM=; b=INiSgLKiZpd7dkFaBTgJO5utgSFoQdXv4fgSV9t8ZaT0Aa4oE8no3YEP0fG0z87iP6 0neFvpN6KRJaAgF7vHhHZgilrvEAg1ujDmhaU0aBe/zbnRaiCDGgsWqERRjGbz6lzmA/ M5/z+urnhGk/sNEsVFVP8L5xp1uM2O9v/XlZIFF/MYUubGAl3paCezVSNmdIheyiR5dz 4BQW3IfODw9WJSASxFdJ+ZRvvYYcHKZAmfgbsO94ReZgKARUBeW6tPT9fQ4H2Iu6B715 V95114focf3bSh6vfrpYGa5hdJDKkqe56stHtsTZu3oIcuvpmX3na3MGV9sZtli5icWv t+7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=bX4TrrpbZWiTDtSIiT+79S67gmaAnm5bGwmVO1NuSaM=; b=yDhqVP0X8++vzP3prPMKkjN+8eYiTafWngNQnxag1FI/faG3DtPRjbMsP+no7EWMFC WQaCL714C0W/ntlPReELamQJJAYM2LykE4EYbJeRJwhsQhA190WUzqPRGYwgrgJknV8y O3Mm01IiHhp2Z/66eyWcDww3hw1CmLxqMN3BNpU4pfoywZ/RF9ncL8/HzZHKnYJCWd77 KHUk4flxd/S1Xpf2AgS3WyoSOBZpH45kKPGHZFZKrKexIo6ULOo9XNloW4U9CutC2rAE 5leukRfl19HKaBfmuanhhs5OdVLBi6GfIyMUCp8t/0SwesERepKAC2HDGPIAiMC2QD7s joSw== X-Gm-Message-State: AOAM533dcP+HTWzDTvbDBjM0UR8ozeGpjOcurpgrMLDxQ5HvRvsS9CGL yWyPtZAS3FUeD5iPDMnZHLH0vd0dTyMrQQ== X-Google-Smtp-Source: ABdhPJwpRuHRfCrHVQHWKpujlie3WcZ/GvHjEtRFarRLhOXe19/veEIQOXoHV7bx7XTQb50KV2pzBA== X-Received: by 2002:a17:906:c405:b0:6ce:7100:8cf1 with SMTP id u5-20020a170906c40500b006ce71008cf1mr2795143ejz.722.1645109433610; Thu, 17 Feb 2022 06:50:33 -0800 (PST) Received: from debianHome.localdomain (dynamic-077-001-066-240.77.1.pool.telefonica.de. [77.1.66.240]) by smtp.gmail.com with ESMTPSA id c11sm3580270edx.42.2022.02.17.06.50.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Feb 2022 06:50:33 -0800 (PST) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Cc: Serge Hallyn , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [RFC PATCH 1/2] capability: add capable_or to test for multiple caps with exactly one audit message Date: Thu, 17 Feb 2022 15:49:55 +0100 Message-Id: <20220217145003.78982-2-cgzones@googlemail.com> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220217145003.78982-1-cgzones@googlemail.com> References: <20220217145003.78982-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: Add the interface `capable_or()` as an alternative to or multiple `capable()` calls, like `capable_or(CAP_SYS_NICE, CAP_SYS_ADMIN)` instead of `capable(CAP_SYS_NICE) || capable(CAP_SYS_ADMIN)`. `capable_or()` will in particular generate exactly one audit message, either for the left most capability in effect or, if the task has none, the first one. This is especially helpful with regard to SELinux, where each audit message about a not allowed capability will create an avc denial. Using this function with the least invasive capability as left most argument (e.g. CAP_SYS_NICE before CAP_SYS_ADMIN) enables policy writers to only allow the least invasive one and SELinux domains pass this check with only capability:sys_nice or capability:sys_admin allowed without any avc denial message. Signed-off-by: Christian Göttsche --- include/linux/capability.h | 6 +++++ kernel/capability.c | 48 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/include/linux/capability.h b/include/linux/capability.h index 65efb74c3585..5c55687a9a05 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -207,6 +207,8 @@ extern bool has_ns_capability(struct task_struct *t, extern bool has_capability_noaudit(struct task_struct *t, int cap); extern bool has_ns_capability_noaudit(struct task_struct *t, struct user_namespace *ns, int cap); +#define capable_or(...) _capable_or_impl((sizeof((int[]){__VA_ARGS__}) / sizeof(int)), __VA_ARGS__) +extern bool _capable_or_impl(int count, ...); extern bool capable(int cap); extern bool ns_capable(struct user_namespace *ns, int cap); extern bool ns_capable_noaudit(struct user_namespace *ns, int cap); @@ -230,6 +232,10 @@ static inline bool has_ns_capability_noaudit(struct task_struct *t, { return true; } +static inline bool capable_or(int first_cap, ...) +{ + return true; +} static inline bool capable(int cap) { return true; diff --git a/kernel/capability.c b/kernel/capability.c index 46a361dde042..5b73a58b914e 100644 --- a/kernel/capability.c +++ b/kernel/capability.c @@ -434,6 +434,54 @@ bool ns_capable_setid(struct user_namespace *ns, int cap) } EXPORT_SYMBOL(ns_capable_setid); +/** + * _capable_or - Determine if the current task has one of multiple superior capabilities in effect + * @cap: The capabilities to be tested for + * + * Return true if the current task has at least one of the given superior capabilities currently + * available for use, false if not. + * + * In contrast to or'ing capable() this call will create exactly one audit message, either for the + * left most capability in effect or (if the task has none of the tested capabilities) the first + * capabilit in the test list. + * + * The capabilities should be ordered from least to most invasive, i.e. CAP_SYS_ADMIN last. + * + * This sets PF_SUPERPRIV on the task if the capability is available on the + * assumption that it's about to be used. + */ +bool _capable_or_impl(int count, ...) +{ + va_list args; + const struct cred *cred = current_cred(); + int cap, first_cap, i; + + BUG_ON(count < 1); + BUG_ON(count > CAP_LAST_CAP); + + va_start(args, count); + + for (i = 0; i < count; i++) { + int ret; + + cap = va_arg(args, int); + if (i == 0) + first_cap = cap; + + ret = security_capable(cred, &init_user_ns, cap, CAP_OPT_NOAUDIT); + if (ret == 0) + goto out; + } + + /* if none of the capabilities was allowed, create an audit event for the first one */ + cap = first_cap; + +out: + va_end(args); + return ns_capable(&init_user_ns, cap); +} +EXPORT_SYMBOL(_capable_or_impl); + /** * capable - Determine if the current task has a superior capability in effect * @cap: The capability to be tested for From patchwork Thu Feb 17 14:49:54 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12750324 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6D96EC4321E for ; Thu, 17 Feb 2022 14:50:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242180AbiBQOux (ORCPT ); Thu, 17 Feb 2022 09:50:53 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:44672 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242126AbiBQOut (ORCPT ); Thu, 17 Feb 2022 09:50:49 -0500 Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 192CB29E957; Thu, 17 Feb 2022 06:50:34 -0800 (PST) Received: by mail-ed1-x52e.google.com with SMTP id u18so10074738edt.6; Thu, 17 Feb 2022 06:50:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=8I41jwLvAiCSwd4V/781omnso87v01pI1AY+lB5wImk=; b=Iupq1Tbr6TrNZdw13BJ6EY0qW3jW8QcWqrMnVX0DfbwV9HN8X6F1VFaQ/Vt4JiwKuI PKHeDAsE5jQo2oYFRH3qKrMg7Y7K10m0OisK4CQxgccvztoWVvEOVDbmSPyb1raXFLY6 o5nxC5aZSnG5edIofcjlhWKe4xkKLff54dudYJjGhfUtiRMhvaGqVm1r7MGHEDAXKahY 1G7DcLlAh6UPp9o/BEWcfQFzwTlY37PC9K7Ys9nIHgd5QmoP2TMvEHAReyoA4+aHzG4q Y5jTggvJqH2wT2nDtKj7XpD5BO7aSbyi7sWvheo/WNRORQls+Wg9QAN+r091a++WqKJr GsTg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=8I41jwLvAiCSwd4V/781omnso87v01pI1AY+lB5wImk=; b=ErvFcyuwCsaPWx3bnJD7oYy3GjZztkdKVGXba/4EFvyj3cVqGax/FTJ4UoorsFQrsQ jLBTOcqnDDs2wfsUxoH7yKOHV/MZkoa8iduo/OLH1MmXtmbTxFOdzXUwC2DDLMW+5H71 0GwUvGy0NtWhVhQd5/xzVGXwy7uwO9D98WCTEGVMYMk1FAdrGFZ2ZNdsENK2ZOmnv22E 1twA4uPtXa+QtchCxVLAlyAYF7EJtGqKBQdpfkG1RdmFoP1uaONP0zt2/pLzAFUOh15u 7AQtsMCT9ONv5Db2zq11PUG/0v1mAZf1cZpn7/8iney9aXwYxwuokcQugTu1uThGTQw+ WMAA== X-Gm-Message-State: AOAM5311NsIe0WE6YovXlMRa7Wv17gEvvscPAg6iNqv78H8F/1KY8tyU ULJauEKV57mxfgEUEIuGRRNeI7JvJ6QPHg== X-Google-Smtp-Source: ABdhPJxHWUoGbeHOtiGY24KhCoWJUu2GzbvuQ9rdb+BqJdqLvOi+M7qBX+pMk1LL7YH8WekmXc7HTw== X-Received: by 2002:a05:6402:168e:b0:410:d2a4:b0dd with SMTP id a14-20020a056402168e00b00410d2a4b0ddmr2908446edv.403.1645109432560; Thu, 17 Feb 2022 06:50:32 -0800 (PST) Received: from debianHome.localdomain (dynamic-077-001-066-240.77.1.pool.telefonica.de. [77.1.66.240]) by smtp.gmail.com with ESMTPSA id c11sm3580270edx.42.2022.02.17.06.50.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Feb 2022 06:50:32 -0800 (PST) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Cc: Jens Axboe , Hans Verkuil , Mauro Carvalho Chehab , "David S. Miller" , Jakub Kicinski , Stefan Haberland , Jan Hoeppner , Heiko Carstens , Vasily Gorbik , Christian Borntraeger , Alexander Gordeev , Sven Schnelle , Alexander Viro , Serge Hallyn , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , Zhen Lei , Arnd Bergmann , Laurent Pinchart , Julia Lawall , Greg Kroah-Hartman , Jiri Slaby , Pavel Skripkin , Du Cheng , "Eric W. Biederman" , Andrew Morton , Peter Zijlstra , Alexey Gladkov , David Hildenbrand , Rolf Eike Beer , Christian Brauner , Cyrill Gorcunov , Peter Collingbourne , Colin Cross , Davidlohr Bueso , Xiaofeng Cao , Nikolay Aleksandrov , Stefano Garzarella , Florian Fainelli , Ziyang Xuan , Alexander Aring , Eric Dumazet , Alistair Delva , Bart Van Assche , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, netdev@vger.kernel.org, linux-s390@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org Subject: [RFC PATCH 2/2] capability: use new capable_or functionality Date: Thu, 17 Feb 2022 15:49:54 +0100 Message-Id: <20220217145003.78982-1-cgzones@googlemail.com> X-Mailer: git-send-email 2.35.1 MIME-Version: 1.0 Precedence: bulk List-ID: Use the new added capable_or macro in appropriate cases, where a task is required to have any of two capabilities. Reorder CAP_SYS_ADMIN last. TODO: split into subsystem patches. Fixes: 94c4b4fd25e6 ("block: Check ADMIN before NICE for IOPRIO_CLASS_RT") Signed-off-by: Christian Göttsche --- block/ioprio.c | 9 +-------- drivers/media/common/saa7146/saa7146_video.c | 2 +- drivers/media/pci/bt8xx/bttv-driver.c | 3 +-- drivers/media/pci/saa7134/saa7134-video.c | 3 +-- drivers/media/platform/fsl-viu.c | 2 +- drivers/media/test-drivers/vivid/vivid-vid-cap.c | 2 +- drivers/net/caif/caif_serial.c | 2 +- drivers/s390/block/dasd_eckd.c | 2 +- fs/pipe.c | 2 +- include/linux/capability.h | 4 ++-- kernel/bpf/syscall.c | 2 +- kernel/fork.c | 2 +- kernel/sys.c | 2 +- net/caif/caif_socket.c | 2 +- net/unix/scm.c | 2 +- 15 files changed, 16 insertions(+), 25 deletions(-) diff --git a/block/ioprio.c b/block/ioprio.c index 2fe068fcaad5..52d5da286323 100644 --- a/block/ioprio.c +++ b/block/ioprio.c @@ -37,14 +37,7 @@ int ioprio_check_cap(int ioprio) switch (class) { case IOPRIO_CLASS_RT: - /* - * Originally this only checked for CAP_SYS_ADMIN, - * which was implicitly allowed for pid 0 by security - * modules such as SELinux. Make sure we check - * CAP_SYS_ADMIN first to avoid a denial/avc for - * possibly missing CAP_SYS_NICE permission. - */ - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_NICE)) + if (!capable_or(CAP_SYS_NICE, CAP_SYS_ADMIN)) return -EPERM; fallthrough; /* rt has prio field too */ diff --git a/drivers/media/common/saa7146/saa7146_video.c b/drivers/media/common/saa7146/saa7146_video.c index 66215d9106a4..5eabc2e77cc2 100644 --- a/drivers/media/common/saa7146/saa7146_video.c +++ b/drivers/media/common/saa7146/saa7146_video.c @@ -470,7 +470,7 @@ static int vidioc_s_fbuf(struct file *file, void *fh, const struct v4l2_framebuf DEB_EE("VIDIOC_S_FBUF\n"); - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RAWIO)) + if (!capable_or(CAP_SYS_RAWIO, CAP_SYS_ADMIN)) return -EPERM; /* check args */ diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c index 8cc9bec43688..c2437ff07246 100644 --- a/drivers/media/pci/bt8xx/bttv-driver.c +++ b/drivers/media/pci/bt8xx/bttv-driver.c @@ -2569,8 +2569,7 @@ static int bttv_s_fbuf(struct file *file, void *f, const struct bttv_format *fmt; int retval; - if (!capable(CAP_SYS_ADMIN) && - !capable(CAP_SYS_RAWIO)) + if (!capable_or(CAP_SYS_RAWIO, CAP_SYS_ADMIN)) return -EPERM; /* check args */ diff --git a/drivers/media/pci/saa7134/saa7134-video.c b/drivers/media/pci/saa7134/saa7134-video.c index 374c8e1087de..356b77c16f87 100644 --- a/drivers/media/pci/saa7134/saa7134-video.c +++ b/drivers/media/pci/saa7134/saa7134-video.c @@ -1803,8 +1803,7 @@ static int saa7134_s_fbuf(struct file *file, void *f, struct saa7134_dev *dev = video_drvdata(file); struct saa7134_format *fmt; - if (!capable(CAP_SYS_ADMIN) && - !capable(CAP_SYS_RAWIO)) + if (!capable_or(CAP_SYS_RAWIO, CAP_SYS_ADMIN)) return -EPERM; /* check args */ diff --git a/drivers/media/platform/fsl-viu.c b/drivers/media/platform/fsl-viu.c index a4bfa70b49b2..925c34c2b1b3 100644 --- a/drivers/media/platform/fsl-viu.c +++ b/drivers/media/platform/fsl-viu.c @@ -803,7 +803,7 @@ static int vidioc_s_fbuf(struct file *file, void *priv, const struct v4l2_frameb const struct v4l2_framebuffer *fb = arg; struct viu_fmt *fmt; - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RAWIO)) + if (!capable_or(CAP_SYS_RAWIO, CAP_SYS_ADMIN)) return -EPERM; /* check args */ diff --git a/drivers/media/test-drivers/vivid/vivid-vid-cap.c b/drivers/media/test-drivers/vivid/vivid-vid-cap.c index b9caa4b26209..a0cfcf6c22c4 100644 --- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c +++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c @@ -1253,7 +1253,7 @@ int vivid_vid_cap_s_fbuf(struct file *file, void *fh, if (dev->multiplanar) return -ENOTTY; - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RAWIO)) + if (!capable_or(CAP_SYS_RAWIO, CAP_SYS_ADMIN)) return -EPERM; if (dev->overlay_cap_owner) diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c index 2a7af611d43a..245c30c469c2 100644 --- a/drivers/net/caif/caif_serial.c +++ b/drivers/net/caif/caif_serial.c @@ -326,7 +326,7 @@ static int ldisc_open(struct tty_struct *tty) /* No write no play */ if (tty->ops->write == NULL) return -EOPNOTSUPP; - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_TTY_CONFIG)) + if (!capable_or(CAP_SYS_TTY_CONFIG, CAP_SYS_ADMIN)) return -EPERM; /* release devices to avoid name collision */ diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c index 8410a25a65c1..9b5d22dd3e7b 100644 --- a/drivers/s390/block/dasd_eckd.c +++ b/drivers/s390/block/dasd_eckd.c @@ -5319,7 +5319,7 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp) char psf0, psf1; int rc; - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RAWIO)) + if (!capable_or(CAP_SYS_RAWIO, CAP_SYS_ADMIN)) return -EACCES; psf0 = psf1 = 0; diff --git a/fs/pipe.c b/fs/pipe.c index cc28623a67b6..47dc9b59b7a5 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -775,7 +775,7 @@ bool too_many_pipe_buffers_hard(unsigned long user_bufs) bool pipe_is_unprivileged_user(void) { - return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); + return !capable_or(CAP_SYS_RESOURCE, CAP_SYS_ADMIN); } struct pipe_inode_info *alloc_pipe_info(void) diff --git a/include/linux/capability.h b/include/linux/capability.h index 5c55687a9a05..5ed55b73cb62 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -262,12 +262,12 @@ extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns); static inline bool perfmon_capable(void) { - return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN); + return capable_or(CAP_PERFMON, CAP_SYS_ADMIN); } static inline bool bpf_capable(void) { - return capable(CAP_BPF) || capable(CAP_SYS_ADMIN); + return capable_or(CAP_BPF, CAP_SYS_ADMIN); } static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index fa4505f9b611..108dd09f978a 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -2243,7 +2243,7 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr) !bpf_capable()) return -EPERM; - if (is_net_admin_prog_type(type) && !capable(CAP_NET_ADMIN) && !capable(CAP_SYS_ADMIN)) + if (is_net_admin_prog_type(type) && !capable_or(CAP_NET_ADMIN, CAP_SYS_ADMIN)) return -EPERM; if (is_perfmon_prog_type(type) && !perfmon_capable()) return -EPERM; diff --git a/kernel/fork.c b/kernel/fork.c index d75a528f7b21..067702f2eb15 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -2024,7 +2024,7 @@ static __latent_entropy struct task_struct *copy_process( retval = -EAGAIN; if (is_ucounts_overlimit(task_ucounts(p), UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC))) { if (p->real_cred->user != INIT_USER && - !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) + !capable_or(CAP_SYS_RESOURCE, CAP_SYS_ADMIN)) goto bad_fork_free; } current->flags &= ~PF_NPROC_EXCEEDED; diff --git a/kernel/sys.c b/kernel/sys.c index ecc4cf019242..9df6c5e77620 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -481,7 +481,7 @@ static int set_user(struct cred *new) */ if (is_ucounts_overlimit(new->ucounts, UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC)) && new_user != INIT_USER && - !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) + !capable_or(CAP_SYS_RESOURCE, CAP_SYS_ADMIN)) current->flags |= PF_NPROC_EXCEEDED; else current->flags &= ~PF_NPROC_EXCEEDED; diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c index 2b8892d502f7..60498148126c 100644 --- a/net/caif/caif_socket.c +++ b/net/caif/caif_socket.c @@ -1036,7 +1036,7 @@ static int caif_create(struct net *net, struct socket *sock, int protocol, .usersize = sizeof_field(struct caifsock, conn_req.param) }; - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_NET_ADMIN)) + if (!capable_or(CAP_NET_ADMIN, CAP_SYS_ADMIN)) return -EPERM; /* * The sock->type specifies the socket type to use. diff --git a/net/unix/scm.c b/net/unix/scm.c index aa27a02478dc..821be80e6c85 100644 --- a/net/unix/scm.c +++ b/net/unix/scm.c @@ -99,7 +99,7 @@ static inline bool too_many_unix_fds(struct task_struct *p) struct user_struct *user = current_user(); if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE))) - return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); + return !capable_or(CAP_SYS_RESOURCE, CAP_SYS_ADMIN); return false; }