References: <20201030123849.770769-1-mic@digikod.net> <20201030123849.770769-3-mic@digikod.net>
In-Reply-To: <20201030123849.770769-3-mic@digikod.net>
From: Jann Horn
Date: Fri, 30 Oct 2020 16:34:03 +0100
Subject: Re: [PATCH v1 2/2] seccomp: Set PF_SUPERPRIV when checking capability
To: Mickaël Salaün
Cc: Christian Brauner, Kees Cook, Oleg Nesterov, Eric Paris, James Morris, "Serge E . Hallyn", Tyler Hicks, Will Drewry, kernel list, stable, Mickaël Salaün
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Oct 30, 2020 at 1:39 PM Mickaël Salaün wrote:
> Replace the use of security_capable(current_cred(), ...) with
> ns_capable_noaudit() which sets PF_SUPERPRIV.
>
> Since commit 98f368e9e263 ("kernel: Add noaudit variant of
> ns_capable()"), a new ns_capable_noaudit() helper is available. Let's
> use it!
>
> Cc: Jann Horn
> Cc: Kees Cook
> Cc: Tyler Hicks
> Cc: Will Drewry
> Cc: stable@vger.kernel.org
> Fixes: e2cfabdfd075 ("seccomp: add system call filtering using BPF")
> Signed-off-by: Mickaël Salaün

Reviewed-by: Jann Horn
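
Added example, not part of the original message or of the kernel patch: a user-space check for the PF_SUPERPRIV flag that the quoted commit message says ns_capable_noaudit() sets. It assumes the task flags are field 9 of /proc/<pid>/stat as documented in proc(5) and that PF_SUPERPRIV is 0x00000100 as defined in include/linux/sched.h; the function names and the two sample lines are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value, from include/linux/sched.h: "Used super-user privileges" */
#define PF_SUPERPRIV 0x00000100UL

/* Extract field 9 (task flags) from one /proc/<pid>/stat line.
 * Returns 0 on success, -1 if the line is malformed or truncated. */
int stat_task_flags(const char *line, unsigned long *flags)
{
    /* comm (field 2) may itself contain spaces and ')', so resume
     * parsing after the LAST ')' rather than splitting on spaces. */
    const char *p = strrchr(line, ')');
    char *end;
    unsigned long v;

    if (!p)
        return -1;
    p++;
    /* Skip fields 3..8: state ppid pgrp session tty_nr tpgid */
    for (int field = 3; field <= 8; field++) {
        while (*p == ' ') p++;
        if (*p == '\0')
            return -1;
        while (*p && *p != ' ') p++;
    }
    while (*p == ' ') p++;
    errno = 0;
    v = strtoul(p, &end, 10);
    if (end == p || errno)
        return -1;
    *flags = v;
    return 0;
}

/* Non-zero if the task has passed a capability check that set the flag. */
int used_superpriv(unsigned long flags) { return (flags & PF_SUPERPRIV) != 0; }

/* Constructed sample lines (truncated after a few fields past the flags). */
const char SAMPLE_PRIV[]   = "4242 (seccomp (test)) S 1 4242 4242 0 -1 4194560 100 0";
const char SAMPLE_UNPRIV[] = "4243 (bash) S 1 4243 4243 0 -1 4194304 100 0";

int main(void)
{
    unsigned long flags;
    if (stat_task_flags(SAMPLE_PRIV, &flags) == 0)
        printf("flags=%#lx PF_SUPERPRIV=%d\n", flags, used_superpriv(flags));
    return 0;
}
```
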