Received: by 2002:ab2:2994:0:b0:1ef:ca3e:3cd5 with SMTP id n20csp713665lqb; Fri, 15 Mar 2024 04:41:41 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCViAjYlPN/FBibUgm9/Ij0MLQnGMgydoMZISPZcYs1BiXLRK3YljtiExJfZh55T0Uhzaa2CIVC0wugSm35cLWeQa6F+IrD12wZqSJF74g== X-Google-Smtp-Source: AGHT+IEhwrUp9CRGmC/w7gLU5iDd/20PJ7YnyEp4vjiMKUh8BjSHI70id3mykPM78E+sCB1Q/0Ct X-Received: by 2002:a17:906:f104:b0:a46:9a59:d986 with SMTP id gv4-20020a170906f10400b00a469a59d986mr104192ejb.75.1710502900887; Fri, 15 Mar 2024 04:41:40 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1710502900; cv=pass; d=google.com; s=arc-20160816; b=eLiuq7ae8YpofdJoWBHawYi2gVpRWHQZXnx168zdVZaoGQmMaB9ZBkggCkHblswshV J9tTMqF7sGrbNuHMFEdUteNcTVgu4Nji574hcLBFfYq6r2idXvbPsITuicSUyLaIeFQh z2JRJIKr/BNbIdkwKUPsbtMGyM34zbD0DEPot3KgLk0nPwfXXMViJmhsD6mbOMcazZaW ShVHuFcrRRaSGb+MgIJWedZbsOOgoTTZ7pYBcQlOlxkohHiFs7PLho2ePYqU5sp30fnE rkFX6j4EEfT0YYsqF9i5XREvuzT9/MXAgL+0/J/ZJApY/zuOttMBKKzw9PxpwJ2Ttihx ubCw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=XFW6eqfgwfb8L9+rUjWWkl22JgKTa/YmYo+cAr3MkEM=; fh=T9QoajWtQYyuQzi90ND0foU92GyAS7/Y8gay0tekIYA=; b=Jqpo7ajz6YuLe0q6wgv72hHwqXUrUDrQtyeQXsnQ4SOOErPjQCw4X1Hxr2QR/3K72Z RBAJkGG7ck/tpaGVKJ0EfK0edCtSbijrs62RGeCmbYBcXXAsdNbN0+/6o5jGxd5tNS78 K/NSCLVHc0RYITlfbSqmEqUlT25UJva60ux7qCbkB5jZd45pfosAr1RNT2uIexN1K+Dl H1PoZ2l06UjF+WblS4UwFxn9vT8TM/pajml6KEL1G4dTA8i39HSpaUIqKX4T2jTgp2E/ RZzYTLehsxBUaLe9RCNrpNMwluBZycWA8Lslvsau7P1ozd4Ayo6re6szwig31iiuaAxL mRHQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@googlemail.com header.s=20230601 header.b=ejCgNeoc; arc=pass (i=1 spf=pass spfdomain=googlemail.com dkim=pass dkdomain=googlemail.com dmarc=pass fromdomain=googlemail.com); spf=pass (google.com: domain of linux-kernel+bounces-104358-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-104358-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id f19-20020a17090624d300b00a464d1cd3a3si1659130ejb.578.2024.03.15.04.41.40 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 Mar 2024 04:41:40 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-104358-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@googlemail.com header.s=20230601 header.b=ejCgNeoc; arc=pass (i=1 spf=pass spfdomain=googlemail.com dkim=pass dkdomain=googlemail.com dmarc=pass fromdomain=googlemail.com); spf=pass (google.com: domain of linux-kernel+bounces-104358-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-104358-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 8CB871F221FD for ; Fri, 15 Mar 2024 11:41:40 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 24C1C38399; Fri, 15 Mar 2024 11:39:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=googlemail.com header.i=@googlemail.com header.b="ejCgNeoc" Received: from mail-ed1-f53.google.com (mail-ed1-f53.google.com [209.85.208.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CA8FF37157; Fri, 15 Mar 2024 11:39:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.53 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1710502752; cv=none; b=iurlLpIyu3BAEjM9LPHhyhf2DcVRbKcuxFnfKLE/noh3JYE+Wz7AUb8VFZz9rZgDPhuSCGpDhcpP4xhtBX6McUfhe0aAKjj4m6A/vaUwPm6G/sswfqc3k3/9MYa9eJYEHrWAMFkuhO9/FUOfPSdXBJ6udmyPQzBstK8x4IjsAjs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1710502752; c=relaxed/simple; bh=HmfrjKV80zxN0Qu8spZWjiP4Pz/wzBkFw6jKJtLTo9s=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=PIJynGL/w8EycqHA237ihCI0bTeuNVnH0f8xQMkhdhJW3CpFD28ppZBeE8fvlINcC1ObmVrYes8AjPelHpiA40/W0Rkuch8fssg971g/xJZ+4jwMLgnkc6vYAqJqZ9jkg5i5L1Mvr+96htkOt0c/2auu4qPBpSs1/iGIaE9LN1Y= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=googlemail.com; spf=pass smtp.mailfrom=googlemail.com; dkim=pass (2048-bit key) header.d=googlemail.com header.i=@googlemail.com header.b=ejCgNeoc; arc=none smtp.client-ip=209.85.208.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=googlemail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=googlemail.com Received: by mail-ed1-f53.google.com with SMTP id 4fb4d7f45d1cf-56829f41f81so2669901a12.2; Fri, 15 Mar 2024 04:39:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20230601; t=1710502748; x=1711107548; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=XFW6eqfgwfb8L9+rUjWWkl22JgKTa/YmYo+cAr3MkEM=; b=ejCgNeochwlWc1477r/Z4g5HRldUx+/xKBMuw+6eimumDjMPr5pAhXBdxorIEVvm7o WUrhAxDQCzF3X3SVCcqcLOjuoz6l3QvkBJd7ff5OCwwmNWFd+QjZqmd2graR/VGQ7qCk AxeEWng52fYRtUvz+LgbqMEQF0zww3216vJBkA7Ls0XxmWwQWmF633ZpEq3U1mgKQYku Zw7UpvKIH+PRajkQzP24AYk92WbCmpOpe/0nHzYV/JmRjj7l+5837Rd53Yr90x61rxtb ZMaoAffMM746MLoupJZQAXUxJgIAq4aYAtGVgwlsEb34/er5kLDMiOcJ568yLmrGLZMW 6pLw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710502748; x=1711107548; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=XFW6eqfgwfb8L9+rUjWWkl22JgKTa/YmYo+cAr3MkEM=; b=pyuB02cqc+cUQf61kJsrAF874JNZW8D1GZN5Z5N/MXzRU0HwnY+odZArUG8LLgQK2z 8c8FbH+9vZ81Ey+9hdngNbsN5UOw1aGhI3Fxv/go4NCIlNVB0rw8h/Tov9lH/8k82HCm lKogxFfuYL9dWjeMx0mxBpZ9m+sGUQMfV/5Ob4rvQVRoHIEir070NRzdUUqtAKmHlmGs pGUpkeukZe376M6bUf9hR+eMFvTqmPiXH3QaU1RCYt8y2J6PMPaWL8MkjJG5uyrRQ/jp Fda0HDRAQjgWYUBfR7HcV9XY9qFZ5Zc2uymfKLgTZwup/UuXH03cOdX1IL5mpTH90N1F gOgQ== X-Forwarded-Encrypted: i=1; AJvYcCXJJre3NavNEwhP7uLIR/q5iZTuNzzYPoD/O6zdRCbcBZRIFFqYEGWabKtFvOTnaoHEhwpaxxFOrbS7y/LMwJzVj9jVOrZEd4j3+T3Nf7RvBFo/bUlcdZYaXjLQgiLybRtW X-Gm-Message-State: AOJu0Yyf+scyy/EjhOYKz23YtUjsMLCSWRQXfDEegXGAOgQTFIrLg/JN iDfY9Y3UXxlUS7D5O9Hzh/rTmONCJ45fbebm0qEknJIDleI+M4lct0sN3ze+MhG5nw== X-Received: by 2002:a05:6402:428b:b0:568:376e:ea2a with SMTP id g11-20020a056402428b00b00568376eea2amr2696148edc.40.1710502748432; Fri, 15 Mar 2024 04:39:08 -0700 (PDT) Received: from ddev.DebianHome (dynamic-095-119-217-226.95.119.pool.telefonica.de. [95.119.217.226]) by smtp.gmail.com with ESMTPSA id fg3-20020a056402548300b005682f47aea7sm1610024edb.94.2024.03.15.04.39.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 Mar 2024 04:39:08 -0700 (PDT) From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= To: linux-security-module@vger.kernel.org Cc: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , bpf@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 09/10] bpf: use new capable_any functionality Date: Fri, 15 Mar 2024 12:37:30 +0100 Message-ID: <20240315113828.258005-9-cgzones@googlemail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240315113828.258005-1-cgzones@googlemail.com> References: <20240315113828.258005-1-cgzones@googlemail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use the new added capable_any function in bpf_token_capable() and bpf_net_capable() implementations. Signed-off-by: Christian Göttsche --- v5: add patch --- include/linux/bpf.h | 2 +- kernel/bpf/syscall.c | 2 +- kernel/bpf/token.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 4f20f62f9d63..bdadf3291bec 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -2701,7 +2701,7 @@ static inline int bpf_obj_get_user(const char __user *pathname, int flags) static inline bool bpf_token_capable(const struct bpf_token *token, int cap) { - return capable(cap) || (cap != CAP_SYS_ADMIN && capable(CAP_SYS_ADMIN)); + return capable_any(cap, CAP_SYS_ADMIN); } static inline void bpf_token_inc(struct bpf_token *token) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index ae2ff73bde7e..a10e6f77002c 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -1175,7 +1175,7 @@ static int map_check_btf(struct bpf_map *map, struct bpf_token *token, static bool bpf_net_capable(void) { - return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN); + return capable_any(CAP_NET_ADMIN, CAP_SYS_ADMIN); } #define BPF_MAP_CREATE_LAST_FIELD map_token_fd diff --git a/kernel/bpf/token.c b/kernel/bpf/token.c index d6ccf8d00eab..53f491046a8d 100644 --- a/kernel/bpf/token.c +++ b/kernel/bpf/token.c @@ -11,7 +11,7 @@ static bool bpf_ns_capable(struct user_namespace *ns, int cap) { - return ns_capable(ns, cap) || (cap != CAP_SYS_ADMIN && ns_capable(ns, CAP_SYS_ADMIN)); + return ns_capable_any(ns, cap, CAP_SYS_ADMIN); } bool bpf_token_capable(const struct bpf_token *token, int cap) -- 2.43.0