Message ID | 20240315113828.258005-5-cgzones@googlemail.com (mailing list archive) |
---|---|
State | New |
Delegated to: | Paul Moore |
Series | [01/10] capability: introduce new capable flag CAP_OPT_NOAUDIT_ONDENY | expand |
On 2024-03-15 7:37, Christian Göttsche wrote:
> Use the new added capable_any function in appropriate cases, where a
> task is required to have any of two capabilities.
>
> Reorder CAP_SYS_ADMIN last.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> Acked-by: Alexander Gordeev <agordeev@linux.ibm.com> (s390 portion)
Acked-by: Felix Kuehling <felix.kuehling@amd.com> (amdkfd portion)
> ---
> v4:
> Additional usage in kfd_ioctl()
> v3:
> rename to capable_any()
> ---
> drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 3 +--
> drivers/net/caif/caif_serial.c | 2 +-
> drivers/s390/block/dasd_eckd.c | 2 +-
> 3 files changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> index dfa8c69532d4..8c7ebca01c17 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> @@ -3290,8 +3290,7 @@ static long kfd_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
> * more priviledged access.
> */
> if (unlikely(ioctl->flags & KFD_IOC_FLAG_CHECKPOINT_RESTORE)) {
> - if (!capable(CAP_CHECKPOINT_RESTORE) &&
> - !capable(CAP_SYS_ADMIN)) {
> + if (!capable_any(CAP_CHECKPOINT_RESTORE, CAP_SYS_ADMIN)) {
> retcode = -EACCES;
> goto err_i1;
> }
> diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
> index ed3a589def6b..e908b9ce57dc 100644
> --- a/drivers/net/caif/caif_serial.c
> +++ b/drivers/net/caif/caif_serial.c
> @@ -326,7 +326,7 @@ static int ldisc_open(struct tty_struct *tty)
> /* No write no play */
> if (tty->ops->write == NULL)
> return -EOPNOTSUPP;
> - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_TTY_CONFIG))
> + if (!capable_any(CAP_SYS_TTY_CONFIG, CAP_SYS_ADMIN))
> return -EPERM;
>
> /* release devices to avoid name collision */
> diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
> index 373c1a86c33e..8f9a5136306a 100644
> --- a/drivers/s390/block/dasd_eckd.c
> +++ b/drivers/s390/block/dasd_eckd.c
> @@ -5384,7 +5384,7 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp)
> char psf0, psf1;
> int rc;
>
> - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RAWIO))
> + if (!capable_any(CAP_SYS_RAWIO, CAP_SYS_ADMIN))
> return -EACCES;
> psf0 = psf1 = 0;
>
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index dfa8c69532d4..8c7ebca01c17 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -3290,8 +3290,7 @@ static long kfd_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
 * more priviledged access.
 */
 if (unlikely(ioctl->flags & KFD_IOC_FLAG_CHECKPOINT_RESTORE)) {
- if (!capable(CAP_CHECKPOINT_RESTORE) &&
- !capable(CAP_SYS_ADMIN)) {
+ if (!capable_any(CAP_CHECKPOINT_RESTORE, CAP_SYS_ADMIN)) {
 retcode = -EACCES;
 goto err_i1;
 }
diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
index ed3a589def6b..e908b9ce57dc 100644
--- a/drivers/net/caif/caif_serial.c
+++ b/drivers/net/caif/caif_serial.c
@@ -326,7 +326,7 @@ static int ldisc_open(struct tty_struct *tty)
 /* No write no play */
 if (tty->ops->write == NULL)
 return -EOPNOTSUPP;
- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_TTY_CONFIG))
+ if (!capable_any(CAP_SYS_TTY_CONFIG, CAP_SYS_ADMIN))
 return -EPERM;

 /* release devices to avoid name collision */
diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
index 373c1a86c33e..8f9a5136306a 100644
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -5384,7 +5384,7 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp)
 char psf0, psf1;
 int rc;

- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RAWIO))
+ if (!capable_any(CAP_SYS_RAWIO, CAP_SYS_ADMIN))
 return -EACCES;
 psf0 = psf1 = 0;
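Review bot: The argument order of `capable_any(CAP_SYS_TTY_CONFIG, CAP_SYS_ADMIN)` in ldisc_open() now carries meaning, but nothing at the call site says why CAP_SYS_ADMIN moved last; the same holds for `capable_any(CAP_SYS_RAWIO, CAP_SYS_ADMIN)` in dasd_symm_io(). capable_any() is not defined in these hunks, but the series title (CAP_OPT_NOAUDIT_ONDENY) suggests denial auditing depends on which capability is tried first, so for a task holding neither the swap presumably changes which capability shows up in audit/LSM denial records. A one-line comment such as `/* narrow capability first: a denial should be reported against it, not CAP_SYS_ADMIN */` would stop a later cleanup from reversing the order and nudging policy authors towards granting CAP_SYS_ADMIN. The kfd_ioctl() hunk already had the narrow capability first, so only its audit behaviour on denial may differ. All three function bodies continue outside the hunks.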