Message ID | 20220615152623.311223-4-cgzones@googlemail.com (mailing list archive) |
---|---|
State | Handled Elsewhere |
Delegated to: | Paul Moore |
Headers | show |
Series | [v3,1/8] capability: add any wrapper to test for multiple caps with exactly one audit message | expand |
On Wed, Jun 15, 2022 at 05:26:19PM +0200, Christian Göttsche wrote: > Use the new added capable_any function in appropriate cases, where a > task is required to have any of two capabilities. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > --- Not seeing the whole patch series so it's a bit difficult to judge but in general we've needed something like this for quite some time. > v3: > rename to capable_any() > --- > fs/pipe.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/pipe.c b/fs/pipe.c > index 74ae9fafd25a..18ab3baeec44 100644 > --- a/fs/pipe.c > +++ b/fs/pipe.c > @@ -776,7 +776,7 @@ bool too_many_pipe_buffers_hard(unsigned long user_bufs) > > bool pipe_is_unprivileged_user(void) > { > - return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); > + return !capable_any(CAP_SYS_RESOURCE, CAP_SYS_ADMIN); > } > > struct pipe_inode_info *alloc_pipe_info(void) > -- > 2.36.1 >
On Tue, 28 Jun 2022 at 14:57, Christian Brauner <brauner@kernel.org> wrote: > > On Wed, Jun 15, 2022 at 05:26:19PM +0200, Christian Göttsche wrote: > > Use the new added capable_any function in appropriate cases, where a > > task is required to have any of two capabilities. > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > --- > > Not seeing the whole patch series so it's a bit difficult to judge but > in general we've needed something like this for quite some time. Full patch series: https://patchwork.kernel.org/project/selinux/list/?series=650662 or https://lore.kernel.org/lkml/20220615152623.311223-8-cgzones@googlemail.com/ > > v3: > > rename to capable_any() > > --- > > fs/pipe.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/fs/pipe.c b/fs/pipe.c > > index 74ae9fafd25a..18ab3baeec44 100644 > > --- a/fs/pipe.c > > +++ b/fs/pipe.c > > @@ -776,7 +776,7 @@ bool too_many_pipe_buffers_hard(unsigned long user_bufs) > > > > bool pipe_is_unprivileged_user(void) > > { > > - return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); > > + return !capable_any(CAP_SYS_RESOURCE, CAP_SYS_ADMIN); > > } > > > > struct pipe_inode_info *alloc_pipe_info(void) > > -- > > 2.36.1 > >
diff --git a/fs/pipe.c b/fs/pipe.c index 74ae9fafd25a..18ab3baeec44 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -776,7 +776,7 @@ bool too_many_pipe_buffers_hard(unsigned long user_bufs) bool pipe_is_unprivileged_user(void) { - return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); + return !capable_any(CAP_SYS_RESOURCE, CAP_SYS_ADMIN); } struct pipe_inode_info *alloc_pipe_info(void)
Use the new added capable_any function in appropriate cases, where a task is required to have any of two capabilities. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- v3: rename to capable_any() --- fs/pipe.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)