Message ID | 20230511142535.732324-3-cgzones@googlemail.com (mailing list archive) |
---|---|
State | Handled Elsewhere |
Delegated to: | Paul Moore |
Series | [v4,1/9] capability: introduce new capable flag NODENYAUDIT |
On Thu, May 11, 2023 at 7:27 AM Christian Göttsche <cgzones@googlemail.com> wrote: > > Use the new added capable_any function in appropriate cases, where a > task is required to have any of two capabilities. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > --- > v3: > - rename to capable_any() > - simplify checkpoint_restore_ns_capable() > --- > include/linux/capability.h | 7 +++---- > 1 file changed, 3 insertions(+), 4 deletions(-) > > diff --git a/include/linux/capability.h b/include/linux/capability.h > index eeb958440656..4db0ffb47271 100644 > --- a/include/linux/capability.h > +++ b/include/linux/capability.h > @@ -204,18 +204,17 @@ extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, > extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns); > static inline bool perfmon_capable(void) > { > - return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN); > + return capable_any(CAP_PERFMON, CAP_SYS_ADMIN); > } > > static inline bool bpf_capable(void) > { > - return capable(CAP_BPF) || capable(CAP_SYS_ADMIN); > + return capable_any(CAP_BPF, CAP_SYS_ADMIN); > } > For bpf parts: Acked-by: Andrii Nakryiko <andrii@kernel.org> > static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns) > { > - return ns_capable(ns, CAP_CHECKPOINT_RESTORE) || > - ns_capable(ns, CAP_SYS_ADMIN); > + return ns_capable_any(ns, CAP_CHECKPOINT_RESTORE, CAP_SYS_ADMIN); > } > > /* audit system wants to get cap info from files as well */ > -- > 2.40.1 > >
diff --git a/include/linux/capability.h b/include/linux/capability.h index eeb958440656..4db0ffb47271 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -204,18 +204,17 @@ extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns); static inline bool perfmon_capable(void) { - return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN); + return capable_any(CAP_PERFMON, CAP_SYS_ADMIN); } static inline bool bpf_capable(void) { - return capable(CAP_BPF) || capable(CAP_SYS_ADMIN); + return capable_any(CAP_BPF, CAP_SYS_ADMIN); } static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns) { - return ns_capable(ns, CAP_CHECKPOINT_RESTORE) || - ns_capable(ns, CAP_SYS_ADMIN); + return ns_capable_any(ns, CAP_CHECKPOINT_RESTORE, CAP_SYS_ADMIN); } /* audit system wants to get cap info from files as well */
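Review bot: The three conversions in this hunk (perfmon_capable(), bpf_capable() and checkpoint_restore_ns_capable()) rely on capable_any() and ns_capable_any(), which are not defined in this patch, and the commit message does not say how they differ from the short-circuit `capable(X) || capable(CAP_SYS_ADMIN)` form they replace. Since the series title refers to a new NODENYAUDIT flag, please state in the commit message what is audited when the task holds neither capability, and whether argument order is significant (the specific capability is passed first and CAP_SYS_ADMIN second in all three callers). That lets the change be checked for equivalence without reading the rest of the series. A short comment above perfmon_capable() recording the expected order would also help keep later callers consistent.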
Use the new added capable_any function in appropriate cases, where a task is required to have any of two capabilities.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

---

v3:
- rename to capable_any()
- simplify checkpoint_restore_ns_capable()

---

include/linux/capability.h | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)