From patchwork Thu May 11 14:25:32 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13238037 X-Patchwork-Delegate: paul@paul-moore.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5B683C77B7F for ; Thu, 11 May 2023 14:28:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238539AbjEKO15 (ORCPT ); Thu, 11 May 2023 10:27:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43424 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237976AbjEKO1R (ORCPT ); Thu, 11 May 2023 10:27:17 -0400 Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 089C0E72; Thu, 11 May 2023 07:26:49 -0700 (PDT) Received: by mail-ej1-x62a.google.com with SMTP id a640c23a62f3a-965ac4dd11bso1723548966b.2; Thu, 11 May 2023 07:26:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20221208; t=1683815207; x=1686407207; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=yh+kmOB/3T2Ct+e48ke7ddrVyWc5FzCqMfagVQ+ockI=; b=mR9aqKYicwMhgogcBnAWcdWjqogQ/c966GYPXq2hztmeo7By9ge9YtvNNVBIBOjCAU 92/2QZ+ONIbYxFkUA79jMjYwJrHgIchmcwyQ+IH1HZAJX3m6JJEq2KyQNvqZaSlzq6Fx Gt0qJ+2K3/5BEPKoqxysmvLFVMv/tPjGoFE5oJ3L+JGRRJipYB7b5kWJsnJTvP/8r4sI AL0DxwnAsD/2HvZkicFCgrxdib1N1YI95aYIY0aanJcnsHrRjdcPxWaqpHoSeHoXgulh nXgY15ThHUUs5d05k9LT1s98tveFZZvlLfRZeCSOL0NkJtmPG++KIatLJDx0KS0+86Nl i9xQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683815207; x=1686407207; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=yh+kmOB/3T2Ct+e48ke7ddrVyWc5FzCqMfagVQ+ockI=; b=RG3ajnOHsuLldcTD3zgTh7gF02yKXeGWEuUiyFvRvAsZghEj64WaB3f94pKsoLTgMb vKh5qZGIbP38111GLW4PynxIFH7V1DUZ/uGa0OMX7mmKPLXX368dSl68nFcq7lE9xAYf 6rjMW4uLw+/Lhsdvcds5BU8NdmUYRH7+HsYoQjYdERKzB66Q024jjb4+hziKobMIKODA x5qiQ5LCe6hOz5doYwArNduSgrs5TAIvHYu+GprRYJU5Ix22OrsmI7Mxrx6SkYD+qtq1 5FFVur+ovBfYAPXUtOO8nKyUA3yKaq3KP59mE6fGMmqP6qCUC5eWwNJU7O5dHm7pw7/9 9yxQ== X-Gm-Message-State: AC+VfDwnK8XV0Ydw2PYF8QuhBCV64rsnedseLT7G6hIEh4Ln+ryrTOOY W2Q2ULew9SALUjrE9Sphd8e4tnmtbAmaTg== X-Google-Smtp-Source: ACHHUZ55K3LlAfJsD/0MVktqrGV0ADiuIvt5DFR+742oY+v7paoIFV0bf/KxU1DRLqe4/9ezFAEbVA== X-Received: by 2002:a17:907:1c88:b0:961:be96:b0e0 with SMTP id nb8-20020a1709071c8800b00961be96b0e0mr20141790ejc.73.1683815207515; Thu, 11 May 2023 07:26:47 -0700 (PDT) Received: from debianHome.localdomain (dynamic-077-008-180-228.77.8.pool.telefonica.de. [77.8.180.228]) by smtp.gmail.com with ESMTPSA id hf15-20020a1709072c4f00b0094f58a85bc5sm4056647ejc.180.2023.05.11.07.26.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 11 May 2023 07:26:45 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Cc: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Keith Busch , Kuniyuki Iwashima , Christophe JAILLET , Alexei Starovoitov , Martin KaFai Lau , Xin Long , Alexander Duyck , Jason Xing , Jens Axboe , Pavel Begunkov , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-wpan@vger.kernel.org, bpf@vger.kernel.org Subject: [PATCH v4 9/9] net: use new capable_any functionality Date: Thu, 11 May 2023 16:25:32 +0200 Message-Id: <20230511142535.732324-9-cgzones@googlemail.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230511142535.732324-1-cgzones@googlemail.com> References: <20230511142535.732324-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Use the new added capable_any function in appropriate cases, where a task is required to have any of two capabilities. Add sock_ns_capable_any() wrapper similar to existing sock_ns_capable() one. Reorder CAP_SYS_ADMIN last. Signed-off-by: Christian Göttsche Reviewed-by: Miquel Raynal --- v4: - introduce sockopt_ns_capable_any() v3: - rename to capable_any() - make use of ns_capable_any Signed-off-by: Christian Göttsche --- include/net/sock.h | 1 + net/caif/caif_socket.c | 2 +- net/core/sock.c | 18 ++++++++++-------- net/ieee802154/socket.c | 6 ++---- net/ipv4/ip_sockglue.c | 4 ++-- net/ipv6/ipv6_sockglue.c | 3 +-- net/unix/scm.c | 2 +- 7 files changed, 18 insertions(+), 18 deletions(-) diff --git a/include/net/sock.h b/include/net/sock.h index 8b7ed7167243..a17178e31e91 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -1762,6 +1762,7 @@ static inline void unlock_sock_fast(struct sock *sk, bool slow) void sockopt_lock_sock(struct sock *sk); void sockopt_release_sock(struct sock *sk); bool sockopt_ns_capable(struct user_namespace *ns, int cap); +bool sockopt_ns_capable_any(struct user_namespace *ns, int cap1, int cap2); bool sockopt_capable(int cap); /* Used by processes to "lock" a socket state, so that diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c index 4eebcc66c19a..6dcc08f9da3b 100644 --- a/net/caif/caif_socket.c +++ b/net/caif/caif_socket.c @@ -1027,7 +1027,7 @@ static int caif_create(struct net *net, struct socket *sock, int protocol, .usersize = sizeof_field(struct caifsock, conn_req.param) }; - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_NET_ADMIN)) + if (!capable_any(CAP_NET_ADMIN, CAP_SYS_ADMIN)) return -EPERM; /* * The sock->type specifies the socket type to use. diff --git a/net/core/sock.c b/net/core/sock.c index 5440e67bcfe3..6a236d649bec 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -1073,6 +1073,12 @@ bool sockopt_ns_capable(struct user_namespace *ns, int cap) } EXPORT_SYMBOL(sockopt_ns_capable); +bool sockopt_ns_capable_any(struct user_namespace *ns, int cap1, int cap2) +{ + return has_current_bpf_ctx() || ns_capable_any(ns, cap1, cap2); +} +EXPORT_SYMBOL(sockopt_ns_capable_any); + bool sockopt_capable(int cap) { return has_current_bpf_ctx() || capable(cap); @@ -1207,8 +1213,7 @@ int sk_setsockopt(struct sock *sk, int level, int optname, case SO_PRIORITY: if ((val >= 0 && val <= 6) || - sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) || - sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) + sockopt_ns_capable_any(sock_net(sk)->user_ns, CAP_NET_RAW, CAP_NET_ADMIN)) sk->sk_priority = val; else ret = -EPERM; @@ -1353,8 +1358,7 @@ int sk_setsockopt(struct sock *sk, int level, int optname, clear_bit(SOCK_PASSSEC, &sock->flags); break; case SO_MARK: - if (!sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) && - !sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) { + if (!sockopt_ns_capable_any(sock_net(sk)->user_ns, CAP_NET_RAW, CAP_NET_ADMIN)) { ret = -EPERM; break; } @@ -1362,8 +1366,7 @@ int sk_setsockopt(struct sock *sk, int level, int optname, __sock_set_mark(sk, val); break; case SO_RCVMARK: - if (!sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) && - !sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) { + if (!sockopt_ns_capable_any(sock_net(sk)->user_ns, CAP_NET_RAW, CAP_NET_ADMIN)) { ret = -EPERM; break; } @@ -2747,8 +2750,7 @@ int __sock_cmsg_send(struct sock *sk, struct cmsghdr *cmsg, switch (cmsg->cmsg_type) { case SO_MARK: - if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) && - !ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) + if (!ns_capable_any(sock_net(sk)->user_ns, CAP_NET_RAW, CAP_NET_ADMIN)) return -EPERM; if (cmsg->cmsg_len != CMSG_LEN(sizeof(u32))) return -EINVAL; diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c index 1fa2fe041ec0..f9bc6cae4af9 100644 --- a/net/ieee802154/socket.c +++ b/net/ieee802154/socket.c @@ -904,8 +904,7 @@ static int dgram_setsockopt(struct sock *sk, int level, int optname, ro->want_lqi = !!val; break; case WPAN_SECURITY: - if (!ns_capable(net->user_ns, CAP_NET_ADMIN) && - !ns_capable(net->user_ns, CAP_NET_RAW)) { + if (!ns_capable_any(net->user_ns, CAP_NET_ADMIN, CAP_NET_RAW)) { err = -EPERM; break; } @@ -928,8 +927,7 @@ static int dgram_setsockopt(struct sock *sk, int level, int optname, } break; case WPAN_SECURITY_LEVEL: - if (!ns_capable(net->user_ns, CAP_NET_ADMIN) && - !ns_capable(net->user_ns, CAP_NET_RAW)) { + if (!ns_capable_any(net->user_ns, CAP_NET_ADMIN, CAP_NET_RAW)) { err = -EPERM; break; } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index b511ff0adc0a..4dd752743b84 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -1341,8 +1341,8 @@ int do_ip_setsockopt(struct sock *sk, int level, int optname, break; case IP_TRANSPARENT: - if (!!val && !sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) && - !sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) { + if (!!val && !sockopt_ns_capable_any(sock_net(sk)->user_ns, CAP_NET_RAW, + CAP_NET_ADMIN)) { err = -EPERM; break; } diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index ae818ff46224..38aad44547e4 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -625,8 +625,7 @@ int do_ipv6_setsockopt(struct sock *sk, int level, int optname, break; case IPV6_TRANSPARENT: - if (valbool && !sockopt_ns_capable(net->user_ns, CAP_NET_RAW) && - !sockopt_ns_capable(net->user_ns, CAP_NET_ADMIN)) { + if (valbool && !sockopt_ns_capable_any(net->user_ns, CAP_NET_RAW, CAP_NET_ADMIN)) { retv = -EPERM; break; } diff --git a/net/unix/scm.c b/net/unix/scm.c index f9152881d77f..4d18187a5349 100644 --- a/net/unix/scm.c +++ b/net/unix/scm.c @@ -99,7 +99,7 @@ static inline bool too_many_unix_fds(struct task_struct *p) struct user_struct *user = current_user(); if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE))) - return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); + return !capable_any(CAP_SYS_RESOURCE, CAP_SYS_ADMIN); return false; }