* [PATCH 05/10] drivers: use new capable_any functionality [not found] <20240315113828.258005-1-cgzones@googlemail.com> @ 2024-03-15 11:37 ` Christian Göttsche 2024-03-15 15:03 ` Felix Kuehling 0 siblings, 1 reply; 2+ messages in thread From: Christian Göttsche @ 2024-03-15 11:37 UTC (permalink / raw) To: linux-security-module Cc: Alexander Gordeev, Felix Kuehling, Alex Deucher, Christian König, Pan, Xinhui, David Airlie, Daniel Vetter, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Stefan Haberland, Jan Hoeppner, Heiko Carstens, Vasily Gorbik, Christian Borntraeger, Sven Schnelle, Mark Brown, Greg Kroah-Hartman, Jiri Slaby (SUSE), amd-gfx, dri-devel, linux-kernel, netdev, linux-s390, bpf Use the new added capable_any function in appropriate cases, where a task is required to have any of two capabilities. Reorder CAP_SYS_ADMIN last. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: Alexander Gordeev <agordeev@linux.ibm.com> (s390 portion) --- v4: Additional usage in kfd_ioctl() v3: rename to capable_any() --- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 3 +-- drivers/net/caif/caif_serial.c | 2 +- drivers/s390/block/dasd_eckd.c | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c index dfa8c69532d4..8c7ebca01c17 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c @@ -3290,8 +3290,7 @@ static long kfd_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) * more priviledged access. */ if (unlikely(ioctl->flags & KFD_IOC_FLAG_CHECKPOINT_RESTORE)) { - if (!capable(CAP_CHECKPOINT_RESTORE) && - !capable(CAP_SYS_ADMIN)) { + if (!capable_any(CAP_CHECKPOINT_RESTORE, CAP_SYS_ADMIN)) { retcode = -EACCES; goto err_i1; } diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c index ed3a589def6b..e908b9ce57dc 100644 --- a/drivers/net/caif/caif_serial.c 
+++ b/drivers/net/caif/caif_serial.c @@ -326,7 +326,7 @@ static int ldisc_open(struct tty_struct *tty) /* No write no play */ if (tty->ops->write == NULL) return -EOPNOTSUPP; - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_TTY_CONFIG)) + if (!capable_any(CAP_SYS_TTY_CONFIG, CAP_SYS_ADMIN)) return -EPERM; /* release devices to avoid name collision */ diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c index 373c1a86c33e..8f9a5136306a 100644 --- a/drivers/s390/block/dasd_eckd.c +++ b/drivers/s390/block/dasd_eckd.c @@ -5384,7 +5384,7 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp) char psf0, psf1; int rc; - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RAWIO)) + if (!capable_any(CAP_SYS_RAWIO, CAP_SYS_ADMIN)) return -EACCES; psf0 = psf1 = 0; -- 2.43.0 ^ permalink raw reply related [flat|nested] 2+ messages in thread
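Review bot: in the kfd_ioctl() hunk the old code already tested CAP_CHECKPOINT_RESTORE before CAP_SYS_ADMIN, so the "Reorder CAP_SYS_ADMIN last" sentence in the commit message does not describe this hunk. This is a pure conversion, and the message should say which call sites are reordered and which are only converted. capable_any() is not defined in this patch, so the message should also state in one sentence what the helper does when neither capability is held. Maintainers acking a single portion could then confirm it matches the old !capable(a) && !capable(b) form without reading the rest of the series.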
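Review bot: in the ldisc_open() and dasd_symm_io() hunks the arguments are passed in the reverse of the order the old code tested them (CAP_SYS_ADMIN was first, now it is last), and the commit message gives no reason beyond "Reorder CAP_SYS_ADMIN last". Please add the rationale for putting the narrower capability (CAP_SYS_TTY_CONFIG, CAP_SYS_RAWIO) first. Please also say whether the order has any observable effect for a task that holds neither capability, since that is the only part of these two hunks that is not a mechanical substitution. The return values (-EPERM in ldisc_open(), -EACCES in dasd_symm_io()) are unchanged, so the reorder is the only thing for reviewers to judge here.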
* Re: [PATCH 05/10] drivers: use new capable_any functionality 2024-03-15 11:37 ` [PATCH 05/10] drivers: use new capable_any functionality Christian Göttsche @ 2024-03-15 15:03 ` Felix Kuehling 0 siblings, 0 replies; 2+ messages in thread From: Felix Kuehling @ 2024-03-15 15:03 UTC (permalink / raw) To: Christian Göttsche, linux-security-module Cc: Alexander Gordeev, Alex Deucher, Christian König, Pan, Xinhui, David Airlie, Daniel Vetter, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Stefan Haberland, Jan Hoeppner, Heiko Carstens, Vasily Gorbik, Christian Borntraeger, Sven Schnelle, Mark Brown, Greg Kroah-Hartman, Jiri Slaby (SUSE), amd-gfx, dri-devel, linux-kernel, netdev, linux-s390, bpf On 2024-03-15 7:37, Christian Göttsche wrote: > Use the new added capable_any function in appropriate cases, where a > task is required to have any of two capabilities. > > Reorder CAP_SYS_ADMIN last. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > Acked-by: Alexander Gordeev <agordeev@linux.ibm.com> (s390 portion) Acked-by: Felix Kuehling <felix.kuehling@amd.com> (amdkfd portion) > --- > v4: > Additional usage in kfd_ioctl() > v3: > rename to capable_any() > --- > drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 3 +-- > drivers/net/caif/caif_serial.c | 2 +- > drivers/s390/block/dasd_eckd.c | 2 +- > 3 files changed, 3 insertions(+), 4 deletions(-) > > diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c > index dfa8c69532d4..8c7ebca01c17 100644 > --- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c > +++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c 
> @@ -3290,8 +3290,7 @@ static long kfd_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) > * more priviledged access. > */ > if (unlikely(ioctl->flags & KFD_IOC_FLAG_CHECKPOINT_RESTORE)) { > - if (!capable(CAP_CHECKPOINT_RESTORE) && > - !capable(CAP_SYS_ADMIN)) { > + if (!capable_any(CAP_CHECKPOINT_RESTORE, CAP_SYS_ADMIN)) { > retcode = -EACCES; > goto err_i1; > } > diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c > index ed3a589def6b..e908b9ce57dc 100644 > --- a/drivers/net/caif/caif_serial.c > +++ b/drivers/net/caif/caif_serial.c > @@ -326,7 +326,7 @@ static int ldisc_open(struct tty_struct *tty) > /* No write no play */ > if (tty->ops->write == NULL) > return -EOPNOTSUPP; > - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_TTY_CONFIG)) > + if (!capable_any(CAP_SYS_TTY_CONFIG, CAP_SYS_ADMIN)) > return -EPERM; > > /* release devices to avoid name collision */ > diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c > index 373c1a86c33e..8f9a5136306a 100644 > --- a/drivers/s390/block/dasd_eckd.c > +++ b/drivers/s390/block/dasd_eckd.c > @@ -5384,7 +5384,7 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp) > char psf0, psf1; > int rc; > > - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RAWIO)) > + if (!capable_any(CAP_SYS_RAWIO, CAP_SYS_ADMIN)) > return -EACCES; > psf0 = psf1 = 0; > ^ permalink raw reply [flat|nested] 2+ messages in thread