Re: [RFC PATCH 2/2] capability: use new capable_or functionality

From: Alexei Starovoitov
Date: Thu Feb 17 2022 - 12:30:11 EST

Next message: Sebastian Andrzej Siewior: "Re: [PATCH v3] random: remove batched entropy locking"
Previous message: Kees Cook: "Re: [PATCH] um: Cleanup syscall_handler_t definition/cast, fix warning"
In reply to: Christian Göttsche: "[RFC PATCH 1/2] capability: add capable_or to test for multiple caps with exactly one audit message"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Feb 17, 2022 at 6:50 AM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Use the new added capable_or macro in appropriate cases, where a task
> is required to have any of two capabilities.
>
> Reorder CAP_SYS_ADMIN last.
>
> TODO: split into subsystem patches.

Yes. Please.

The bpf side picked the existing order because we were aware
of that selinux issue.
Looks like there is no good order that works for all.
So the new helper makes a lot of sense.

> Fixes: 94c4b4fd25e6 ("block: Check ADMIN before NICE for IOPRIO_CLASS_RT")

Next message: Sebastian Andrzej Siewior: "Re: [PATCH v3] random: remove batched entropy locking"
Previous message: Kees Cook: "Re: [PATCH] um: Cleanup syscall_handler_t definition/cast, fix warning"
In reply to: Christian Göttsche: "[RFC PATCH 1/2] capability: add capable_or to test for multiple caps with exactly one audit message"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]