From patchwork Thu Nov 21 21:19:08 2019
X-Patchwork-Submitter: Maciej Żenczykowski
X-Patchwork-Id: 1199140
X-Patchwork-Delegate: davem@davemloft.net
From: Maciej Żenczykowski
To: Maciej Żenczykowski, "David S . Miller"
Cc: netdev@vger.kernel.org
Subject: [PATCH] net-ipv6: IPV6_TRANSPARENT - check NET_RAW prior to NET_ADMIN
Date: Thu, 21 Nov 2019 13:19:08 -0800
Message-Id: <20191121211908.64187-1-zenczykowski@gmail.com>

From: Maciej Żenczykowski

NET_RAW is less dangerous, so more likely to be available to a process,
so check it first to prevent some spurious logging.

This matches IP_TRANSPARENT which checks NET_RAW first.

Signed-off-by: Maciej Żenczykowski
---
 net/ipv6/ipv6_sockglue.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index 264c292e7dcc..79fc012dd2ca 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -363,8 +363,8 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, break; case IPV6_TRANSPARENT: - if (valbool && !ns_capable(net->user_ns, CAP_NET_ADMIN) && - !ns_capable(net->user_ns, CAP_NET_RAW)) { + if (valbool && !ns_capable(net->user_ns, CAP_NET_RAW) && + !ns_capable(net->user_ns, CAP_NET_ADMIN)) { retv = -EPERM; break; }
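
Review bot: The reordered condition in the IPV6_TRANSPARENT case returns the same result for every capability combination and differs only in short-circuit order, so nothing in the code tells a later reader that the order is deliberate. A one-line comment above the `if`, stating that CAP_NET_RAW is checked first to avoid logging a failed CAP_NET_ADMIN check and to match IP_TRANSPARENT, would keep a later cleanup from swapping the two calls back. A process that holds CAP_NET_ADMIN but not CAP_NET_RAW now fails the CAP_NET_RAW check before the CAP_NET_ADMIN check succeeds, so for that case the log entry moves rather than disappears; the commit message could say which case the "spurious logging" refers to.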