Re: [PATCH net-next] tun: fix group permission check

From: Willem de Bruijn
Date: Thu Dec 05 2024 - 11:51:12 EST


Stas Sergeev wrote:
> Currently tun checks the group permission even if the user has matched.
> Besides going against the usual permission semantics, this has a
> very interesting implication: if the tun group is not among the
> supplementary groups of the tun user, then effectively no one can
> access the tun device. CAP_SYS_ADMIN still can, but it's the same as
> not setting the tun ownership.
>
> This patch relaxes the group checking so that either the user match
> or the group match is enough. This avoids the situation in which no one
> can access the device even though the ownership is properly set.
>
> Also I simplified the logic by removing the redundant inversions:
> tun_not_capable() --> !tun_capable()
>
> Signed-off-by: Stas Sergeev <stsp2@xxxxxxxxx>
>
> CC: Willem de Bruijn <willemdebruijn.kernel@xxxxxxxxx>
> CC: Jason Wang <jasowang@xxxxxxxxxx>
> CC: Andrew Lunn <andrew+netdev@xxxxxxx>
> CC: "David S. Miller" <davem@xxxxxxxxxxxxx>
> CC: Eric Dumazet <edumazet@xxxxxxxxxx>
> CC: Jakub Kicinski <kuba@xxxxxxxxxx>
> CC: Paolo Abeni <pabeni@xxxxxxxxxx>
> CC: netdev@xxxxxxxxxxxxxxx
> CC: linux-kernel@xxxxxxxxxxxxxxx

Reviewed-by: Willem de Bruijn <willemb@xxxxxxxxxx>

A lot more readable this way too.
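As an added illustration (a userspace model written for this page, not the kernel's tun code and not the patch under review), the two policies the commit message contrasts, evaluated over the same credentials: the "before" check refuses a caller who owns the device but is not in its group, the "after" check accepts either match. Everything here is an assumption for the sake of the model: the struct and function names, `INVALID_ID` standing in for an unset owner or group, `has_net_admin` standing in for the capability bypass the commit message mentions, and the constructed sample users. The commit message does not say what should happen when neither owner nor group is set; the model keeps that case permissive, as the old check is.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative model only: a process credential reduced to the fields a
 * tun ownership check looks at. Not the kernel's struct cred. */
#define INVALID_ID ((unsigned int)-1)   /* assumed stand-in for "not set" */
#define MAX_GROUPS 8

struct model_cred {
	unsigned int euid;
	unsigned int egid;
	unsigned int groups[MAX_GROUPS];   /* supplementary groups */
	size_t ngroups;
	bool has_net_admin;                /* assumed stand-in for the capability bypass */
};

struct model_tun {
	unsigned int owner;   /* INVALID_ID when no owner was set */
	unsigned int group;   /* INVALID_ID when no group was set */
};

/* Effective group membership: egid or any supplementary group. */
static bool in_egroup(const struct model_cred *c, unsigned int gid)
{
	if (c->egid == gid)
		return true;
	for (size_t i = 0; i < c->ngroups; i++)
		if (c->groups[i] == gid)
			return true;
	return false;
}

/* "Before": a set owner must match AND a set group must match, unless the
 * capability bypass applies. With both set, the owner is locked out when
 * not a member of the group, which is the situation the commit describes. */
static bool old_policy_allows(const struct model_cred *c, const struct model_tun *t)
{
	bool owner_mismatch = t->owner != INVALID_ID && c->euid != t->owner;
	bool group_mismatch = t->group != INVALID_ID && !in_egroup(c, t->group);
	bool not_capable = (owner_mismatch || group_mismatch) && !c->has_net_admin;
	return !not_capable;
}

/* "After": capability, or owner match, or group match, is enough.
 * Assumption: with neither owner nor group set, stay permissive as before. */
static bool new_policy_allows(const struct model_cred *c, const struct model_tun *t)
{
	bool restricted = t->owner != INVALID_ID || t->group != INVALID_ID;

	if (c->has_net_admin)
		return true;
	if (!restricted)
		return true;
	if (t->owner != INVALID_ID && c->euid == t->owner)
		return true;
	if (t->group != INVALID_ID && in_egroup(c, t->group))
		return true;
	return false;
}

/* Constructed sample data: a device owned by uid 1000 with group 2000, and
 * callers in the four positions that matter. */
static const struct model_tun sample_dev = { .owner = 1000, .group = 2000 };
static const struct model_tun unowned_dev = { .owner = INVALID_ID, .group = INVALID_ID };

static const struct model_cred owner_not_in_group = {
	.euid = 1000, .egid = 1000, .groups = { 1000 }, .ngroups = 1, .has_net_admin = false };
static const struct model_cred member_not_owner = {
	.euid = 1001, .egid = 1001, .groups = { 2000 }, .ngroups = 1, .has_net_admin = false };
static const struct model_cred stranger = {
	.euid = 1002, .egid = 1002, .groups = { 1002 }, .ngroups = 1, .has_net_admin = false };
static const struct model_cred admin = {
	.euid = 0, .egid = 0, .groups = { 0 }, .ngroups = 1, .has_net_admin = true };

static void show(const char *who, const struct model_cred *c, const struct model_tun *t)
{
	printf("%-20s old=%s new=%s\n", who,
	       old_policy_allows(c, t) ? "allow" : "deny",
	       new_policy_allows(c, t) ? "allow" : "deny");
}

int main(void)
{
	show("owner, not in group", &owner_not_in_group, &sample_dev);
	show("member, not owner", &member_not_owner, &sample_dev);
	show("stranger", &stranger, &sample_dev);
	show("capable admin", &admin, &sample_dev);
	show("stranger, unowned", &stranger, &unowned_dev);
	return 0;
}
```

The first row is the lockout from the commit message: under the old rule the owner of the device is denied because the group check is still applied after the user check has matched; under the relaxed rule either match is sufficient, while a caller matching neither is still refused.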