Re: [PATCH net-next] tun: fix group permission check

From: Jason Wang
Date: Thu Dec 05 2024 - 21:42:59 EST


On Fri, Dec 6, 2024 at 12:50 AM Willem de Bruijn
<willemdebruijn.kernel@xxxxxxxxx> wrote:
>
> Stas Sergeev wrote:
> > Currently tun checks the group permission even if the user has matched.
> > Besides going against the usual permission semantic, this has a
> > very interesting implication: if the tun group is not among the
> > supplementary groups of the tun user, then effectively no one can
> > access the tun device. CAP_SYS_ADMIN still can, but it's the same as
> > not setting the tun ownership.
> >
> > This patch relaxes the group checking so that either the user match
> > or the group match is enough. This avoids the situation when no one
> > can access the device even though the ownership is properly set.
> >
> > Also I simplified the logic by removing the redundant inversions:
> > tun_not_capable() --> !tun_capable()
> >
> > Signed-off-by: Stas Sergeev <stsp2@xxxxxxxxx>
> >
> > CC: Willem de Bruijn <willemdebruijn.kernel@xxxxxxxxx>
> > CC: Jason Wang <jasowang@xxxxxxxxxx>
> > CC: Andrew Lunn <andrew+netdev@xxxxxxx>
> > CC: "David S. Miller" <davem@xxxxxxxxxxxxx>
> > CC: Eric Dumazet <edumazet@xxxxxxxxxx>
> > CC: Jakub Kicinski <kuba@xxxxxxxxxx>
> > CC: Paolo Abeni <pabeni@xxxxxxxxxx>
> > CC: netdev@xxxxxxxxxxxxxxx
> > CC: linux-kernel@xxxxxxxxxxxxxxx
>
> Reviewed-by: Willem de Bruijn <willemb@xxxxxxxxxx>
>
> A lot more readable this way too.
>

Acked-by: Jason Wang <jasowang@xxxxxxxxxx>

Thanks
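The situation the commit message describes (an owner who is not in the tun group being locked out) is easy to reproduce in a small user-space model. The block below is an added illustration, not the kernel code and not part of this thread: it models the two ownership checks on plain integers instead of kuid_t/kgid_t, uses INVALID_ID as a stand-in for "no owner/group configured", leaves the capability check out entirely, and assumes (as a modelling choice) that when neither owner nor group is set both variants allow access.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a tun device's ownership and a caller's credentials.
 * INVALID_ID plays the role of INVALID_UID / INVALID_GID. */
#define INVALID_ID ((unsigned int)-1)

struct cred_model {
    unsigned int uid;               /* effective uid of the caller */
    const unsigned int *groups;     /* supplementary groups of the caller */
    size_t ngroups;
};

struct tun_model {
    unsigned int owner;             /* uid set via TUNSETOWNER, or INVALID_ID */
    unsigned int group;             /* gid set via TUNSETGROUP, or INVALID_ID */
};

/* Stand-in for in_egroup_p(): is gid among the caller's groups? */
static bool in_group(const struct cred_model *c, unsigned int gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* Old semantics as described in the thread: a configured owner must match
 * AND a configured group must match. A matching owner who is not in the
 * configured group is therefore denied. */
static bool tun_capable_old(const struct tun_model *t, const struct cred_model *c)
{
    bool owner_ok = (t->owner == INVALID_ID) || (t->owner == c->uid);
    bool group_ok = (t->group == INVALID_ID) || in_group(c, t->group);
    return owner_ok && group_ok;
}

/* New semantics: a matching owner OR a matching group is enough.
 * If nothing is configured, access is allowed, as in the old model. */
static bool tun_capable_new(const struct tun_model *t, const struct cred_model *c)
{
    if (t->owner != INVALID_ID && t->owner == c->uid)
        return true;
    if (t->group != INVALID_ID && in_group(c, t->group))
        return true;
    return t->owner == INVALID_ID && t->group == INVALID_ID;
}

/* Convenience wrapper so a scenario can be evaluated against either variant. */
static bool run_case(unsigned int owner, unsigned int group,
                     unsigned int uid, const unsigned int *groups, size_t ngroups,
                     bool new_logic)
{
    struct tun_model t = { owner, group };
    struct cred_model c = { uid, groups, ngroups };
    return new_logic ? tun_capable_new(&t, &c) : tun_capable_old(&t, &c);
}

int main(void)
{
    /* Constructed sample: device owned by uid 1000, group 2000; the owner's
     * only supplementary group is 100, i.e. the lock-out case from the thread. */
    const unsigned int owner_groups[] = { 100 };
    const unsigned int member_groups[] = { 2000 };

    printf("owner not in group, old logic: %s\n",
           run_case(1000, 2000, 1000, owner_groups, 1, false) ? "allowed" : "denied");
    printf("owner not in group, new logic: %s\n",
           run_case(1000, 2000, 1000, owner_groups, 1, true) ? "allowed" : "denied");
    printf("group member, other uid, new logic: %s\n",
           run_case(1000, 2000, 1001, member_groups, 1, true) ? "allowed" : "denied");
    printf("unrelated user, new logic: %s\n",
           run_case(1000, 2000, 1001, owner_groups, 1, true) ? "allowed" : "denied");
    return 0;
}
```

Under the old model the first case is denied even though the owner is set correctly; under the new model the owner and any member of the group get access, while an unrelated user is still refused. The real check additionally short-circuits on the capability the thread mentions, which this model omits.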