1 | // SPDX-License-Identifier: GPL-2.0 |
2 | #include <linux/bpf.h> |
3 | #include <bpf/bpf_helpers.h> |
4 | #include <bpf/bpf_tracing.h> |
5 | #include <errno.h> |
6 | #include <linux/capability.h> |
7 | |
/*
 * Local stand-in for the kernel's kernel_cap_t: a single 64-bit word in
 * which bit N stands for capability N (cf. cap_mask in test_userns_create).
 * NOTE(review): this only models the u64 layout; confirm it matches the
 * kernel_cap_t of the kernels this program is meant to be loaded on.
 */
typedef struct { unsigned long long val; } kernel_cap_t;
9 | |
/*
 * Minimal CO-RE view of the kernel's struct cred: only the one field this
 * program reads is declared. preserve_access_index makes the field access
 * relocatable, so the offset of cap_effective is resolved on the running
 * kernel rather than taken from this declaration.
 */
struct cred {
	kernel_cap_t cap_effective;
} __attribute__((preserve_access_index));
13 | |
/* License declaration the loader reads from the "license" section. */
char _license[] SEC("license") = "GPL";
15 | |
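/*
 * LSM hook on userns_create: deny creation of a user namespace unless the
 * requesting task holds CAP_SYS_ADMIN in its effective capability set.
 *
 * @cred: credentials of the task requesting the new user namespace; only
 *        cap_effective is read, via the CO-RE struct cred declared above.
 * @ret:  verdict already established for this hook before this program
 *        ran. When it is non-zero this program returns 0 without looking
 *        at the capabilities — presumably so an earlier decision is not
 *        overridden; confirm against the hook-chaining rules in use.
 *
 * Returns 0 to allow the operation and -EPERM to deny it. The default is
 * to deny: only an explicit CAP_SYS_ADMIN bit leads to 0.
 *
 * The former `ret = -EPERM;` store was dropped: ret was never read after
 * it, and the denial is returned as a literal below.
 */
SEC("lsm.s/userns_create")
int BPF_PROG(test_userns_create, const struct cred *cred, int ret)
{
	kernel_cap_t caps = cred->cap_effective;
	/* Bit position of CAP_SYS_ADMIN in the 64-bit capability word. */
	__u64 cap_mask = 1ULL << CAP_SYS_ADMIN;

	/* An earlier verdict for this hook stands. */
	if (ret)
		return 0;

	/* Allow only when CAP_SYS_ADMIN is effective. */
	if (caps.val & cap_mask)
		return 0;

	return -EPERM;
}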
31 | |