From: Paul Moore <paul@paul-moore.com>
Date: Wed, 14 Jan 2026 21:00:14 +0000 (-0500)
Subject: selinux: fix a capabilities parsing typo in selinux_bpf_token_capable()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b07b6f0c5d27fafb12ae98d889ae944d308fe9f6;p=thirdparty%2Flinux.git

selinux: fix a capabilities parsing typo in selinux_bpf_token_capable()

There was a typo, likely a cut-n-paste bug, where we were checking for
SECCLASS_CAPABILITY instead of SECCLASS_CAPABILITY2.

Fixes: 5473a722f782 ("selinux: add support for BPF token access control")
Reported-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c7c19ceeeb2f1..9289ed89a8ec8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7260,7 +7260,7 @@ static int selinux_bpf_token_capable(const struct bpf_token *token, int cap)
 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
 		break;
 	case 1:
-		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP2_USERNS;
+		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
 		break;
 	default:
 		pr_err("SELinux:  out of range capability %d\n", cap);