1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/bpf.h>
3 #include <bpf/bpf_helpers.h>
4 #include <bpf/bpf_tracing.h>
5 #include <errno.h>
6 #include <linux/capability.h>
7 
8 struct kernel_cap_struct {
9 	__u64 val;
10 } __attribute__((preserve_access_index));
11 
12 struct cred {
13 	struct kernel_cap_struct cap_effective;
14 } __attribute__((preserve_access_index));
15 
16 char _license[] SEC("license") = "GPL";
17 
18 SEC("lsm.s/userns_create")
19 int BPF_PROG(test_userns_create, const struct cred *cred, int ret)
20 {
21 	struct kernel_cap_struct caps = cred->cap_effective;
22 	__u64 cap_mask = BIT_LL(CAP_SYS_ADMIN);
23 
24 	if (ret)
25 		return 0;
26 
27 	ret = -EPERM;
28 	if (caps.val & cap_mask)
29 		return 0;
30 
31 	return -EPERM;
32 }
33