selinux: fix a capabilities parsing typo in selinux_bpf_token_capable()

pcmoore · pcmoore · commit b07b6f0c5d27 · 2026-01-14T16:15:09.000-05:00
There was a typo, likely a cut-n-paste bug, where we were checking for SECCLASS_CAPABILITY instead of SECCLASS_CAPABILITY2. Fixes: 5473a72 ("selinux: add support for BPF token access control") Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
@@ -7260,7 +7260,7 @@ static int selinux_bpf_token_capable(const struct bpf_token *token, int cap)
 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
 		break;
 	case 1:
-		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP2_USERNS;
+		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
 		break;
 	default:
 		pr_err("SELinux:  out of range capability %d\n", cap);
