net-ipv6: IPV6_TRANSPARENT - check NET_RAW prior to NET_ADMIN

NET_RAW is less dangerous, so more likely to be available to a process,
so check it first to prevent some spurious logging.

This matches IP_TRANSPARENT which checks NET_RAW first.

Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 264c292..79fc012 100644 (file)
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -363,8 +363,8 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
                break;
 
        case IPV6_TRANSPARENT:
-               if (valbool && !ns_capable(net->user_ns, CAP_NET_ADMIN) &&
-                   !ns_capable(net->user_ns, CAP_NET_RAW)) {
+               if (valbool && !ns_capable(net->user_ns, CAP_NET_RAW) &&
+                   !ns_capable(net->user_ns, CAP_NET_ADMIN)) {
                        retv = -EPERM;
                        break;
                }