net-ipv6: IPV6_TRANSPARENT - check NET_RAW prior to NET_ADMIN
author Maciej Żenczykowski <maze@google.com>
Thu, 21 Nov 2019 21:19:08 +0000 (13:19 -0800)
committer David S. Miller <davem@davemloft.net>
Fri, 22 Nov 2019 03:15:20 +0000 (19:15 -0800)
NET_RAW is less dangerous, so more likely to be available to a process,
so check it first to prevent some spurious logging.

This matches IP_TRANSPARENT which checks NET_RAW first.

Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/ipv6_sockglue.c

index 264c292e7dcc479b0020a9c712291fac73ae3a06..79fc012dd2cae44b69057c168037b018775d1f49 100644 (file)
@@ -363,8 +363,8 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
                break;
 
        case IPV6_TRANSPARENT:
-               if (valbool && !ns_capable(net->user_ns, CAP_NET_ADMIN) &&
-                   !ns_capable(net->user_ns, CAP_NET_RAW)) {
+               if (valbool && !ns_capable(net->user_ns, CAP_NET_RAW) &&
+                   !ns_capable(net->user_ns, CAP_NET_ADMIN)) {
                        retv = -EPERM;
                        break;
                }
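
Review bot: the order of the two ns_capable() calls in the IPV6_TRANSPARENT condition now matters for a reason the code itself does not show, so a short comment above the `if` would help. It could say that CAP_NET_RAW is tested first so that a process holding only that capability short-circuits before the CAP_NET_ADMIN check and does not trigger the spurious logging the commit message mentions. Without it, a later cleanup could swap the operands back without anyone noticing. The access decision is unchanged by the reorder: `retv = -EPERM` is still reached only when valbool is set and both capabilities are missing.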