Message ID | 20230511142535.732324-4-cgzones@googlemail.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | None | expand |
On Thu, May 11, 2023 at 04:25:27PM +0200, Christian Göttsche wrote: > Use the new added capable_any function in appropriate cases, where a > task is required to have any of two capabilities. What is this new function and why should we using it? Your also forgot to Cc the block list on the entire series, making this page completely unreviewable.
On Thu, 11 May 2023 at 17:35, Christoph Hellwig <hch@infradead.org> wrote: > > On Thu, May 11, 2023 at 04:25:27PM +0200, Christian Göttsche wrote: > > Use the new added capable_any function in appropriate cases, where a > > task is required to have any of two capabilities. > > What is this new function and why should we using it? Quoting the description from https://lore.kernel.org/all/20230511142535.732324-10-cgzones@googlemail.com/ : Add the interfaces `capable_any()` and `ns_capable_any()` as an alternative to multiple `capable()`/`ns_capable()` calls, like `capable_any(CAP_SYS_NICE, CAP_SYS_ADMIN)` instead of `capable(CAP_SYS_NICE) || capable(CAP_SYS_ADMIN)`. `capable_any()`/`ns_capable_any()` will in particular generate exactly one audit message, either for the left most capability in effect or, if the task has none, the first one. This is especially helpful with regard to SELinux, where each audit message about a not allowed capability request will create a denial message. Using this new wrapper with the least invasive capability as left most argument (e.g. CAP_SYS_NICE before CAP_SYS_ADMIN) enables policy writers to only grant the least invasive one for the particular subject instead of both. > Your also forgot to Cc the block list on the entire series, making this > page completely unreviewable.
diff --git a/block/ioprio.c b/block/ioprio.c index 32a456b45804..0a7df88bf6d9 100644 --- a/block/ioprio.c +++ b/block/ioprio.c @@ -37,14 +37,7 @@ int ioprio_check_cap(int ioprio) switch (class) { case IOPRIO_CLASS_RT: - /* - * Originally this only checked for CAP_SYS_ADMIN, - * which was implicitly allowed for pid 0 by security - * modules such as SELinux. Make sure we check - * CAP_SYS_ADMIN first to avoid a denial/avc for - * possibly missing CAP_SYS_NICE permission. - */ - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_NICE)) + if (!capable_any(CAP_SYS_NICE, CAP_SYS_ADMIN)) return -EPERM; fallthrough; /* rt has prio field too */
Use the new added capable_any function in appropriate cases, where a task is required to have any of two capabilities. Reorder CAP_SYS_ADMIN last. Fixes: 94c4b4fd25e6 ("block: Check ADMIN before NICE for IOPRIO_CLASS_RT") Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- v3: rename to capable_any() --- block/ioprio.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-)