Message ID | 20241125104011.36552-8-cgoettsche@seltendoof.de (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | None | expand |
On Mon, Nov 25, 2024 at 11:40:01AM +0100, Christian Göttsche wrote: > From: Christian Göttsche <cgzones@googlemail.com> > > capable() calls refer to enabled LSMs whether to permit or deny the > request. This is relevant in connection with SELinux, where a > capability check results in a policy decision and by default a denial > message on insufficient permission is issued. > It can lead to three undesired cases: > 1. A denial message is generated, even in case the operation was an > unprivileged one and thus the syscall succeeded, creating noise. > 2. To avoid the noise from 1. the policy writer adds a rule to ignore > those denial messages, hiding future syscalls, where the task > performs an actual privileged operation, leading to hidden limited > functionality of that task. > 3. To avoid the noise from 1. the policy writer adds a rule to permit > the task the requested capability, while it does not need it, > violating the principle of least privilege. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > --- Reviewed-by: Christian Brauner <brauner@kernel.org>
diff --git a/fs/fhandle.c b/fs/fhandle.c index 5f801139358e..01b3e14e07de 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c @@ -265,9 +265,9 @@ static inline bool may_decode_fh(struct handle_to_path_ctx *ctx, if (ns_capable(root->mnt->mnt_sb->s_user_ns, CAP_SYS_ADMIN)) ctx->flags = HANDLE_CHECK_PERMS; else if (is_mounted(root->mnt) && + !has_locked_children(real_mount(root->mnt), root->dentry) && ns_capable(real_mount(root->mnt)->mnt_ns->user_ns, - CAP_SYS_ADMIN) && - !has_locked_children(real_mount(root->mnt), root->dentry)) + CAP_SYS_ADMIN)) ctx->flags = HANDLE_CHECK_PERMS | HANDLE_CHECK_SUBTREE; else return false;