From patchwork Sun Mar 2 16:06:40 2025
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 13997870
From: Christian Göttsche
Cc: Christian Göttsche, Serge Hallyn, Jan Kara, Julia Lawall, Nicolas Palix, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, cocci@inria.fr, Muchun Song, linux-mm@kvack.org
Subject: [PATCH v2 04/11] hugetlbfs: reorder capability check last
Date: Sun, 2 Mar 2025 17:06:40 +0100
Message-ID: <20250302160657.127253-3-cgoettsche@seltendoof.de>
In-Reply-To: <20250302160657.127253-1-cgoettsche@seltendoof.de>
References: <20250302160657.127253-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com

From: Christian Göttsche

capable() calls refer to enabled LSMs whether to permit or deny the
request. This is relevant in connection with SELinux, where a
capability check results in a policy decision and by default a denial
message on insufficient permission is issued.

It can lead to three undesired cases:

  1. A denial message is generated, even in case the operation was an
     unprivileged one and thus the syscall succeeded, creating noise.
  2. To avoid the noise from 1. the policy writer adds a rule to ignore
     those denial messages, hiding future syscalls, where the task
     performs an actual privileged operation, leading to hidden limited
     functionality of that task.
  3. To avoid the noise from 1. the policy writer adds a rule to permit
     the task the requested capability, while it does not need it,
     violating the principle of least privilege.

Signed-off-by: Christian Göttsche
Reviewed-by: Serge Hallyn
--- fs/hugetlbfs/inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 0fc179a59830..e36b0e6df720 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -1503,7 +1503,7 @@ static int can_do_hugetlb_shm(void) { kgid_t shm_group; shm_group = make_kgid(&init_user_ns, sysctl_hugetlb_shm_group); - return capable(CAP_IPC_LOCK) || in_group_p(shm_group); + return in_group_p(shm_group) || capable(CAP_IPC_LOCK); } static int get_hstate_idx(int page_size_log)
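
Review bot: The return statement in can_do_hugetlb_shm() now depends on the order of its two operands, but nothing in the function says so, and the commit message lists the three undesired cases without stating what the change does about them. Because `||` short-circuits, putting in_group_p(shm_group) first means capable(CAP_IPC_LOCK), and with it the LSM decision, is only reached when the group check fails. A one-line comment above the return saying that the capability check is deliberately last would keep a later cleanup from swapping the operands back, and a closing sentence in the message (the capability check is moved last so it is skipped when group membership already grants access, with the function's result unchanged) would make the log self-contained. A task that is not in shm_group still reaches capable(), so the reorder leaves that path as it was.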