* [PATCH] block: grant IOPRIO_CLASS_RT to CAP_SYS_NICE
@ 2020-08-24 20:45 Khazhismel Kumykov
From: Khazhismel Kumykov @ 2020-08-24 20:45 UTC
To: Jens Axboe
Cc: Serge Hallyn, Paolo Valente, Bart Van Assche, linux-block,
linux-kernel, linux-security-module, Khazhismel Kumykov
CAP_SYS_ADMIN is too broad, and ionice fits into CAP_SYS_NICE's grouping.
Retain CAP_SYS_ADMIN permission for backwards compatibility.
Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
---
block/ioprio.c | 2 +-
include/uapi/linux/capability.h | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/block/ioprio.c b/block/ioprio.c
index 77bcab11dce5..4572456430f9 100644
--- a/block/ioprio.c
+++ b/block/ioprio.c
@@ -69,7 +69,7 @@ int ioprio_check_cap(int ioprio)
switch (class) {
case IOPRIO_CLASS_RT:
- if (!capable(CAP_SYS_ADMIN))
+ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_NICE))
return -EPERM;
/* fall through */
/* rt has prio field too */
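Review bot: the new condition on the IOPRIO_CLASS_RT line is inverted. `if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_NICE))` returns -EPERM unless the caller holds both capabilities, so a caller with only CAP_SYS_ADMIN, which the commit message says must keep working, is now rejected, and a caller with only CAP_SYS_NICE gains nothing. The stated intent (either capability suffices) needs the checks combined with `&&`:
`if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_NICE))`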
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 395dd0df8d08..c6ca33034147 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -288,6 +288,8 @@ struct vfs_ns_cap_data {
processes and setting the scheduling algorithm used by another
process. */
/* Allow setting cpu affinity on other processes */
+/* Allow setting realtime ioprio class */
+/* Allow setting ioprio class on other processes */
#define CAP_SYS_NICE 23
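Review bot: the second added comment, "Allow setting ioprio class on other processes", describes a permission that the block/ioprio.c change in this patch does not touch; that hunk only gates IOPRIO_CLASS_RT for the calling task. Either this line documents behaviour that already exists, in which case the commit message should say so, or it promises something this patch does not implement. The first added comment, "Allow setting realtime ioprio class", matches the code change and can stay as is.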
--
2.28.0.297.g1956fa8f8d-goog
* Re: [PATCH] block: grant IOPRIO_CLASS_RT to CAP_SYS_NICE
From: Khazhismel Kumykov @ 2020-08-24 20:48 UTC
To: Jens Axboe
Cc: Serge Hallyn, Paolo Valente, Bart Van Assche, linux-block,
Linux Kernel Mailing List, linux-security-module
On Mon, Aug 24, 2020 at 1:45 PM Khazhismel Kumykov <khazhy@google.com> wrote:
>
> CAP_SYS_ADMIN is too broad, and ionice fits into CAP_SYS_NICE's grouping.
>
> Retain CAP_SYS_ADMIN permission for backwards compatibility.
>
> Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
> ---
> block/ioprio.c | 2 +-
> include/uapi/linux/capability.h | 2 ++
> 2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/block/ioprio.c b/block/ioprio.c
> index 77bcab11dce5..4572456430f9 100644
> --- a/block/ioprio.c
> +++ b/block/ioprio.c
> @@ -69,7 +69,7 @@ int ioprio_check_cap(int ioprio)
>
> switch (class) {
> case IOPRIO_CLASS_RT:
> - if (!capable(CAP_SYS_ADMIN))
> + if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_NICE))
yikes, sorry for the spam
> return -EPERM;
> /* fall through */
> /* rt has prio field too */
> diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
> index 395dd0df8d08..c6ca33034147 100644
> --- a/include/uapi/linux/capability.h
> +++ b/include/uapi/linux/capability.h
> @@ -288,6 +288,8 @@ struct vfs_ns_cap_data {
> processes and setting the scheduling algorithm used by another
> process. */
> /* Allow setting cpu affinity on other processes */
> +/* Allow setting realtime ioprio class */
> +/* Allow setting ioprio class on other processes */
>
> #define CAP_SYS_NICE 23
>
> --
> 2.28.0.297.g1956fa8f8d-goog
>