From: Bart Van Assche <bvanassche@acm.org>
To: Alistair Delva <adelva@google.com>, linux-kernel@vger.kernel.org
Cc: Khazhismel Kumykov <khazhy@google.com>,
	Serge Hallyn <serge@hallyn.com>, Jens Axboe <axboe@kernel.dk>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Paul Moore <paul@paul-moore.com>,
	selinux@vger.kernel.org, linux-security-module@vger.kernel.org,
	kernel-team@android.com, stable@vger.kernel.org
Subject: Re: [PATCH v2] block: Check ADMIN before NICE for IOPRIO_CLASS_RT
Date: Mon, 15 Nov 2021 10:40:00 -0800
Message-ID: <da032e9f-0b95-f517-6e3c-647668fd823f@acm.org>
In-Reply-To: <20211115181655.3608659-1-adelva@google.com>

On 11/15/21 10:16 AM, Alistair Delva wrote:
> Booting to Android userspace on 5.14 or newer triggers the following
> SELinux denial:
> 
> avc: denied { sys_nice } for comm="init" capability=23
>       scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability
>       permissive=0
> 
> Init is PID 0 running as root, so it already has CAP_SYS_ADMIN. For
> better compatibility with older SEPolicy, check ADMIN before NICE.
> 
> Fixes: 9d3a39a5f1e4 ("block: grant IOPRIO_CLASS_RT to CAP_SYS_NICE")
> Signed-off-by: Alistair Delva <adelva@google.com>
> Cc: Khazhismel Kumykov <khazhy@google.com>
> Cc: Bart Van Assche <bvanassche@acm.org>
> Cc: Serge Hallyn <serge@hallyn.com>
> Cc: Jens Axboe <axboe@kernel.dk>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: Paul Moore <paul@paul-moore.com>
> Cc: selinux@vger.kernel.org
> Cc: linux-security-module@vger.kernel.org
> Cc: kernel-team@android.com
> Cc: stable@vger.kernel.org # v5.14+
> ---
> v2: added comment requested by Jens
>   block/ioprio.c | 9 ++++++++-
>   1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/block/ioprio.c b/block/ioprio.c
> index 0e4ff245f2bf..313c14a70bbd 100644
> --- a/block/ioprio.c
> +++ b/block/ioprio.c
> @@ -69,7 +69,14 @@ int ioprio_check_cap(int ioprio)
>   
>   	switch (class) {
>   		case IOPRIO_CLASS_RT:
> -			if (!capable(CAP_SYS_NICE) && !capable(CAP_SYS_ADMIN))
> +			/*
> +			 * Originally this only checked for CAP_SYS_ADMIN,
> +			 * which was implicitly allowed for pid 0 by security
> +			 * modules such as SELinux. Make sure we check
> +			 * CAP_SYS_ADMIN first to avoid a denial/avc for
> +			 * possibly missing CAP_SYS_NICE permission.
> +			 */
> +			if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_NICE))
>   				return -EPERM;
>   			fallthrough;
>   			/* rt has prio field too */
> 
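Review bot: the new comment in this hunk says CAP_SYS_ADMIN "was implicitly allowed for pid 0", but init runs as PID 1 (PID 0 is the idle task), and the comment overstates what the reorder does: swapping the two capable() calls does not change the access decision, since either capability is still accepted; it only changes which check is evaluated, and therefore audited, first. The flip side, worth stating in the comment, is that a task granted only CAP_SYS_NICE will now hit the failing CAP_SYS_ADMIN check first and log a sys_admin avc denial instead. Suggest rewording along the lines of "Check CAP_SYS_ADMIN first so that a task holding it (such as init under policies that never grant it sys_nice) does not trigger an avc denial for CAP_SYS_NICE" and replacing "pid 0" with "PID 1".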

Are there any other SELinux policies (Fedora?) that need to be verified?

Anyway:

Reviewed-by: Bart Van Assche <bvanassche@acm.org>
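An added example, not code from this thread or from block/ioprio.c: a user-space C model of the IOPRIO_CLASS_RT branch of ioprio_check_cap() before and after the patch, with a stand-in for capable() that records every failed capability check the way an enforcing SELinux policy logs an avc denial. The struct task, the denial record and run_check() are assumptions of this model; the capability numbers and the ioprio encoding follow the uapi headers. It shows why the order of two otherwise equivalent checks matters here, and what it costs.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Capability numbers as in include/uapi/linux/capability.h. */
#define CAP_SYS_ADMIN 21
#define CAP_SYS_NICE  23

/* I/O priority encoding as in include/uapi/linux/ioprio.h (class in the top bits). */
#define IOPRIO_CLASS_SHIFT 13
#define IOPRIO_PRIO_CLASS(ioprio) ((ioprio) >> IOPRIO_CLASS_SHIFT)
#define IOPRIO_PRIO_VALUE(class, data) (((class) << IOPRIO_CLASS_SHIFT) | (data))
enum { IOPRIO_CLASS_NONE, IOPRIO_CLASS_RT, IOPRIO_CLASS_BE, IOPRIO_CLASS_IDLE };

/* Model of the calling task (an assumption of this example): a capability
 * bitmask plus a record of every capability check that failed, standing in
 * for the avc denial an enforcing SELinux policy would log. */
struct task {
    unsigned long caps;
    int denied[2];
    int ndenied;
};

/* Stand-in for capable(): a failed check is "audited" before returning false. */
static bool capable(struct task *t, int cap)
{
    if (t->caps & (1UL << cap))
        return true;
    if (t->ndenied < 2)
        t->denied[t->ndenied++] = cap;
    return false;
}

/* The RT branch as it was before the patch (CAP_SYS_NICE checked first). */
static int ioprio_check_cap_old(struct task *t, int ioprio)
{
    if (IOPRIO_PRIO_CLASS(ioprio) != IOPRIO_CLASS_RT)
        return 0;
    if (!capable(t, CAP_SYS_NICE) && !capable(t, CAP_SYS_ADMIN))
        return -EPERM;
    return 0;
}

/* The RT branch as the patch leaves it (CAP_SYS_ADMIN checked first). */
static int ioprio_check_cap_new(struct task *t, int ioprio)
{
    if (IOPRIO_PRIO_CLASS(ioprio) != IOPRIO_CLASS_RT)
        return 0;
    if (!capable(t, CAP_SYS_ADMIN) && !capable(t, CAP_SYS_NICE))
        return -EPERM;
    return 0;
}

/* Run one check on a fresh task holding 'caps'. Returns the check's result;
 * *ndenied receives the number of audited denials and *first the capability
 * named by the first of them (-1 if none). */
static int run_check(bool new_order, unsigned long caps, int ioprio,
                     int *ndenied, int *first)
{
    struct task t = { .caps = caps, .ndenied = 0 };
    int ret = new_order ? ioprio_check_cap_new(&t, ioprio)
                        : ioprio_check_cap_old(&t, ioprio);
    *ndenied = t.ndenied;
    *first = t.ndenied ? t.denied[0] : -1;
    return ret;
}

static const char *capname(int cap)
{
    return cap == CAP_SYS_ADMIN ? "sys_admin" : cap == CAP_SYS_NICE ? "sys_nice" : "-";
}

int main(void)
{
    /* Constructed sample tasks: an init-like task, a sys_nice-only task, nobody. */
    const struct { const char *who; unsigned long caps; } tasks[] = {
        { "init (CAP_SYS_ADMIN only)", 1UL << CAP_SYS_ADMIN },
        { "CAP_SYS_NICE only",         1UL << CAP_SYS_NICE },
        { "unprivileged",              0 },
    };
    int rt = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_RT, 4);

    for (size_t i = 0; i < sizeof tasks / sizeof tasks[0]; i++) {
        for (int new_order = 0; new_order <= 1; new_order++) {
            int nd, first;
            int ret = run_check(new_order, tasks[i].caps, rt, &nd, &first);
            printf("%-28s %s order: ret=%d, denials=%d, first denied=%s\n",
                   tasks[i].who, new_order ? "new" : "old", ret, nd, capname(first));
        }
    }
    return 0;
}
```

The model leaves out the priority-data range check that the real function falls through to after the capability test, and its denial record is a stand-in for the LSM audit path, not the kernel's code. What it makes visible is that the decision is identical under both orderings for every task, while the audited denial moves: the reorder silences the spurious sys_nice avc for a task that holds CAP_SYS_ADMIN (the init case in the commit message) and instead produces a sys_admin avc for a task that was granted only CAP_SYS_NICE, which is the case a policy author should check after applying this patch.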


Thread overview: 4+ messages
2021-11-15 18:16 [PATCH v2] block: Check ADMIN before NICE for IOPRIO_CLASS_RT Alistair Delva
2021-11-15 18:40 ` Bart Van Assche [this message]
2021-11-15 19:26 ` Serge E. Hallyn
2021-11-15 21:37 ` Jens Axboe
