From: Ondrej Mosnacek <omosnace@redhat.com>
To: "Darrick J . Wong" <darrick.wong@oracle.com>, linux-xfs@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH] xfs: use has_capability_noaudit() instead of capable() where appropriate
Date: Tue, 16 Mar 2021 18:32:26 +0100 [thread overview]
Message-ID: <20210316173226.2220046-1-omosnace@redhat.com> (raw)
In cases when a negative result of a capability check doesn't lead to an
immediate, user-visible error, only a subtle difference in behavior, it
is better to use has_capability_noaudit(current, ...), so that LSMs
(e.g. SELinux) don't generate a denial record in the audit log each time
the capability status is queried. This patch should cover all such cases
in fs/xfs/.
Note that I kept the capable(CAP_FSETID) checks, since these will only
be executed if the user explicitly tries to set the SUID/SGID bit, and
it likely makes sense to log such attempts even if the syscall doesn't
fail and just ignores the bits.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
fs/xfs/xfs_fsmap.c | 4 ++--
fs/xfs/xfs_ioctl.c | 5 ++++-
fs/xfs/xfs_iops.c | 6 ++++--
fs/xfs/xfs_xattr.c | 2 +-
4 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
index 9ce5e7d5bf8f..14672e7ee535 100644
--- a/fs/xfs/xfs_fsmap.c
+++ b/fs/xfs/xfs_fsmap.c
@@ -842,8 +842,8 @@ xfs_getfsmap(
!xfs_getfsmap_is_valid_device(mp, &head->fmh_keys[1]))
return -EINVAL;
- use_rmap = capable(CAP_SYS_ADMIN) &&
- xfs_sb_version_hasrmapbt(&mp->m_sb);
+ use_rmap = xfs_sb_version_hasrmapbt(&mp->m_sb) &&
+ has_capability_noaudit(current, CAP_SYS_ADMIN);
head->fmh_entries = 0;
/* Set up our device handlers. */
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index 3fbd98f61ea5..3cfc1a25069c 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -1470,8 +1470,11 @@ xfs_ioctl_setattr(
if (XFS_IS_QUOTA_RUNNING(mp) && XFS_IS_PQUOTA_ON(mp) &&
ip->i_d.di_projid != fa->fsx_projid) {
+ int flags = has_capability_noaudit(current, CAP_FOWNER) ?
+ XFS_QMOPT_FORCE_RES : 0;
+
code = xfs_qm_vop_chown_reserve(tp, ip, NULL, NULL, pdqp,
- capable(CAP_FOWNER) ? XFS_QMOPT_FORCE_RES : 0);
+ flags);
if (code) /* out of quota */
goto error_trans_cancel;
}
diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
index 67c8dc9de8aa..abbb417c4fbd 100644
--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -729,10 +729,12 @@ xfs_setattr_nonsize(
if (XFS_IS_QUOTA_RUNNING(mp) &&
((XFS_IS_UQUOTA_ON(mp) && !uid_eq(iuid, uid)) ||
(XFS_IS_GQUOTA_ON(mp) && !gid_eq(igid, gid)))) {
+ int flags = has_capability_noaudit(current, CAP_FOWNER) ?
+ XFS_QMOPT_FORCE_RES : 0;
+
ASSERT(tp);
error = xfs_qm_vop_chown_reserve(tp, ip, udqp, gdqp,
- NULL, capable(CAP_FOWNER) ?
- XFS_QMOPT_FORCE_RES : 0);
+ NULL, flags);
if (error) /* out of quota */
goto out_cancel;
}
diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c
index bca48b308c02..a99d19c2c11f 100644
--- a/fs/xfs/xfs_xattr.c
+++ b/fs/xfs/xfs_xattr.c
@@ -164,7 +164,7 @@ xfs_xattr_put_listent(
* Only show root namespace entries if we are actually allowed to
* see them.
*/
- if (!capable(CAP_SYS_ADMIN))
+ if (!has_capability_noaudit(current, CAP_SYS_ADMIN))
return;
prefix = XATTR_TRUSTED_PREFIX;
--
2.30.2
next reply other threads:[~2021-03-16 17:33 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-16 17:32 Ondrej Mosnacek [this message]
2021-03-16 20:50 ` [PATCH] xfs: use has_capability_noaudit() instead of capable() where appropriate Dave Chinner
2021-03-18 9:51 ` Ondrej Mosnacek
2021-03-19 6:00 ` Dave Chinner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210316173226.2220046-1-omosnace@redhat.com \
--to=omosnace@redhat.com \
--cc=darrick.wong@oracle.com \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).