linux-kernel.vger.kernel.org archive mirror
* [PATCH] f2fs: avoid selinux denial on CAP_SYS_RESOURCE
@ 2018-03-09  4:49 Jaegeuk Kim
  2018-03-09  6:22 ` Chao Yu
  0 siblings, 1 reply; 4+ messages in thread
From: Jaegeuk Kim @ 2018-03-09  4:49 UTC
  To: linux-kernel, linux-f2fs-devel; +Cc: Jaegeuk Kim

This fixes CAP_SYS_RESOURCE denial of selinux when using resgid.

Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
 fs/f2fs/f2fs.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index f6dc70666ebb..3d12277fbe9e 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1607,13 +1607,13 @@ static inline bool __allow_reserved_blocks(struct f2fs_sb_info *sbi,
 		return false;
 	if (IS_NOQUOTA(inode))
 		return true;
-	if (capable(CAP_SYS_RESOURCE))
-		return true;
 	if (uid_eq(sbi->s_resuid, current_fsuid()))
 		return true;
 	if (!gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) &&
 					in_group_p(sbi->s_resgid))
 		return true;
+	if (capable(CAP_SYS_RESOURCE))
+		return true;
 	return false;
 }
 
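Review bot: The capable(CAP_SYS_RESOURCE) check moved to just before the final `return false` needs a short comment saying the ordering is deliberate, because the function's return value is the same either way and nothing in the hunk or the one-line commit message explains why the order matters. As discussed in the thread, a failed capable() call is what produces the selinux denial log, so the comment and the commit message should state that the resuid and resgid tests run first to avoid that log when they already grant access. The commit message should also say that callers matching neither s_resuid nor s_resgid still reach capable() and can still trigger the denial, so the change covers only the resuid/resgid case.
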
-- 
2.15.0.531.g2ccb3012c9-goog


* Re: [PATCH] f2fs: avoid selinux denial on CAP_SYS_RESOURCE
  2018-03-09  4:49 [PATCH] f2fs: avoid selinux denial on CAP_SYS_RESOURCE Jaegeuk Kim
@ 2018-03-09  6:22 ` Chao Yu
  2018-03-09 21:57   ` Jaegeuk Kim
  0 siblings, 1 reply; 4+ messages in thread
From: Chao Yu @ 2018-03-09  6:22 UTC
  To: Jaegeuk Kim, linux-kernel, linux-f2fs-devel

On 2018/3/9 12:49, Jaegeuk Kim wrote:
> This fixes CAP_SYS_RESOURCE denial of selinux when using resgid.

A little confusion: if capable(CAP_SYS_RESOURCE) is false, we still have a chance
to return true for the resuid & resgid cases below, right?

Thanks,

> 
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> ---
>  fs/f2fs/f2fs.h | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
> index f6dc70666ebb..3d12277fbe9e 100644
> --- a/fs/f2fs/f2fs.h
> +++ b/fs/f2fs/f2fs.h
> @@ -1607,13 +1607,13 @@ static inline bool __allow_reserved_blocks(struct f2fs_sb_info *sbi,
>  		return false;
>  	if (IS_NOQUOTA(inode))
>  		return true;
> -	if (capable(CAP_SYS_RESOURCE))
> -		return true;
>  	if (uid_eq(sbi->s_resuid, current_fsuid()))
>  		return true;
>  	if (!gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) &&
>  					in_group_p(sbi->s_resgid))
>  		return true;
> +	if (capable(CAP_SYS_RESOURCE))
> +		return true;
>  	return false;
>  }
>  
> 


* Re: [PATCH] f2fs: avoid selinux denial on CAP_SYS_RESOURCE
  2018-03-09  6:22 ` Chao Yu
@ 2018-03-09 21:57   ` Jaegeuk Kim
  2018-03-14 13:07     ` [f2fs-dev] " Chao Yu
  0 siblings, 1 reply; 4+ messages in thread
From: Jaegeuk Kim @ 2018-03-09 21:57 UTC
  To: Chao Yu; +Cc: linux-kernel, linux-f2fs-devel

On 03/09, Chao Yu wrote:
> On 2018/3/9 12:49, Jaegeuk Kim wrote:
> > This fixes CAP_SYS_RESOURCE denial of selinux when using resgid.
> 
> A little confusion, if capable(CAP_SYS_RESOURCE) is false, we still have chance
> to return true for below resuid & resgid cases, right?

I didn't dig into it deeply, though; it seems the selinux log came up when
capable() failed in the first place. We actually didn't need to show it, since
the next resgid check will mostly give true.

> 
> Thanks,
> 
> > 
> > Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> > ---
> >  fs/f2fs/f2fs.h | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
> > index f6dc70666ebb..3d12277fbe9e 100644
> > --- a/fs/f2fs/f2fs.h
> > +++ b/fs/f2fs/f2fs.h
> > @@ -1607,13 +1607,13 @@ static inline bool __allow_reserved_blocks(struct f2fs_sb_info *sbi,
> >  		return false;
> >  	if (IS_NOQUOTA(inode))
> >  		return true;
> > -	if (capable(CAP_SYS_RESOURCE))
> > -		return true;
> >  	if (uid_eq(sbi->s_resuid, current_fsuid()))
> >  		return true;
> >  	if (!gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) &&
> >  					in_group_p(sbi->s_resgid))
> >  		return true;
> > +	if (capable(CAP_SYS_RESOURCE))
> > +		return true;
> >  	return false;
> >  }
> >  
> > 


* Re: [f2fs-dev] [PATCH] f2fs: avoid selinux denial on CAP_SYS_RESOURCE
  2018-03-09 21:57   ` Jaegeuk Kim
@ 2018-03-14 13:07     ` Chao Yu
  0 siblings, 0 replies; 4+ messages in thread
From: Chao Yu @ 2018-03-14 13:07 UTC
  To: Jaegeuk Kim, Chao Yu; +Cc: linux-kernel, linux-f2fs-devel

On 2018/3/10 5:57, Jaegeuk Kim wrote:
> On 03/09, Chao Yu wrote:
>> On 2018/3/9 12:49, Jaegeuk Kim wrote:
>>> This fixes CAP_SYS_RESOURCE denial of selinux when using resgid.
>>
>> A little confusion, if capable(CAP_SYS_RESOURCE) is false, we still have chance
>> to return true for below resuid & resgid cases, right?
> 
> I didn't dig it deeply tho, it seems selinux log came up when capable() is
> failed in the first place. We actually didn't need to show it up, since next
> resgid will give mostly true.

Got it. How about adding this reason to the commit message? Anyway,

Reviewed-by: Chao Yu <yuchao0@huawei.com>

Thanks,

> 
>>
>> Thanks,
>>
>>>
>>> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
>>> ---
>>>  fs/f2fs/f2fs.h | 4 ++--
>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
>>> index f6dc70666ebb..3d12277fbe9e 100644
>>> --- a/fs/f2fs/f2fs.h
>>> +++ b/fs/f2fs/f2fs.h
>>> @@ -1607,13 +1607,13 @@ static inline bool __allow_reserved_blocks(struct f2fs_sb_info *sbi,
>>>  		return false;
>>>  	if (IS_NOQUOTA(inode))
>>>  		return true;
>>> -	if (capable(CAP_SYS_RESOURCE))
>>> -		return true;
>>>  	if (uid_eq(sbi->s_resuid, current_fsuid()))
>>>  		return true;
>>>  	if (!gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) &&
>>>  					in_group_p(sbi->s_resgid))
>>>  		return true;
>>> +	if (capable(CAP_SYS_RESOURCE))
>>> +		return true;
>>>  	return false;
>>>  }
>>>  
>>>
> 
