| Message ID | 20230511142535.732324-4-cgzones@googlemail.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Delegated to: | Paul Moore |
| Series | [v4,1/9] capability: introduce new capable flag NODENYAUDIT |
On Thu, May 11, 2023 at 04:25:27PM +0200, Christian Göttsche wrote:
> Use the newly added capable_any function in appropriate cases, where a
> task is required to have any of two capabilities.

What is this new function and why should we be using it?

You also forgot to Cc the block list on the entire series, making this
page completely unreviewable.
On Thu, 11 May 2023 at 17:35, Christoph Hellwig <hch@infradead.org> wrote:
>
> On Thu, May 11, 2023 at 04:25:27PM +0200, Christian Göttsche wrote:
> > Use the newly added capable_any function in appropriate cases, where a
> > task is required to have any of two capabilities.
>
> What is this new function and why should we be using it?

Quoting the description from https://lore.kernel.org/all/20230511142535.732324-10-cgzones@googlemail.com/ :

Add the interfaces `capable_any()` and `ns_capable_any()` as an
alternative to multiple `capable()`/`ns_capable()` calls, like
`capable_any(CAP_SYS_NICE, CAP_SYS_ADMIN)` instead of
`capable(CAP_SYS_NICE) || capable(CAP_SYS_ADMIN)`.

`capable_any()`/`ns_capable_any()` will in particular generate exactly
one audit message, either for the left most capability in effect or, if
the task has none, the first one.

This is especially helpful with regard to SELinux, where each audit
message about a not allowed capability request will create a denial
message. Using this new wrapper with the least invasive capability as
left most argument (e.g. CAP_SYS_NICE before CAP_SYS_ADMIN) enables
policy writers to only grant the least invasive one for the particular
subject instead of both.

> You also forgot to Cc the block list on the entire series, making this
> page completely unreviewable.
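To make the audit difference concrete, here is an added user-space model of the two checks in the ioprio hunk (example code, not kernel code and not part of this series): `model_capable()` records one denial per failed check, the way SELinux reports it, and `model_capable_any()` follows the semantics quoted above. The capability numbers are the real ones from `<linux/capability.h>`; `struct denials` and the `model_*`/`*_ioprio_rt_check` names are invented for the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of the audit behaviour quoted above (added
 * example, not kernel code). Capability numbers are real; the rest is a model. */
#define CAP_SYS_ADMIN 21
#define CAP_SYS_NICE  23
struct denials { int cap[2]; int n; }; /* capabilities denials were logged for */
static bool has_cap(unsigned long long caps, int cap) { return (caps >> cap) & 1ULL; }

/* capable(): every failed check produces its own denial record. */
static bool model_capable(unsigned long long caps, int cap, struct denials *d)
{
	if (has_cap(caps, cap))
		return true;
	d->cap[d->n++] = cap;
	return false;
}

/* capable_any(a, b) as quoted above: exactly one audit record, for the
 * left-most capability held, or a single denial for a if none is held. */
static bool model_capable_any(unsigned long long caps, int a, int b, struct denials *d)
{
	if (has_cap(caps, a) || has_cap(caps, b))
		return true;
	d->cap[d->n++] = a;
	return false;
}

/* The check this hunk removes: CAP_SYS_ADMIN first, then CAP_SYS_NICE. */
static bool old_ioprio_rt_check(unsigned long long caps, struct denials *d)
{
	return model_capable(caps, CAP_SYS_ADMIN, d) || model_capable(caps, CAP_SYS_NICE, d);
}

/* The check this hunk adds: least invasive capability first. */
static bool new_ioprio_rt_check(unsigned long long caps, struct denials *d)
{
	return model_capable_any(caps, CAP_SYS_NICE, CAP_SYS_ADMIN, d);
}

int main(void)
{
	/* A task holding only CAP_SYS_NICE, the case a least-privilege policy grants. */
	struct denials d_old = { {0, 0}, 0 }, d_new = { {0, 0}, 0 };
	unsigned long long only_nice = 1ULL << CAP_SYS_NICE;
	printf("old: allowed=%d denials=%d\n", old_ioprio_rt_check(only_nice, &d_old), d_old.n);
	printf("new: allowed=%d denials=%d\n", new_ioprio_rt_check(only_nice, &d_new), d_new.n);
	return 0;
}
```

With only CAP_SYS_NICE the old check is allowed but still logs a CAP_SYS_ADMIN denial; the new one is allowed with no denial, and a task holding neither goes from two denials to one.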
diff --git a/block/ioprio.c b/block/ioprio.c index 32a456b45804..0a7df88bf6d9 100644 --- a/block/ioprio.c +++ b/block/ioprio.c @@ -37,14 +37,7 @@ int ioprio_check_cap(int ioprio) switch (class) { case IOPRIO_CLASS_RT: - /* - * Originally this only checked for CAP_SYS_ADMIN, - * which was implicitly allowed for pid 0 by security - * modules such as SELinux. Make sure we check - * CAP_SYS_ADMIN first to avoid a denial/avc for - * possibly missing CAP_SYS_NICE permission. - */ - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_NICE)) + if (!capable_any(CAP_SYS_NICE, CAP_SYS_ADMIN)) return -EPERM; fallthrough; /* rt has prio field too */
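Review bot: the removed comment was the only place recording why the order of the two checks matters, and the replacement `if (!capable_any(CAP_SYS_NICE, CAP_SYS_ADMIN))` keeps no explanation for putting CAP_SYS_NICE first. Since capable_any() audits only the left-most capability actually held (and only the first argument when none is held), the order is now a deliberate least-privilege choice rather than the avc-avoidance workaround the old comment described, and a one-line comment such as `/* least invasive capability first; capable_any() audits only the one in effect */` above the new line would preserve that for the next reader. The Fixes: tag in the commit message also deserves a second look: this change depends on the helper introduced earlier in the series, so a stable backport picked up from that tag could not apply on its own.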
Use the newly added capable_any function in appropriate cases, where a
task is required to have any of two capabilities.

Reorder CAP_SYS_ADMIN last.

Fixes: 94c4b4fd25e6 ("block: Check ADMIN before NICE for IOPRIO_CLASS_RT")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3: rename to capable_any()
---
 block/ioprio.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)