lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180309215705.GB56123@jaegeuk-macbookpro.roam.corp.google.com>
Date:   Fri, 9 Mar 2018 13:57:05 -0800
From:   Jaegeuk Kim <jaegeuk@...nel.org>
To:     Chao Yu <yuchao0@...wei.com>
Cc:     linux-kernel@...r.kernel.org,
        linux-f2fs-devel@...ts.sourceforge.net
Subject: Re: [PATCH] f2fs: avoid selinux denial on CAP_SYS_RESOURCE

On 03/09, Chao Yu wrote:
> On 2018/3/9 12:49, Jaegeuk Kim wrote:
> > This fixes CAP_SYS_RESOURCE denial of selinux when using resgid.
> 
> A little confusion, if capable(CAP_SYS_RESOURCE) is false, we still have chance
> to return true for below resuid & resgid cases, right?

I didn't dig it deeply tho, it seems selinux log came up when capable() is
failed in the first place. We actually didn't need to show it up, since next
resgid will give mostly true.

> 
> Thanks,
> 
> > 
> > Signed-off-by: Jaegeuk Kim <jaegeuk@...nel.org>
> > ---
> >  fs/f2fs/f2fs.h | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
> > index f6dc70666ebb..3d12277fbe9e 100644
> > --- a/fs/f2fs/f2fs.h
> > +++ b/fs/f2fs/f2fs.h
> > @@ -1607,13 +1607,13 @@ static inline bool __allow_reserved_blocks(struct f2fs_sb_info *sbi,
> >  		return false;
> >  	if (IS_NOQUOTA(inode))
> >  		return true;
> > -	if (capable(CAP_SYS_RESOURCE))
> > -		return true;
> >  	if (uid_eq(sbi->s_resuid, current_fsuid()))
> >  		return true;
> >  	if (!gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) &&
> >  					in_group_p(sbi->s_resgid))
> >  		return true;
> > +	if (capable(CAP_SYS_RESOURCE))
> > +		return true;
> >  	return false;
> >  }
> >  
> > 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ