| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 9 Mar 2018 13:57:05 -0800
From: Jaegeuk Kim <jaegeuk@...nel.org>
To: Chao Yu <yuchao0@...wei.com>
Cc: linux-kernel@...r.kernel.org,
linux-f2fs-devel@...ts.sourceforge.net
Subject: Re: [PATCH] f2fs: avoid selinux denial on CAP_SYS_RESOURCE
On 03/09, Chao Yu wrote:
> On 2018/3/9 12:49, Jaegeuk Kim wrote:
> > This fixes CAP_SYS_RESOURCE denial of selinux when using resgid.
>
> A little confusion, if capable(CAP_SYS_RESOURCE) is false, we still have chance
> to return true for below resuid & resgid cases, right?
I didn't dig it deeply tho, it seems selinux log came up when capable() is
failed in the first place. We actually didn't need to show it up, since next
resgid will give mostly true.
>
> Thanks,
>
> >
> > Signed-off-by: Jaegeuk Kim <jaegeuk@...nel.org>
> > ---
> > fs/f2fs/f2fs.h | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
> > index f6dc70666ebb..3d12277fbe9e 100644
> > --- a/fs/f2fs/f2fs.h
> > +++ b/fs/f2fs/f2fs.h
> > @@ -1607,13 +1607,13 @@ static inline bool __allow_reserved_blocks(struct f2fs_sb_info *sbi,
> > return false;
> > if (IS_NOQUOTA(inode))
> > return true;
> > - if (capable(CAP_SYS_RESOURCE))
> > - return true;
> > if (uid_eq(sbi->s_resuid, current_fsuid()))
> > return true;
> > if (!gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) &&
> > in_group_p(sbi->s_resgid))
> > return true;
> > + if (capable(CAP_SYS_RESOURCE))
> > + return true;
> > return false;
> > }
> >
> >
Powered by blists - more mailing lists