| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180906145936.GF27626@localhost.localdomain>
Date: Thu, 6 Sep 2018 16:59:36 +0200
From: Juri Lelli <juri.lelli@...hat.com>
To: Patrick Bellasi <patrick.bellasi@....com>
Cc: linux-kernel@...r.kernel.org, linux-pm@...r.kernel.org,
Ingo Molnar <mingo@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Tejun Heo <tj@...nel.org>,
"Rafael J . Wysocki" <rafael.j.wysocki@...el.com>,
Viresh Kumar <viresh.kumar@...aro.org>,
Vincent Guittot <vincent.guittot@...aro.org>,
Paul Turner <pjt@...gle.com>,
Quentin Perret <quentin.perret@....com>,
Dietmar Eggemann <dietmar.eggemann@....com>,
Morten Rasmussen <morten.rasmussen@....com>,
Todd Kjos <tkjos@...gle.com>,
Joel Fernandes <joelaf@...gle.com>,
Steve Muckle <smuckle@...gle.com>,
Suren Baghdasaryan <surenb@...gle.com>
Subject: Re: [PATCH v4 14/16] sched/core: uclamp: request CAP_SYS_ADMIN by
default
On 06/09/18 15:40, Patrick Bellasi wrote:
> On 04-Sep 15:47, Juri Lelli wrote:
[...]
> > Wondering if you want to fold the check below inside the
> >
> > if (user && !capable(CAP_SYS_NICE)) {
> > ...
> > }
> >
> > block. It would also save you from adding another parameter to the
> > function.
>
> So, there are two reasons for that:
>
> 1) _I think_ we don't want to depend on capable(CAP_SYS_NICE) but
> instead on capable(CAP_SYS_ADMIN)
>
> Does that make sense ?
>
> If yes, the I cannot fold it in the block you reported above
> because we will not check for users with CAP_SYS_NICE.
Ah, right, not sure though. Looks like CAP_SYS_NICE is used for settings
that relates to priorities, affinity, etc.: CPU related stuff. Since
here you are also dealing with something that seems to fall into the
same realm, it might actually fit more than CAP_SYS_ADMIN?
Now that I think more about it, would it actually make sense to allow
unpriviledged users to lower their assigned umin/umax properties if they
want? Something alike what happens for nice values or RT priorities.
> 2) Then we could move it after that block, where there is another
> set of checks with just:
>
> if (user) {
>
> We can potentially add the check there yes... but when uclamp is
> not enabled we will still perform those checks or we have to add
> some compiler guards...
>
> 3) ... or at least check for:
>
> if (attr->sched_flags & SCHED_FLAG_UTIL_CLAMP)
>
> Which is what I'm doing right after the block above (2).
>
> But, at this point, by passing in the parameter to the
> __setscheduler_uclamp() call, I get the benefits of:
>
> a) reducing uclamp specific code in the caller
> b) avoiding the checks on !CONFIG_UCLAMP_TASK build
>
> > > {
> > > int group_id[UCLAMP_CNT] = { UCLAMP_NOT_VALID };
> > > int lower_bound, upper_bound;
> > > struct uclamp_se *uc_se;
> > > int result = 0;
> > >
> > > + if (!capable(CAP_SYS_ADMIN) &&
> > > + user && !uclamp_user_allowed) {
> > > + return -EPERM;
> > > + }
> > > +
>
> Does all the above makes sense ?
If we agree on CAP_SYS_ADMIN, however, your approach looks cleaner yes.
Powered by blists - more mailing lists