[PATCH RESEND] xfs: don't generate selinux audit messages for capability testing

Darrick J. Wong djwong at kernel.org
Tue Mar 1 15:48:18 UTC 2022


On Tue, Mar 01, 2022 at 09:10:14AM -0600, Serge E. Hallyn wrote:
> On Mon, Feb 28, 2022 at 06:50:52PM -0800, Darrick J. Wong wrote:
> > From: Darrick J. Wong <djwong at kernel.org>
> > 
> > There are a few places where we test the current process' capability set
> > to decide if we're going to be more or less generous with resource
> > acquisition for a system call.  If the process doesn't have the
> > capability, we can continue the call, albeit in a degraded mode.
> > 
> > These are /not/ the actual security decisions, so it's not proper to use
> > capable(), which (in certain selinux setups) causes audit messages to
> > get logged.  Switch them to has_capability_noaudit.
> > 
> > Signed-off-by: Darrick J. Wong <djwong at kernel.org>
> > Cc: Ondrej Mosnacek <omosnace at redhat.com>
> > Cc: Dave Chinner <david at fromorbit.com>
> > ---
> >  fs/xfs/xfs_fsmap.c  |    4 ++--
> >  fs/xfs/xfs_ioctl.c  |    2 +-
> >  fs/xfs/xfs_iops.c   |    2 +-
> >  kernel/capability.c |    1 +
> >  4 files changed, 5 insertions(+), 4 deletions(-)
> > 
> > diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
> > index 48287caad28b..10e1cb71439e 100644
> > --- a/fs/xfs/xfs_fsmap.c
> > +++ b/fs/xfs/xfs_fsmap.c
> > @@ -864,8 +864,8 @@ xfs_getfsmap(
> >  	    !xfs_getfsmap_is_valid_device(mp, &head->fmh_keys[1]))
> >  		return -EINVAL;
> >  
> > -	use_rmap = capable(CAP_SYS_ADMIN) &&
> > -		   xfs_has_rmapbt(mp);
> > +	use_rmap = xfs_has_rmapbt(mp) &&
> 
> Hm, I'm failing to find where xfs_has_rmapbt() is defined.  I just
> wanted to make sure it doesn't have any side effects that you'd want
> to avoid in the no-capability case.  (Seems very unlikely that it
> would, given the name)

fs/xfs/xfs_mount.h:495:__XFS_HAS_FEAT(rmapbt, RMAPBT)

To expand on that a little -- it's a convenience predicate that tells us
whether or not the mounted xfs filesystem supports the reverse mapping
btree feature.  The predicate itself has no side effects, of course, so
the rearranging of the two sides of the && operator is there so that we
do the cheaper check first (as this code probably should have done from
the start).

--D

> 
> > +		   has_capability_noaudit(current, CAP_SYS_ADMIN);
> >  	head->fmh_entries = 0;
> >  
> >  	/* Set up our device handlers. */
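Review bot: the swap that moves `xfs_has_rmapbt(mp)` to the left of the `&&` is a second change folded into what the commit message describes purely as a capable() to has_capability_noaudit() switch. It is worth one sentence in the commit message stating that the reorder is intentional and that the predicate is side-effect free, because it does alter behaviour: on filesystems without rmapbt the capability is now never consulted at all, whereas the original `capable(CAP_SYS_ADMIN) && xfs_has_rmapbt(mp)` probed (and in some SELinux setups audited) the capability unconditionally.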
> > diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
> > index 2515fe8299e1..83481005317a 100644
> > --- a/fs/xfs/xfs_ioctl.c
> > +++ b/fs/xfs/xfs_ioctl.c
> > @@ -1189,7 +1189,7 @@ xfs_ioctl_setattr_get_trans(
> >  		goto out_error;
> >  
> >  	error = xfs_trans_alloc_ichange(ip, NULL, NULL, pdqp,
> > -			capable(CAP_FOWNER), &tp);
> > +			has_capability_noaudit(current, CAP_FOWNER), &tp);
> >  	if (error)
> >  		goto out_error;
> >  
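Review bot: the CAP_FOWNER result here is only a boolean argument to xfs_trans_alloc_ichange(), i.e. a resource-sizing hint rather than the permission decision, which is exactly why the unaudited variant is acceptable; a short comment at the call site saying so would stop a future reader from "fixing" it back to capable() and reintroducing the audit noise, and would also make clear that the real ownership check for setattr is enforced elsewhere on the audited path.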
> > diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
> > index b79b3846e71b..a65217f787cf 100644
> > --- a/fs/xfs/xfs_iops.c
> > +++ b/fs/xfs/xfs_iops.c
> > @@ -723,7 +723,7 @@ xfs_setattr_nonsize(
> >  	}
> >  
> >  	error = xfs_trans_alloc_ichange(ip, udqp, gdqp, NULL,
> > -			capable(CAP_FOWNER), &tp);
> > +			has_capability_noaudit(current, CAP_FOWNER), &tp);
> >  	if (error)
> >  		goto out_dqrele;
> >  
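Review bot: same pattern as the xfs_ioctl.c call site, and with this hunk both callers of xfs_trans_alloc_ichange() compute the flag as `has_capability_noaudit(current, CAP_FOWNER)`. Consider documenting the parameter at the callee (or computing it there) so the "hint, not permission check, hence no audit" intent lives in one place rather than being repeated at each caller.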
> > diff --git a/kernel/capability.c b/kernel/capability.c
> > index 46a361dde042..765194f5d678 100644
> > --- a/kernel/capability.c
> > +++ b/kernel/capability.c
> > @@ -360,6 +360,7 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
> >  {
> >  	return has_ns_capability_noaudit(t, &init_user_ns, cap);
> >  }
> > +EXPORT_SYMBOL(has_capability_noaudit);
> >  
> >  static bool ns_capable_common(struct user_namespace *ns,
> >  			      int cap,
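Review bot: the commit message does not mention this export at all, even though it is what lets a modular xfs build call has_capability_noaudit(); please say so, and consider whether EXPORT_SYMBOL_GPL is the more appropriate choice here, since an unrestricted export makes a capability probe that deliberately bypasses audit logging available to every loadable module, not just in-tree GPL code.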
