[PATCH RESEND] xfs: don't generate selinux audit messages for capability testing
Serge E. Hallyn
serge at hallyn.com
Wed Mar 2 14:44:53 UTC 2022
On Tue, Mar 01, 2022 at 07:48:18AM -0800, Darrick J. Wong wrote:
> On Tue, Mar 01, 2022 at 09:10:14AM -0600, Serge E. Hallyn wrote:
> > On Mon, Feb 28, 2022 at 06:50:52PM -0800, Darrick J. Wong wrote:
> > > From: Darrick J. Wong <djwong at kernel.org>
> > >
> > > There are a few places where we test the current process' capability set
> > > to decide if we're going to be more or less generous with resource
> > > acquisition for a system call. If the process doesn't have the
> > > capability, we can continue the call, albeit in a degraded mode.
> > >
> > > These are /not/ the actual security decisions, so it's not proper to use
> > > capable(), which (in certain selinux setups) causes audit messages to
> > > get logged. Switch them to has_capability_noaudit.
> > >
> > > Signed-off-by: Darrick J. Wong <djwong at kernel.org>
> > > Cc: Ondrej Mosnacek <omosnace at redhat.com>
> > > Cc: Dave Chinner <david at fromorbit.com>
> > > ---
> > > fs/xfs/xfs_fsmap.c | 4 ++--
> > > fs/xfs/xfs_ioctl.c | 2 +-
> > > fs/xfs/xfs_iops.c | 2 +-
> > > kernel/capability.c | 1 +
> > > 4 files changed, 5 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
> > > index 48287caad28b..10e1cb71439e 100644
> > > --- a/fs/xfs/xfs_fsmap.c
> > > +++ b/fs/xfs/xfs_fsmap.c
> > > @@ -864,8 +864,8 @@ xfs_getfsmap(
> > > !xfs_getfsmap_is_valid_device(mp, &head->fmh_keys[1]))
> > > return -EINVAL;
> > >
> > > - use_rmap = capable(CAP_SYS_ADMIN) &&
> > > - xfs_has_rmapbt(mp);
> > > + use_rmap = xfs_has_rmapbt(mp) &&
> >
> > Hm, I'm failing to find where xfs_has_rmapbt() is defined. I just
> > wanted to make sure it doesn't have any side effects that you'd want
> > to avoid in the no-capability case. (Seems very unlikely that it
> > would, given the name)
>
> fs/xfs/xfs_mount.h:495:__XFS_HAS_FEAT(rmapbt, RMAPBT)
>
> To expand on that a little -- it's a convenience predicate that tells us
> whether or not the mounted xfs filesystem supports the reverse mapping
> btree feature. The predicate itself has no side effects, of course, so
> the rearranging of the two sides of the && operator so that we do the
> cheaper check first (like this code probably should have done from the
> start).
>
> --D
THank you - looks good then.
Acked-by: Serge Hallyn <serge at hallyn.com>
> >
> > > + has_capability_noaudit(current, CAP_SYS_ADMIN);
> > > head->fmh_entries = 0;
> > >
> > > /* Set up our device handlers. */
> > > diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
> > > index 2515fe8299e1..83481005317a 100644
> > > --- a/fs/xfs/xfs_ioctl.c
> > > +++ b/fs/xfs/xfs_ioctl.c
> > > @@ -1189,7 +1189,7 @@ xfs_ioctl_setattr_get_trans(
> > > goto out_error;
> > >
> > > error = xfs_trans_alloc_ichange(ip, NULL, NULL, pdqp,
> > > - capable(CAP_FOWNER), &tp);
> > > + has_capability_noaudit(current, CAP_FOWNER), &tp);
> > > if (error)
> > > goto out_error;
> > >
> > > diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
> > > index b79b3846e71b..a65217f787cf 100644
> > > --- a/fs/xfs/xfs_iops.c
> > > +++ b/fs/xfs/xfs_iops.c
> > > @@ -723,7 +723,7 @@ xfs_setattr_nonsize(
> > > }
> > >
> > > error = xfs_trans_alloc_ichange(ip, udqp, gdqp, NULL,
> > > - capable(CAP_FOWNER), &tp);
> > > + has_capability_noaudit(current, CAP_FOWNER), &tp);
> > > if (error)
> > > goto out_dqrele;
> > >
> > > diff --git a/kernel/capability.c b/kernel/capability.c
> > > index 46a361dde042..765194f5d678 100644
> > > --- a/kernel/capability.c
> > > +++ b/kernel/capability.c
> > > @@ -360,6 +360,7 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
> > > {
> > > return has_ns_capability_noaudit(t, &init_user_ns, cap);
> > > }
> > > +EXPORT_SYMBOL(has_capability_noaudit);
> > >
> > > static bool ns_capable_common(struct user_namespace *ns,
> > > int cap,
More information about the Linux-security-module-archive
mailing list