[PATCH v2 06/11] ubifs: reorder capability check last
Zhihao Cheng
chengzhihao1 at huawei.com
Mon Mar 3 13:49:17 UTC 2025
在 2025/3/3 0:06, Christian Göttsche 写道:
> From: Christian Göttsche <cgzones at googlemail.com>
>
> capable() calls refer to enabled LSMs whether to permit or deny the
> request. This is relevant in connection with SELinux, where a
> capability check results in a policy decision and by default a denial
> message on insufficient permission is issued.
> It can lead to three undesired cases:
> 1. A denial message is generated, even in case the operation was an
> unprivileged one and thus the syscall succeeded, creating noise.
> 2. To avoid the noise from 1. the policy writer adds a rule to ignore
> those denial messages, hiding future syscalls, where the task
> performs an actual privileged operation, leading to hidden limited
> functionality of that task.
> 3. To avoid the noise from 1. the policy writer adds a rule to permit
> the task the requested capability, while it does not need it,
> violating the principle of least privilege.
>
> Signed-off-by: Christian Göttsche <cgzones at googlemail.com>
> Reviewed-by: Serge Hallyn <serge at hallyn.com>
> Acked-by: Richard Weinberger <richard at nod.at>
> ---
> v2: split into two patches for each subsystem
> ---
> fs/ubifs/budget.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
Reviewed-by: Zhihao Cheng <chengzhihao1 at huawei.com>
>
> diff --git a/fs/ubifs/budget.c b/fs/ubifs/budget.c
> index d76eb7b39f56..6137aeadec3f 100644
> --- a/fs/ubifs/budget.c
> +++ b/fs/ubifs/budget.c
> @@ -256,8 +256,9 @@ long long ubifs_calc_available(const struct ubifs_info *c, int min_idx_lebs)
> */
> static int can_use_rp(struct ubifs_info *c)
> {
> - if (uid_eq(current_fsuid(), c->rp_uid) || capable(CAP_SYS_RESOURCE) ||
> - (!gid_eq(c->rp_gid, GLOBAL_ROOT_GID) && in_group_p(c->rp_gid)))
> + if (uid_eq(current_fsuid(), c->rp_uid) ||
> + (!gid_eq(c->rp_gid, GLOBAL_ROOT_GID) && in_group_p(c->rp_gid)) ||
> + capable(CAP_SYS_RESOURCE))
> return 1;
> return 0;
> }
>
More information about the Linux-security-module-archive
mailing list