[PATCH v2 11/11] infiniband: reorder capability check last
Leon Romanovsky
leon at kernel.org
Mon Mar 3 19:04:24 UTC 2025
On Sun, Mar 02, 2025 at 05:06:47PM +0100, Christian Göttsche wrote:
> From: Christian Göttsche <cgzones at googlemail.com>
>
> capable() calls refer to enabled LSMs whether to permit or deny the
> request. This is relevant in connection with SELinux, where a
> capability check results in a policy decision and by default a denial
> message on insufficient permission is issued.
> It can lead to three undesired cases:
> 1. A denial message is generated, even in case the operation was an
> unprivileged one and thus the syscall succeeded, creating noise.
> 2. To avoid the noise from 1. the policy writer adds a rule to ignore
> those denial messages, hiding future syscalls, where the task
> performs an actual privileged operation, leading to hidden limited
> functionality of that task.
> 3. To avoid the noise from 1. the policy writer adds a rule to permit
> the task the requested capability, while it does not need it,
> violating the principle of least privilege.
>
> Signed-off-by: Christian Göttsche <cgzones at googlemail.com>
> Reviewed-by: Serge Hallyn <serge at hallyn.com>
> ---
> drivers/infiniband/hw/mlx5/devx.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
Thanks, applied.
https://web.git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git/commit/?h=wip/leon-for-next&id=3745242ad1e1c07d5990b33764529eb13565db44
More information about the Linux-security-module-archive
mailing list