On Sun 02-03-25 17:06:39, Christian Göttsche wrote:
> From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> capable() calls refer to enabled LSMs whether to permit or deny the
> request. This is relevant in connection with SELinux, where a
> capability check results in a policy decision and by default a denial
> message on insufficient permission is issued.
> It can lead to three undesired cases:
> 1. A denial message is generated, even in case the operation was an
>    unprivileged one and thus the syscall succeeded, creating noise.
> 2. To avoid the noise from 1. the policy writer adds a rule to ignore
>    those denial messages, hiding future syscalls, where the task
>    performs an actual privileged operation, leading to hidden limited
>    functionality of that task.
> 3. To avoid the noise from 1. the policy writer adds a rule to permit
>    the task the requested capability, while it does not need it,
>    violating the principle of least privilege.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> Reviewed-by: Serge Hallyn <serge@xxxxxxxxxx>

Looks good. Feel free to add:

Reviewed-by: Jan Kara <jack@xxxxxxx>

								Honza

> ---
>  fs/ext4/balloc.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
> index 8042ad873808..c48fd36b2d74 100644
> --- a/fs/ext4/balloc.c
> +++ b/fs/ext4/balloc.c
> @@ -649,8 +649,8 @@ static int ext4_has_free_clusters(struct ext4_sb_info *sbi,
>  	/* Hm, nope. Are (enough) root reserved clusters available? */
>  	if (uid_eq(sbi->s_resuid, current_fsuid()) ||
>  	    (!gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) && in_group_p(sbi->s_resgid)) ||
> -	    capable(CAP_SYS_RESOURCE) ||
> -	    (flags & EXT4_MB_USE_ROOT_BLOCKS)) {
> +	    (flags & EXT4_MB_USE_ROOT_BLOCKS) ||
> +	    capable(CAP_SYS_RESOURCE)) {
>
>  		if (free_clusters >= (nclusters + dirty_clusters +
>  				      resv_clusters))
> --
> 2.47.2
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR
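Review bot: The commit message states the general LSM-noise problem but not the concrete effect of this hunk in ext4_has_free_clusters, which is worth one sentence: of the four operands, only capable(CAP_SYS_RESOURCE) has a side effect (the LSM audit), so moving it to the last position of the `||` chain relies on short-circuit evaluation to skip it whenever `flags & EXT4_MB_USE_ROOT_BLOCKS` (or the resuid/resgid match) already grants the reserved clusters, with the decision itself unchanged. It would also help to say explicitly that the remaining capable() call is still reached, and still audited, whenever a task with neither the reserved uid/gid nor that flag runs out of ordinary free clusters, i.e. the patch removes the spurious denial on the EXT4_MB_USE_ROOT_BLOCKS path rather than all denials from this function.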
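The following is an added userspace model of the predicate in the patch above; it is illustrative code written for this page, not code from the patch, ext4 or the kernel. The struct layouts, the constant value used for EXT4_MB_USE_ROOT_BLOCKS, the mock capable() that counts an LSM denial whenever it is asked for a capability the task lacks, and the scenarios are all constructed assumptions. It shows the point of the reordering: both operand orders reach the same decision in every scenario, but only the old order calls capable() when EXT4_MB_USE_ROOT_BLOCKS is set, so only the old order produces a denial there.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for kernel types and constants (assumed for this example). */
typedef unsigned int kuid_t;
typedef unsigned int kgid_t;
#define GLOBAL_ROOT_GID 0u
#define CAP_SYS_RESOURCE 24
#define EXT4_MB_USE_ROOT_BLOCKS 0x1000u   /* numeric value is a stand-in */

struct task {
	kuid_t fsuid;              /* what current_fsuid() would return */
	bool   in_resgid;          /* what in_group_p(sbi->s_resgid) would return */
	bool   has_sys_resource;   /* task holds CAP_SYS_RESOURCE */
};

struct sb_info {
	kuid_t s_resuid;
	kgid_t s_resgid;
};

/* Models the side effect the commit message is about: an LSM such as SELinux
 * logs a denial every time capable() asks for a capability the task lacks,
 * independent of whether the surrounding operation then succeeds. */
static unsigned long lsm_denials;

static bool capable(const struct task *t, int cap)
{
	bool ok = (cap == CAP_SYS_RESOURCE) && t->has_sys_resource;
	if (!ok)
		lsm_denials++;
	return ok;
}

/* Operand order of the removed ('-') lines: capable() runs before the flag test. */
static bool may_use_reserved_old(const struct task *t, const struct sb_info *sbi,
				 unsigned flags)
{
	return t->fsuid == sbi->s_resuid ||
	       (sbi->s_resgid != GLOBAL_ROOT_GID && t->in_resgid) ||
	       capable(t, CAP_SYS_RESOURCE) ||
	       (flags & EXT4_MB_USE_ROOT_BLOCKS);
}

/* Operand order of the added ('+') lines: capable() is last, so || short-circuit
 * evaluation reaches it only when no side-effect-free operand already granted. */
static bool may_use_reserved_new(const struct task *t, const struct sb_info *sbi,
				 unsigned flags)
{
	return t->fsuid == sbi->s_resuid ||
	       (sbi->s_resgid != GLOBAL_ROOT_GID && t->in_resgid) ||
	       (flags & EXT4_MB_USE_ROOT_BLOCKS) ||
	       capable(t, CAP_SYS_RESOURCE);
}

struct scenario { struct task t; struct sb_info sbi; unsigned flags; };

/* Constructed scenarios; a superblock with the default resuid/resgid of 0,
 * plus one with a non-root reserved gid. */
static const struct scenario scenarios[] = {
	/* unprivileged task, allocation flagged to use root blocks */
	{ { 1000, false, false }, { 0, 0 }, EXT4_MB_USE_ROOT_BLOCKS },
	/* unprivileged task, no flag: legitimately denied either way */
	{ { 1000, false, false }, { 0, 0 }, 0 },
	/* fsuid matches resuid: granted before capable() in both orders */
	{ { 0, false, false }, { 0, 0 }, 0 },
	/* task holding CAP_SYS_RESOURCE: capable() succeeds, no denial */
	{ { 1000, false, true }, { 0, 0 }, 0 },
	/* member of a non-root reserved gid: granted by in_group_p() */
	{ { 1000, true, false }, { 0, 4242 }, 0 },
};

/* Runs both orderings over the scenarios, sums the denials each produced, and
 * returns whether the two orderings agreed on every decision. */
bool compare_orderings(unsigned long *old_denials, unsigned long *new_denials)
{
	bool same_decisions = true;
	*old_denials = 0;
	*new_denials = 0;
	for (size_t i = 0; i < sizeof(scenarios) / sizeof(scenarios[0]); i++) {
		const struct scenario *s = &scenarios[i];
		lsm_denials = 0;
		bool o = may_use_reserved_old(&s->t, &s->sbi, s->flags);
		*old_denials += lsm_denials;
		lsm_denials = 0;
		bool n = may_use_reserved_new(&s->t, &s->sbi, s->flags);
		*new_denials += lsm_denials;
		if (o != n)
			same_decisions = false;
	}
	return same_decisions;
}

int main(void)
{
	unsigned long o, n;
	bool same = compare_orderings(&o, &n);
	printf("decisions identical: %s, denials old=%lu new=%lu\n",
	       same ? "yes" : "no", o, n);
	return same ? 0 : 1;
}
```

Over these five scenarios both orderings decide identically; the old order logs two denials (the EXT4_MB_USE_ROOT_BLOCKS case and the genuinely unprivileged case), the new order only one. The remaining denial is the one the commit message considers legitimate: a task without the reserved uid/gid or the flag that actually needs the root-reserved clusters.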