On Sat, Oct 21, 2017 at 6:28 AM, Nicolas Belouin <nicolas@xxxxxxxxxx> wrote: > In its current implementation the check is against CAP_SYS_ADMIN, > however this capability is bloated and inapropriate for this use. > Indeed the check aims to avoid dedupe against non writable files, > falling directly in the use case of CAP_DAC_OVERRIDE. > > Signed-off-by: Nicolas Belouin <nicolas@xxxxxxxxxx> > --- > fs/read_write.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/read_write.c b/fs/read_write.c > index f0d4b16873e8..43cc7e84e29e 100644 > --- a/fs/read_write.c > +++ b/fs/read_write.c > @@ -1965,7 +1965,7 @@ int vfs_dedupe_file_range(struct file *file, struct file_dedupe_range *same) > u64 len; > int i; > int ret; > - bool is_admin = capable(CAP_SYS_ADMIN); > + bool is_admin = capable(CAP_SYS_ADMIN) || capable(CAP_DAC_OVERRIDE); Can you please reverse the order of the checks? In particular, on an SELinux based system, a capable() call generates an SELinux denial, and people often instinctively allow the first operation performed. Reordering the elements will ensure that the CAP_DAC_OVERRIDE denial (least permissive) is generated first. > u16 count = same->dest_count; > struct file *dst_file; > loff_t dst_off; > -- > 2.14.2 > -- Nick Kralevich | Android Security | nnk@xxxxxxxxxx | 650.214.4037
