On Tue, Jan 12, 2016 at 01:19:00AM +0900, Tetsuo Handa wrote:
> Willy Tarreau wrote:
> > @@ -1066,7 +1094,8 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
> >  		if (!nr_pages)
> >  			goto out;
> >  
> > -		if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
> > +		if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN) &&
> > +		    (size > pipe_max_size || too_many_pipe_buffers(pipe->user))) {
> >  			ret = -EPERM;
> >  			goto out;
> >  		}
> 
> I think we should not check capable(CAP_SYS_ADMIN) for the size > pipe_max_size
> case, for checking capable(CAP_SYS_ADMIN) needlessly generates audit logs and
> also loosens the permission required for setting size > pipe_max_size.
> 
> Also, I think we should not check capable(CAP_SYS_ADMIN) unless
> too_many_pipe_buffers(pipe->user) is true, for checking capable(CAP_SYS_ADMIN)
> needlessly generates audit logs.
> 
> Since too_many_unix_fds() requires capable(CAP_SYS_ADMIN) || capable(CAP_SYS_ADMIN),
> I think what we want is something like below?
> 
> 	if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
> 		ret = -EPERM;
> 		goto out;
> 	} else if (too_many_pipe_buffers(pipe->user) &&
> 		   !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
> 		ret = -EPERM;
> 		goto out;
> 	}

OK, that works for me.

Do you have an opinion regarding my other proposal of soft vs hard limit?

Thanks,
Willy
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
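Review bot: the `!capable(CAP_SYS_ADMIN)` added to the combined condition in this hunk also guards the pre-existing `size > pipe_max_size` test, so a task holding only CAP_SYS_ADMIN can now raise a pipe above pipe_max_size where the old code required CAP_SYS_RESOURCE; and because both capable() calls sit before the cheap comparisons, they are evaluated on every pipe_fcntl() path that reaches this check, even when neither `size > pipe_max_size` nor `too_many_pipe_buffers(pipe->user)` is true, which is what produces the audit noise. Suggest leaving the original `if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size)` line untouched and adding a second branch that tests `too_many_pipe_buffers(pipe->user)` first and only then consults the capabilities, so the CAP_SYS_ADMIN escape applies to the per-user buffer accounting alone. The hunk also relies on `pipe->user` and `too_many_pipe_buffers()` that it does not introduce, so it depends on the earlier hunks of the series being applied.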
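The two orderings debated in this thread, as an added example that is not code from the kernel or from either poster: capable() is stubbed with a counter standing in for the audit record each call can produce, and the hunk's combined condition and the reply's split condition are run over constructed tasks and pipes so the difference in both verdict and number of capable() calls is visible. The struct layouts, the capability constants and the pipe_max_size default are assumptions made for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Stand-ins for the kernel pieces the thread refers to. These are
 * assumptions for this example, not the kernel's own definitions.
 */
enum { CAP_SYS_RESOURCE = 1u << 0, CAP_SYS_ADMIN = 1u << 1 };

struct task { unsigned int caps; };                       /* capabilities held by the caller */
struct user { unsigned long pipe_bufs, pipe_bufs_max; };  /* per-user buffer accounting */
struct pipe { struct user *user; };

static unsigned long pipe_max_size = 1024 * 1024;  /* assumed limit, like the sysctl */

/* Every capable() call is a point where the kernel may emit an audit record. */
static unsigned long audit_records;

static bool capable(const struct task *t, unsigned int cap)
{
	audit_records++;
	return (t->caps & cap) != 0;
}

static bool too_many_pipe_buffers(const struct user *u)
{
	return u->pipe_bufs > u->pipe_bufs_max;
}

/* Variant A: the single combined condition from the quoted hunk. */
static int check_combined(const struct task *t, const struct pipe *p, unsigned long size)
{
	if (!capable(t, CAP_SYS_RESOURCE) && !capable(t, CAP_SYS_ADMIN) &&
	    (size > pipe_max_size || too_many_pipe_buffers(p->user)))
		return -EPERM;
	return 0;
}

/* Variant B: the split condition proposed in the reply. */
static int check_split(const struct task *t, const struct pipe *p, unsigned long size)
{
	if (!capable(t, CAP_SYS_RESOURCE) && size > pipe_max_size)
		return -EPERM;
	else if (too_many_pipe_buffers(p->user) &&
		 !capable(t, CAP_SYS_RESOURCE) && !capable(t, CAP_SYS_ADMIN))
		return -EPERM;
	return 0;
}

typedef int (*check_fn)(const struct task *, const struct pipe *, unsigned long);

struct outcome { int ret; unsigned long audits; };

/* Run one variant against a constructed task/user/pipe and count capable() calls. */
static struct outcome run(check_fn check, unsigned int caps, unsigned long size,
			  unsigned long bufs, unsigned long bufs_max)
{
	struct task t = { caps };
	struct user u = { bufs, bufs_max };
	struct pipe p = { &u };
	struct outcome o;

	audit_records = 0;
	o.ret = check(&t, &p, size);
	o.audits = audit_records;
	return o;
}

int main(void)
{
	/* Constructed cases; the per-user limit is 16 buffers in each. */
	struct { const char *name; unsigned int caps; unsigned long size, bufs; } cases[] = {
		{ "unprivileged, size ok, buffers ok",    0,             2 * 4096,        0  },
		{ "CAP_SYS_ADMIN only, size > max",       CAP_SYS_ADMIN, 2 * 1024 * 1024, 0  },
		{ "unprivileged, size ok, too many bufs", 0,             2 * 4096,        17 },
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		struct outcome a = run(check_combined, cases[i].caps, cases[i].size, cases[i].bufs, 16);
		struct outcome b = run(check_split, cases[i].caps, cases[i].size, cases[i].bufs, 16);
		printf("%-40s combined: ret=%d capable()=%lu | split: ret=%d capable()=%lu\n",
		       cases[i].name, a.ret, a.audits, b.ret, b.audits);
	}
	return 0;
}
```

Build with `cc -Wall example.c`. The second case is the permission change the reply objects to: the combined form lets a CAP_SYS_ADMIN-only task exceed pipe_max_size, the split form refuses it. The third case is worth noting too: once the per-user buffer limit is hit, the split form calls capable(CAP_SYS_RESOURCE) twice, so its saving in capable() calls is specific to CAP_SYS_ADMIN and to callers that trip neither limit.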