On Tue, Jul 18, 2023 at 3:24 PM Jeff Moyer <jmoyer@xxxxxxxxxx> wrote: > > Hi, Ondrej, > > Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes: > > > The check being unconditional may lead to unwanted denials reported by > > LSMs when a process has the capability granted by DAC, but denied by an > > LSM. In the case of SELinux such denials are a problem, since they can't > > be effectively filtered out via the policy and when not silenced, they > > produce noise that may hide a true problem or an attack. > > > > Since not having the capability merely means that the created io_uring > > context will be accounted against the current user's RLIMIT_MEMLOCK > > limit, we can disable auditing of denials for this check by using > > ns_capable_noaudit() instead of capable(). > > Could you add a comment, or add some documentation to > ns_capable_noaudit() about when it should be used? It wasn't apparent > to me, at least, before this explanation. This has been requested before, so I finally forced myself to look into it and only now I realized that there is a subtle difference between the has_capability and capable helpers. As the docstrings say, the former doesn't set the PF_SUPERPRIV on the task when the check succeeds, while the latter does. The problem is that I don't know what the exact implications are and thus I'm not able to document which helper should be used in what situation... It is possible some of the existing call sites use the wrong helper in the noaudit case (possibly including ones that I added/suggested). The comment at its declaration says "Used super-user privileges" and it seems to be used only to propagate into the ASU flag in task accounting information. But in the case of capability checks that do not fail the syscall it is not easy to tell if "super-user privileges" were "used" or not (or, rather, whether the task should be accounted as such or not after a successful check). If anyone is reading this and has a better understanding of the PF_SUPERPRIV flag semantics, I'd be thankful for a clarification so that we can sort out this mess :) -- Ondrej Mosnacek Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
