Re: [PATCH] block: grant IOPRIO_CLASS_RT to CAP_SYS_NICE

From: Khazhismel Kumykov <hidden>
Date: 2020-08-24 20:48:21
Also in: linux-security-module, lkml

On Mon, Aug 24, 2020 at 1:45 PM Khazhismel Kumykov [off-list ref] wrote:

quoted hunk ↗ jump to hunk

CAP_SYS_ADMIN is too broad, and ionice fits into CAP_SYS_NICE's grouping.

Retain CAP_SYS_ADMIN permission for backwards compatibility.

Signed-off-by: Khazhismel Kumykov <redacted>
---
 block/ioprio.c                  | 2 +-
 include/uapi/linux/capability.h | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/block/ioprio.c b/block/ioprio.c
index 77bcab11dce5..4572456430f9 100644
--- a/block/ioprio.c
+++ b/block/ioprio.c

@@ -69,7 +69,7 @@ int ioprio_check_cap(int ioprio)

        switch (class) {
                case IOPRIO_CLASS_RT:
-                       if (!capable(CAP_SYS_ADMIN))
+                       if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_NICE))

yikes, sorry for the spam

quoted hunk ↗ jump to hunk

                                return -EPERM;
                        /* fall through */
                        /* rt has prio field too */

diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 395dd0df8d08..c6ca33034147 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h

@@ -288,6 +288,8 @@ struct vfs_ns_cap_data {
    processes and setting the scheduling algorithm used by another
    process. */
 /* Allow setting cpu affinity on other processes */
+/* Allow setting realtime ioprio class */
+/* Allow setting ioprio class on other processes */

 #define CAP_SYS_NICE         23

--

2.28.0.297.g1956fa8f8d-goog

Attachments

smime.p7s [application/pkcs7-signature] 3850 bytes

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help