Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp3247546imj;
        Mon, 11 Feb 2019 17:04:13 -0800 (PST)
X-Google-Smtp-Source: AHgI3IZ1Iyr9xAb/v3FuwpxSQE1LBnmEdwWHly1fg59d2xgV6i2SF2prZnGIGksYVWbd8wppH+Af
X-Received: by 2002:a63:c946:: with SMTP id y6mr1094721pgg.109.1549933453750;
        Mon, 11 Feb 2019 17:04:13 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1549933453; cv=none;
        d=google.com; s=arc-20160816;
        b=b8M/weB+iONhV5tss04jCVCdCVmxdFrnJH1sS5Q9DutJioNNZG8H/bJg74f3Mrxww2
         f7ovY4ZUFO2rMvv347MD+B3sgUr6/81BCat56phVFqU+8Qh1m27cma8CcTKh8Fq2q6qU
         OfifhMxWwGgeSJCv0Yw7u3iY2aePvROt4FhBbW5yqOKAGWgavP75sIdWBmeACvHEDUuy
         yKui8n4fPlxy/LF8MicfVHc98ORIqDTYwZfYYQ5q4VM1BlA1C2nz6uO4CSj+UOD16ha4
         LMtWZMQFiSzE0FUO0JZ6KCKA3G66Ap5EvKyv3dbr65mh2kvEkduS2KxlL3sCJa9GExyC
         rJWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:subject:mime-version:user-agent
         :message-id:in-reply-to:date:references:cc:to:from;
        bh=QRvSkKfA0Mf9brHbXWqhojP9jKGAXHwsva8Drzl4sXk=;
        b=IGMSLFX3yN+xkkDdAbpovDo6tzomPkh6dLTrfA++7UCwDDFNDjc0uVSEp3cuQ22Fq6
         Vu4S/8jzaG0K4fbeS11mdhrgL80+cc3rW75tXvhVzB9R0itKr6TgewLs4u7IvyMICJM6
         J/h8BBZ82MsPD0Gb77lFC+TYAqNjZyuZjAHNCGZpKtrs4ZGzIXNiRMoI5utemsrAEFIs
         CnW2FbGks99z5jnUCv8n/pXq2FcKPRKGh1bQ0Q8qZNyqvDXnlIBfajM3vD4Cr9wScouR
         V7TATZQ6i6sNnOToMONnIe3Wj0amc6VsQLzRvOVyUfK759QLG4sTEgIvuLLQm3NCgwkp
         mzuw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t16si10831224pgl.63.2019.02.11.17.03.57;
        Mon, 11 Feb 2019 17:04:13 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727988AbfBLBC0 (ORCPT <rfc822;testajctc@gmail.com> + 99 others);
        Mon, 11 Feb 2019 20:02:26 -0500
Received: from out01.mta.xmission.com ([166.70.13.231]:55881 "EHLO
        out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727890AbfBLBCZ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 11 Feb 2019 20:02:25 -0500
Received: from in02.mta.xmission.com ([166.70.13.52])
        by out01.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1gtMSs-0007Sg-Pn; Mon, 11 Feb 2019 18:02:22 -0700
Received: from ip68-227-174-240.om.om.cox.net ([68.227.174.240] helo=x220.xmission.com)
        by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1gtMSh-0005SX-Nm; Mon, 11 Feb 2019 18:02:22 -0700
From:   ebiederm@xmission.com (Eric W. Biederman)
To:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc:     linux-kernel@vger.kernel.org, stable@vger.kernel.org,
        Benjamin Gordon <bmgordon@google.com>,
        John Stultz <john.stultz@linaro.org>,
        Kees Cook <keescook@chromium.org>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Arjan van de Ven <arjan@linux.intel.com>,
        Oren Laadan <orenl@cellrox.com>,
        Ruchi Kandoi <kandoiruchi@google.com>,
        Rom Lemarchand <romlem@android.com>,
        Todd Kjos <tkjos@google.com>, Colin Cross <ccross@android.com>,
        Nick Kralevich <nnk@google.com>,
        Dmitry Shmidt <dimitrysh@google.com>,
        Elliott Hughes <enh@google.com>,
        Alexey Dobriyan <adobriyan@gmail.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Sasha Levin <sashal@kernel.org>
References: <20190211141846.543045703@linuxfoundation.org>
        <20190211141904.885459037@linuxfoundation.org>
Date:   Mon, 11 Feb 2019 19:02:06 -0600
In-Reply-To: <20190211141904.885459037@linuxfoundation.org> (Greg
        Kroah-Hartman's message of "Mon, 11 Feb 2019 15:18:29 +0100")
Message-ID: <87tvh9es4x.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1gtMSh-0005SX-Nm;;;mid=<87tvh9es4x.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=68.227.174.240;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX184pEWpyPE07UBzc04qKB3dbVw1qNDY/LI=
X-SA-Exim-Connect-IP: 68.227.174.240
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on sa03.xmission.com
X-Spam-Level: **
X-Spam-Status: No, score=2.0 required=8.0 tests=ALL_TRUSTED,BAYES_50,
        DCC_CHECK_NEGATIVE,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01,
        T_TooManySym_02,XMNoVowels,XMSubLong autolearn=disabled version=3.4.2
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.5000]
        *  0.7 XMSubLong Long Subject
        *  1.5 XMNoVowels Alpha-numberic number with no vowels
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa03 0; Body=1 Fuz1=1 Fuz2=1]
        *  0.0 T_TooManySym_01 4+ unique symbols in subject
        *  0.0 T_TooManySym_02 5+ unique symbols in subject
X-Spam-DCC: ; sa03 0; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: **;Greg Kroah-Hartman <gregkh@linuxfoundation.org>
X-Spam-Relay-Country: 
X-Spam-Timing: total 10577 ms - load_scoreonly_sql: 0.04 (0.0%),
        signal_user_changed: 4.5 (0.0%), b_tie_ro: 3.6 (0.0%), parse: 1.12
        (0.0%), extract_message_metadata: 36 (0.3%), get_uri_detail_list: 3.8
        (0.0%), tests_pri_-1000: 56 (0.5%), tests_pri_-950: 1.14 (0.0%),
        tests_pri_-900: 0.98 (0.0%), tests_pri_-90: 31 (0.3%), check_bayes: 30
        (0.3%), b_tokenize: 10 (0.1%), b_tok_get_all: 10 (0.1%), b_comp_prob:
        2.3 (0.0%), b_tok_touch_all: 5 (0.0%), b_finish: 0.57 (0.0%),
        tests_pri_0: 2850 (26.9%), check_dkim_signature: 0.41 (0.0%),
        check_dkim_adsp: 2483 (23.5%), poll_dns_idle: 10034 (94.9%),
        tests_pri_10: 1.65 (0.0%), tests_pri_500: 7592 (71.8%), rewrite_mail:
        0.00 (0.0%)
Subject: Re: [PATCH 4.20 282/352] fs/proc/base.c: use ns_capable instead of capable for timerslack_ns
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:

> 4.20-stable review patch.  If anyone has any objections, please let me
> know.

No objection.  But I think of this as a feature addition rather than a
fix for something.  As a feature that we now allow something we
previously did not does this qualify for a backport to stable?

It is probably no more harmful in this instance than adding PCI IDs to a
driver.  So I am not worried.  I am curious the current guidelines
are.

In most cases a small relaxation of permissions like this requires a lot
of bug fixing as typically code protected by capable(CAP_XXX) has been
written and tested assuming a trusted root user.  Those bug fixes are
many times too large for a stable backport.

Eric


> ------------------
>
> [ Upstream commit 8da0b4f692c6d90b09c91f271517db746a22ff67 ]
>
> Access to timerslack_ns is controlled by a process having CAP_SYS_NICE
> in its effective capability set, but the current check looks in the root
> namespace instead of the process' user namespace.  Since a process is
> allowed to do other activities controlled by CAP_SYS_NICE inside a
> namespace, it should also be able to adjust timerslack_ns.
>
> Link: http://lkml.kernel.org/r/20181030180012.232896-1-bmgordon@google.com
> Signed-off-by: Benjamin Gordon <bmgordon@google.com>
> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
> Cc: John Stultz <john.stultz@linaro.org>
> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: "Serge E. Hallyn" <serge@hallyn.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Arjan van de Ven <arjan@linux.intel.com>
> Cc: Oren Laadan <orenl@cellrox.com>
> Cc: Ruchi Kandoi <kandoiruchi@google.com>
> Cc: Rom Lemarchand <romlem@android.com>
> Cc: Todd Kjos <tkjos@google.com>
> Cc: Colin Cross <ccross@android.com>
> Cc: Nick Kralevich <nnk@google.com>
> Cc: Dmitry Shmidt <dimitrysh@google.com>
> Cc: Elliott Hughes <enh@google.com>
> Cc: Alexey Dobriyan <adobriyan@gmail.com>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
>  fs/proc/base.c | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index ce3465479447..98525af0953e 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2356,10 +2356,13 @@ static ssize_t timerslack_ns_write(struct file *file, const char __user *buf,
>  		return -ESRCH;
>  
>  	if (p != current) {
> -		if (!capable(CAP_SYS_NICE)) {
> +		rcu_read_lock();
> +		if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) {
> +			rcu_read_unlock();
>  			count = -EPERM;
>  			goto out;
>  		}
> +		rcu_read_unlock();
>  
>  		err = security_task_setscheduler(p);
>  		if (err) {
> @@ -2392,11 +2395,14 @@ static int timerslack_ns_show(struct seq_file *m, void *v)
>  		return -ESRCH;
>  
>  	if (p != current) {
> -
> -		if (!capable(CAP_SYS_NICE)) {
> +		rcu_read_lock();
> +		if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) {
> +			rcu_read_unlock();
>  			err = -EPERM;
>  			goto out;
>  		}
> +		rcu_read_unlock();
> +
>  		err = security_task_getscheduler(p);
>  		if (err)
>  			goto out;