Date: Mon, 15 Nov 2021 20:31:15 +0100
From: Greg Kroah-Hartman
To: Ondrej Mosnacek
Cc: Alistair Delva, Linux kernel mailing list, Khazhismel Kumykov, Bart Van Assche, Serge Hallyn, Jens Axboe, Paul Moore, SElinux list, Linux Security Module list, "Cc: Android Kernel", Linux Stable maillist
Subject: Re: [PATCH] block: Check ADMIN before NICE for IOPRIO_CLASS_RT
References: <20211115173850.3598768-1-adelva@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Nov 15, 2021 at 08:04:05PM +0100, Ondrej Mosnacek wrote:
> On Mon, Nov 15, 2021 at 7:14 PM Alistair Delva wrote:
> >
> > Booting to Android userspace on 5.14 or newer triggers the following
> > SELinux denial:
> >
> > avc: denied { sys_nice } for comm="init" capability=23
> > scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability
> > permissive=0
> >
> > Init is PID 0 running as root, so it already has CAP_SYS_ADMIN. For
> > better compatibility with older SEPolicy, check ADMIN before NICE.
>
> But with this patch you in turn punish the new/better policies that
> try to avoid giving domains CAP_SYS_ADMIN unless necessary (using only
> the more granular capabilities wherever possible), which may now get a
> bogus sys_admin denial. IMHO the order is better as it is, as it
> motivates the "good" policy writing behavior - i.e. spelling out the
> capability permissions more explicitly and avoiding CAP_SYS_ADMIN.
>
> IOW, if your domain does CAP_SYS_NICE things, and you didn't explicitly
> grant it that (and instead rely on the CAP_SYS_ADMIN fallback), then
> the denial correctly flags it as an issue in your policy and
> encourages you to add that sys_nice permission to the domain. Then
> when one beautiful hypothetical day the CAP_SYS_ADMIN fallback is
> removed, your policy will be ready for that and things will keep
> working.
>
> Feel free to carry that patch downstream if patching the kernel is
> easier for you than fixing the policy, but for the upstream kernel
> this is just a step in the wrong direction.

So you want to "punish" existing systems by throwing up a warning where
there used to not be one?

That is not nice, you need to handle upgrading kernels without breaking
or causing problems like this.

Yes, SELinux has done this in the past, with many different things, but
that does not mean that it _should_ do this.

Please realize that you do not want to punish people from upgrading
their kernel to a newer version. If you do so, they will never upgrade.

thanks,

greg k-h
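The check-order question argued in the thread above, as an added example that is not code from this thread or from the kernel: a user-space stand-in for the two capable() checks on IOPRIO_CLASS_RT, where every failed check records the audit-style denial SELinux would log, so the denial a given policy domain sees under each ordering can be compared. The capability names follow linux/capability.h, but the bit masks, the model_capable() stand-in and the single-denial buffer are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model only: named after the real capabilities, but these are plain bits
 * in a user-space mask, not the kernel's capability sets. */
#define CAP_SYS_ADMIN_BIT (1u << 0)
#define CAP_SYS_NICE_BIT  (1u << 1)

/* Holds the first denial produced by a failed check, in the shape of the
 * AVC line from the report ("denied { sys_nice }"); empty if none. */
static char denied[32];

/* Stand-in for capable(): a failed check is audited (recorded here) even
 * when a later check in the same expression goes on to succeed. */
static bool model_capable(unsigned int held, unsigned int cap, const char *name)
{
    if (held & cap)
        return true;
    if (denied[0] == '\0')
        snprintf(denied, sizeof denied, "denied { %s }", name);
    return false;
}

/* 0 when the RT class is allowed, -1 (EPERM in the kernel) otherwise.
 * admin_first = false is the 5.14 order (NICE, then ADMIN); true is the
 * order the patch proposes. *first_denial points at the recorded denial. */
int rt_check(unsigned int held, bool admin_first, const char **first_denial)
{
    bool ok;
    denied[0] = '\0';
    if (admin_first)
        ok = model_capable(held, CAP_SYS_ADMIN_BIT, "sys_admin") ||
             model_capable(held, CAP_SYS_NICE_BIT, "sys_nice");
    else
        ok = model_capable(held, CAP_SYS_NICE_BIT, "sys_nice") ||
             model_capable(held, CAP_SYS_ADMIN_BIT, "sys_admin");
    *first_denial = denied;
    return ok ? 0 : -1;
}

int main(void)
{
    const char *d;
    rt_check(CAP_SYS_ADMIN_BIT, false, &d); /* init-like domain from the report */
    printf("NICE first, admin-only domain: %s\n", d);   /* denied { sys_nice } */
    rt_check(CAP_SYS_NICE_BIT, true, &d);   /* granular domain Ondrej describes */
    printf("ADMIN first, nice-only domain: %s\n", d);   /* denied { sys_admin } */
    return 0;
}
```

Either ordering lets both domains through; what changes is which domain gets a denial logged for a capability it never needed.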