From: Alistair Delva
Date: Mon, 15 Nov 2021 10:17:30 -0800
Subject: Re: [PATCH] block: Check ADMIN before NICE for IOPRIO_CLASS_RT
To: Jens Axboe
Cc: linux-kernel@vger.kernel.org, Khazhismel Kumykov, Bart Van Assche, Serge Hallyn, Greg Kroah-Hartman, Paul Moore, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, kernel-team@android.com, stable@vger.kernel.org
References: <20211115173850.3598768-1-adelva@google.com> <74179f08-3529-7502-db33-2ea18cab3f58@kernel.dk>
In-Reply-To: <74179f08-3529-7502-db33-2ea18cab3f58@kernel.dk>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Nov 15, 2021 at 10:04 AM Jens Axboe wrote:
>
> On 11/15/21 10:38 AM, Alistair Delva wrote:
> > Booting to Android userspace on 5.14 or newer triggers the following
> > SELinux denial:
> >
> > avc: denied { sys_nice } for comm="init" capability=23
> > scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability
> > permissive=0
> >
> > Init is PID 0 running as root, so it already has CAP_SYS_ADMIN. For
> > better compatibility with older SEPolicy, check ADMIN before NICE.
>
> Seems a bit wonky to me, but the end result is the same.

No argument from me..

> In any case,
> this warrants a comment above it detailing why the ordering is
> seemingly important.

Sent v2.

> --
> Jens Axboe
>
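
The effect of the ordering discussed in this thread, as an added example that is not part of the original message or the kernel source: a user-space C model in which a denied capability check is logged as a side effect, so two orderings with the same result leave different audit trails. `model_capable`, the policy bitmask, `run` and the two `rt_check_*` functions are hypothetical names; only the capability numbers are taken from `<linux/capability.h>`.

```c
#include <stdbool.h>
#include <stdio.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_SYS_ADMIN 21
#define CAP_SYS_NICE  23

/* Constructed model state: capabilities the policy allows for the caller,
 * and the number of denials logged so far. */
static unsigned long long policy_allowed;
static int denials_logged;

/* Model of a capability check: a denial is logged even when the caller
 * later passes a different check. */
static bool model_capable(int cap)
{
    if (policy_allowed & (1ULL << cap))
        return true;
    denials_logged++;
    printf("avc: denied capability=%d\n", cap);
    return false;
}

/* NICE checked first; returns 0 if the RT class is permitted, -1 if not. */
static int rt_check_nice_first(void)
{
    return (!model_capable(CAP_SYS_NICE) && !model_capable(CAP_SYS_ADMIN)) ? -1 : 0;
}

/* ADMIN checked first; same result, different denial log. */
static int rt_check_admin_first(void)
{
    return (!model_capable(CAP_SYS_ADMIN) && !model_capable(CAP_SYS_NICE)) ? -1 : 0;
}

/* Run one ordering under a given policy; report result and denial count. */
static int run(int (*check)(void), unsigned long long policy, int *denials)
{
    policy_allowed = policy;
    denials_logged = 0;
    int rc = check();
    *denials = denials_logged;
    return rc;
}

int main(void)
{
    int d, rc;
    rc = run(rt_check_nice_first, 1ULL << CAP_SYS_ADMIN, &d);
    printf("nice first:  rc=%d denials=%d\n", rc, d);
    rc = run(rt_check_admin_first, 1ULL << CAP_SYS_ADMIN, &d);
    printf("admin first: rc=%d denials=%d\n", rc, d);
    return 0;
}
```

In this model a caller whose policy allows only sys_nice logs one sys_admin denial under the ADMIN-first ordering, so the swap moves the spurious denial rather than removing it for every policy.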