Received: by 2002:a05:7412:b995:b0:f9:9502:5bb8 with SMTP id it21csp7258488rdb;
        Wed, 3 Jan 2024 09:31:04 -0800 (PST)
X-Google-Smtp-Source: AGHT+IETsMjMrPbdVgaHvsc9wBf6aecka46jPJj7lJ6ht2MFu0Al0q19sZy+kBC/gyWLiPZ3vPED
X-Received: by 2002:a05:622a:1d0:b0:428:1e54:1fc with SMTP id t16-20020a05622a01d000b004281e5401fcmr6600336qtw.54.1704303064354;
        Wed, 03 Jan 2024 09:31:04 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1704303064; cv=none;
        d=google.com; s=arc-20160816;
        b=L19MOQYhqMdb7zf+e0+PM2BxruJem3GKnqCchmZgEcda9S2srEfztqrZpyKM1kH9jw
         zCyigNXXgxgZxYfsTCFjQe1dI4uanA0i8qT/XCPXu9LX+abzBFD93SbkXlNlid36cKsY
         LjP8xmXMh3EC22ScfJyAFxNl6BEL7kb775fuwQl/2IR8qrvHABSlhvFyq6QUFG9T68DB
         /29TbylN7dDSrKgZMdv/AidzlSd2w3pmkzKRwRibiYwKW3YYSVf4LE1QtTSGxSgxRtcR
         P0YPoLwlcEsPJNnekiU6d4jMQsumEhDY4bd0dVhOCJA7QbVxhNWw+ug+u9MnzuszomhE
         SIew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-transfer-encoding:content-disposition
         :mime-version:list-unsubscribe:list-subscribe:list-id:precedence
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=USdQat260eBLfxQ3g2Q+1HywsmmiJHmKprEB7G5xl2g=;
        fh=XhLjcZVMsojM86O+O20lTP3aEoA5TqZr+lwlPgIoYoM=;
        b=zlZoPXV4SPTdmEhKybFTGITKTdv9iBhCoNnl7u+vyrBPHRL793Ht7iwlVUl5LecuFj
         wymqOTUXYY0MoW933niW/hDjRv8edoOPwMvXyQOmeimAI8JtrQCUse0GzRKgDooJ9C+M
         rSQrtK4C+E9vBF+zKuVFNH3/x2LlDTHhOYrZOmVks6ra/us5aVPd2B13luoPvrnX+5af
         e2qYghU4/AmSiHFf3UbeSfcgwNtRzeZpqh7V79gonSEDuh2HA9mfW0wjvDKi4RbKM8m5
         HeQlMGZX+pefHFDy9GzZtFDQHFhYEcfBQKZ2qpT4tQuv0i0ydgH4CYg0gubthJ9iawcX
         DD4g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@mit.edu header.s=outgoing header.b=gUmXCJg7;
       spf=pass (google.com: domain of linux-kernel+bounces-15803-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-15803-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mit.edu
Return-Path: <linux-kernel+bounces-15803-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1])
        by mx.google.com with ESMTPS id bp35-20020a05622a1ba300b00427931c3f73si28720196qtb.643.2024.01.03.09.31.04
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 03 Jan 2024 09:31:04 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-15803-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mit.edu header.s=outgoing header.b=gUmXCJg7;
       spf=pass (google.com: domain of linux-kernel+bounces-15803-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-15803-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mit.edu
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 1FDA11C23B97
	for <linux.lists.archive@gmail.com>; Wed,  3 Jan 2024 17:31:04 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 1C64A1C2A3;
	Wed,  3 Jan 2024 17:30:56 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=mit.edu header.i=@mit.edu header.b="gUmXCJg7"
X-Original-To: linux-kernel@vger.kernel.org
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id C86561C28C
	for <linux-kernel@vger.kernel.org>; Wed,  3 Jan 2024 17:30:53 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=mit.edu
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=mit.edu
Received: from cwcc.thunk.org (pool-173-48-116-86.bstnma.fios.verizon.net [173.48.116.86])
	(authenticated bits=0)
        (User authenticated as tytso@ATHENA.MIT.EDU)
	by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 403HU3DV013800
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Wed, 3 Jan 2024 12:30:05 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing;
	t=1704303006; bh=USdQat260eBLfxQ3g2Q+1HywsmmiJHmKprEB7G5xl2g=;
	h=Date:From:Subject:Message-ID:MIME-Version:Content-Type;
	b=gUmXCJg7WolnfBfOrvsZDcXUwDKyDntyrb7dvFgeRPLyy84y1dP4LdOfKrEjVh3Ov
	 CqoImsyb3prmRUYeBbEC00I/GZzyFgNtxvf4rKH5/I46sqisMYbUuvu3xJOiWdOSR+
	 dajeIDmLbHt3P2dBnKGns95dIl1E/U+3BbmMHvY5HjNk2QZAEOzOoqUIXlVU9CNeiY
	 3ZtKLHQhJvTIhx+0yVZmErrSVKFBdD+puvGN25gVVstLQOfOF69G9SmCIaiz8IJNu6
	 JYS4QRvH0CY6MUiZodldbBsIw4qsUpIOXigHrRsE6CL8kXBkX/vpsSywLMDy3MkEAK
	 6KZBlFPNeWXDg==
Received: by cwcc.thunk.org (Postfix, from userid 15806)
	id EA1F115C17F9; Wed,  3 Jan 2024 12:30:02 -0500 (EST)
Date: Wed, 3 Jan 2024 12:30:02 -0500
From: "Theodore Ts'o" <tytso@mit.edu>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: =?utf-8?B?5a2f5pWs5ae/?= <mengjingzi@iie.ac.cn>, brauner@kernel.org,
        linux-kernel@vger.kernel.org, bpf@vger.kernel.org
Subject: Re: proposal to refine capability checks when _rlimit_overlimit() is
 true
Message-ID: <20240103173002.GB136592@mit.edu>
References: <1a8ed7bd.c96e.18ccd4ee4d1.Coremail.mengjingzi@iie.ac.cn>
 <2024010353-legwarmer-flap-869d@gregkh>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <2024010353-legwarmer-flap-869d@gregkh>

On Wed, Jan 03, 2024 at 07:11:18AM +0100, Greg KH wrote:
> On Wed, Jan 03, 2024 at 11:12:28AM +0800, 孟敬姿 wrote:
> > Hi!
> > 
> > We observed a potential refinement in the kernel/fork.c line 2368.
> > Currently, both CAP_SYS_ADMIN and CAP_SYS_RESOURCE are checked when
> > the limit is over system limit. We suggest considering an adjustment
> > to utilize CAP_SYS_RESOURCE exclusively. Here's our rationale for this
> > suggestion:
> 
> As I said when you proposed changing CAP permissions on the tty ioctls,
> have you tried this and seen what actually breaks by doing so?  Please
> audit the userspace code out there to ensure that what you are
> attempting to propose actually would work, and then, if so, submit a
> patch to do so.  Attempts of "wouldn't it be nice", don't go very far as
> it shows that the work to do so hasn't actually been done.

It's not just a matter of "auditing the userspace code", but how
systems might be set up.  So doing this could very easily cause
various systems to break based on how system administrators might have
set up their system.

What capabilities are used to add appropriate permissions is
fundamentally making a potential user space interface, and so it is
incredibly risky.  So any time we make such changes, we need to make a
very careful cost/benefit analysis.

						- Ted