Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

fanotify: avoid/silence premature LSM capability checks

Make sure calling capable()/ns_capable() actually leads to access denied
when false is returned, because these functions emit an audit record
when a Linux Security Module denies the capability, which makes it
difficult to avoid allowing/silencing unnecessary permissions in
security policies (namely with SELinux).

Where the return value is just used to set a flag, use the non-auditing
ns_capable_noaudit() instead.

Fixes: 7cea2a3c505e ("fanotify: support limited functionality for unprivileged users")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Link: https://patch.msgid.link/20260216150625.793013-2-omosnace@redhat.com
Signed-off-by: Jan Kara <jack@suse.cz>

Authored by Ondrej Mosnacek, committed by Jan Kara
0d5ee337 6a320935
+13 -12
fs/notify/fanotify/fanotify_user.c
··· 1615 1615 pr_debug("%s: flags=%x event_f_flags=%x\n", 1616 1616 __func__, flags, event_f_flags); 1617 1617 1618 - if (!capable(CAP_SYS_ADMIN)) { 1619 - /* 1620 - * An unprivileged user can setup an fanotify group with 1621 - * limited functionality - an unprivileged group is limited to 1622 - * notification events with file handles or mount ids and it 1623 - * cannot use unlimited queue/marks. 1624 - */ 1625 - if ((flags & FANOTIFY_ADMIN_INIT_FLAGS) || 1626 - !(flags & (FANOTIFY_FID_BITS | FAN_REPORT_MNT))) 1627 - return -EPERM; 1618 + /* 1619 + * An unprivileged user can setup an fanotify group with limited 1620 + * functionality - an unprivileged group is limited to notification 1621 + * events with file handles or mount ids and it cannot use unlimited 1622 + * queue/marks. 1623 + */ 1624 + if (((flags & FANOTIFY_ADMIN_INIT_FLAGS) || 1625 + !(flags & (FANOTIFY_FID_BITS | FAN_REPORT_MNT))) && 1626 + !capable(CAP_SYS_ADMIN)) 1627 + return -EPERM; 1628 1628 1629 + if (!ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) { 1629 1630 /* 1630 1631 * Setting the internal flag FANOTIFY_UNPRIV on the group 1631 1632 * prevents setting mount/filesystem marks on this group and ··· 1991 1990 * A user is allowed to setup sb/mount/mntns marks only if it is 1992 1991 * capable in the user ns where the group was created. 1993 1992 */ 1994 - if (!ns_capable(group->user_ns, CAP_SYS_ADMIN) && 1995 - mark_type != FAN_MARK_INODE) 1993 + if (mark_type != FAN_MARK_INODE && 1994 + !ns_capable(group->user_ns, CAP_SYS_ADMIN)) 1996 1995 return -EPERM; 1997 1996 1998 1997 /*
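Review bot: the fanotify_init() hunk leaves the two CAP_SYS_ADMIN checks looking asymmetric without saying why: the -EPERM path still uses the auditing capable(), while the FANOTIFY_UNPRIV path a few lines below now uses ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN). Since capable() is ns_capable() against init_user_ns, both ask the same question of the same namespace and the decision cannot diverge; the only difference is whether an LSM denial is logged. A one-line comment above the second check, e.g. "/* result only sets a flag, no denial follows, so do not audit */", would stop a later cleanup from folding the two back into one audited check, which is exactly the pattern this patch removes. The reordered first condition also relies on && short-circuiting so that capable() is only reached for flag combinations that would actually be refused; that is the point of the change and deserves a word in the comment block above it.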
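Review bot: in the fanotify_mark() hunk the whole fix is the operand order of the && (mark_type != FAN_MARK_INODE now short-circuits before ns_capable(group->user_ns, CAP_SYS_ADMIN) is evaluated), and nothing in the code records that the order is load-bearing. The comment above ("A user is allowed to setup sb/mount/mntns marks only if it is capable in the user ns where the group was created.") states the rule but not the audit concern; extending it with something like "test mark_type first so inode marks never trigger an audited capability check" would protect the ordering from being swapped back by a style pass. Keeping the auditing ns_capable() here is right, since a false result does lead to -EPERM.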
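To make the "premature audit record" visible, the following is an added user-space model of both check orderings from the patch; it is not kernel code and not part of this commit. The flag values, the struct task caller model and the model LSM (which simply counts denials for capable() and stays silent for the noaudit variant) are constructed for the illustration; the check logic itself mirrors the lines in the two hunks above. init_before/init_after reproduce the fanotify_init() path, mark_before/mark_after the fanotify_mark() path, and audit_implies_denial() states the property the commit message asks for: every denial record must be followed by -EPERM.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed flag values standing in for the kernel's; only their bit
 * identity matters to the model. */
#define FANOTIFY_ADMIN_INIT_FLAGS 0x01u  /* e.g. FAN_UNLIMITED_QUEUE */
#define FANOTIFY_FID_BITS         0x02u  /* e.g. FAN_REPORT_FID */
#define FAN_REPORT_MNT            0x04u
#define FAN_MARK_INODE            0x00u
#define FAN_MARK_MOUNT            0x10u

struct task { bool cap_sys_admin; };   /* model caller: holds CAP_SYS_ADMIN or not */

struct outcome {
    int err;            /* 0 or -EPERM */
    bool unpriv;        /* FANOTIFY_UNPRIV would be set on the group */
    int audit_records;  /* denial records the model LSM emitted */
};

static int lsm_audit_count;  /* reset at the start of each modelled syscall */

/* Model of capable()/ns_capable(): the LSM logs every denied request. */
static bool model_capable(const struct task *t)
{
    if (!t->cap_sys_admin)
        lsm_audit_count++;
    return t->cap_sys_admin;
}

/* Model of ns_capable_noaudit(): same decision, denial not logged. */
static bool model_capable_noaudit(const struct task *t)
{
    return t->cap_sys_admin;
}

static struct outcome finish(int err, bool unpriv)
{
    struct outcome o = { err, unpriv, lsm_audit_count };
    return o;
}

/* fanotify_init() checks, pre-patch order: the capability is queried first,
 * so an unprivileged caller with permitted flags still produces a record. */
struct outcome init_before(const struct task *t, unsigned int flags)
{
    lsm_audit_count = 0;
    if (!model_capable(t)) {
        if ((flags & FANOTIFY_ADMIN_INIT_FLAGS) ||
            !(flags & (FANOTIFY_FID_BITS | FAN_REPORT_MNT)))
            return finish(-EPERM, false);
        return finish(0, true);
    }
    return finish(0, false);
}

/* fanotify_init() checks, post-patch order: capable() is reached only when
 * -EPERM follows, and the flag-only decision uses the non-auditing variant. */
struct outcome init_after(const struct task *t, unsigned int flags)
{
    lsm_audit_count = 0;
    if (((flags & FANOTIFY_ADMIN_INIT_FLAGS) ||
         !(flags & (FANOTIFY_FID_BITS | FAN_REPORT_MNT))) &&
        !model_capable(t))
        return finish(-EPERM, false);
    return finish(0, !model_capable_noaudit(t));
}

/* fanotify_mark() sb/mount/mntns check; only the operand order differs. */
int mark_before(const struct task *t, unsigned int mark_type)
{
    lsm_audit_count = 0;
    return (!model_capable(t) && mark_type != FAN_MARK_INODE) ? -EPERM : 0;
}

int mark_after(const struct task *t, unsigned int mark_type)
{
    lsm_audit_count = 0;
    return (mark_type != FAN_MARK_INODE && !model_capable(t)) ? -EPERM : 0;
}

int last_audit_count(void) { return lsm_audit_count; }

/* The property the commit message asks for: a denial record implies -EPERM. */
bool audit_implies_denial(struct outcome o)
{
    return o.audit_records == 0 || o.err == -EPERM;
}

int main(void)
{
    struct task user = { false };
    struct outcome b = init_before(&user, FANOTIFY_FID_BITS);
    struct outcome a = init_after(&user, FANOTIFY_FID_BITS);
    printf("before: err=%d unpriv=%d audit_records=%d\n", b.err, b.unpriv, b.audit_records);
    printf("after:  err=%d unpriv=%d audit_records=%d\n", a.err, a.unpriv, a.audit_records);
    return 0;
}
```

The interesting row is the unprivileged caller with FID-style flags: before the patch the group is created and marked FANOTIFY_UNPRIV, yet the LSM has already logged a CAP_SYS_ADMIN denial, which is what pushes a policy author towards an allow or dontaudit rule for a permission the kernel never needed; after the patch the same call leaves no record. For fanotify_mark() the only difference is that an inode mark by an unprivileged user no longer reaches the audited capability check at all.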