From patchwork Thu Jul 14 18:50:44 2016
X-Patchwork-Submitter: John Stultz
X-Patchwork-Id: 72047
From: John Stultz
To: lkml
Cc: John Stultz, Kees Cook, "Serge E. Hallyn", Andrew Morton, Thomas Gleixner, Arjan van de Ven, Oren Laadan, Ruchi Kandoi, Rom Lemarchand, Todd Kjos, Colin Cross, Nick Kralevich, Dmitry Shmidt, Elliott Hughes, Android Kernel Team
Subject: [RFC][PATCH] proc: Relax /proc/<pid>/timerslack_ns capability requirements
Date: Thu, 14 Jul 2016 11:50:44 -0700
Message-Id: <1468522244-28297-1-git-send-email-john.stultz@linaro.org>
X-Mailer: git-send-email 1.9.1

When an interface to allow a task to change another task's timerslack was first proposed, it was suggested that something greater than CAP_SYS_NICE would be needed, as a task could be delayed further than what normally could be done with nice adjustments. So CAP_SYS_PTRACE was adopted instead for what became the /proc/<pid>/timerslack_ns interface.

However, for Android (where this feature originates), giving the system_server CAP_SYS_PTRACE would allow it to observe and modify all tasks' memory. This is considered too high a privilege level for only needing to change the timerslack.

After some discussion, it was realized that a CAP_SYS_NICE process can set a task as SCHED_FIFO, so they could fork some spinning processes and set them all SCHED_FIFO 99, in effect delaying all other tasks for an infinite amount of time.

So as a CAP_SYS_NICE task can already cause trouble for other tasks, using it as a required capability for accessing and modifying /proc/<pid>/timerslack_ns seems sufficient.

Thus, this patch loosens the capability requirements to CAP_SYS_NICE. For ABI preservation, it still allows CAP_SYS_PTRACE tasks to access/modify timerslack values, but I'm fine with removing this if others agree.

Cc: Kees Cook
Cc: "Serge E. Hallyn"
Cc: Andrew Morton
Cc: Thomas Gleixner
Cc: Arjan van de Ven
Cc: Oren Laadan
Cc: Ruchi Kandoi
Cc: Rom Lemarchand
Cc: Todd Kjos
Cc: Colin Cross
Cc: Nick Kralevich
Cc: Dmitry Shmidt
Cc: Elliott Hughes
Cc: Android Kernel Team
Signed-off-by: John Stultz --- fs/proc/base.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) -- 1.9.1 diff --git a/fs/proc/base.c b/fs/proc/base.c index a11eb71..d32033e 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2281,7 +2281,8 @@ static ssize_t timerslack_ns_write(struct file *file, const char __user *buf, if (!p) return -ESRCH; - if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)) { + if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS) || + capable(CAP_SYS_NICE)) { task_lock(p); if (slack_ns == 0) p->timer_slack_ns = p->default_timer_slack_ns; @@ -2306,7 +2307,8 @@ static int timerslack_ns_show(struct seq_file *m, void *v) if (!p) return -ESRCH; - if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)) { + if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS) || + capable(CAP_SYS_NICE)) { task_lock(p); seq_printf(m, "%llu\n", p->timer_slack_ns); task_unlock(p);
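Review bot: In the timerslack_ns_write hunk, `|| capable(CAP_SYS_NICE)` short-circuits not just the ptrace credential comparison but also the LSM ptrace access check that ptrace_may_access() performs, so a CAP_SYS_NICE holder can now set any task's slack without SELinux or any other LSM being consulted at all. Since the commit message justifies CAP_SYS_NICE by analogy with scheduler changes, the write path should get the matching scheduler-policy hook instead of no hook, e.g. `err = security_task_setscheduler(p);` after the capability test and before `task_lock(p);`, with an early `count = -EPERM; goto out;` on failure, so policy can still confine which tasks the caller may slow down. It is also worth stating in the commit message that capable() is an init-user-namespace check, so CAP_SYS_NICE held only inside a child user namespace does not satisfy it.

Review bot: The access condition is now duplicated verbatim between timerslack_ns_show and timerslack_ns_write; factor it into one static helper (e.g. `timerslack_may_access(p)`) so the read and write checks cannot drift apart the next time one of them is tightened. On the commit message's offer to drop the ptrace_may_access() path entirely: ptrace_may_access() is also what lets an unprivileged task read and set its own value (it succeeds for the caller's own thread group), so removing it would need an explicit `p == current` / same_thread_group case to keep unprivileged self-access working. If Documentation/filesystems/proc.txt describes the old CAP_SYS_PTRACE requirement for this file, it needs the same update as the code.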
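A userspace probe for the behaviour this patch changes, added here as an example (it is not part of the patch or of the kernel tree): it reports whether CAP_SYS_NICE is in the caller's effective set by decoding the CapEff line of /proc/self/status, then tries to read (and, with `-w`, write straight back) /proc/<pid>/timerslack_ns for a target pid and classifies the kernel's answer as allowed, refused by the permission check (EPERM/EACCES), or some other error. It assumes a kernel that has the timerslack_ns file (v4.6 and later) and a binary name of `probe`; the capability number 23 is the value of CAP_SYS_NICE in linux/capability.h. Run it unprivileged against another user's pid, then again with CAP_SYS_NICE, to see which capability a given kernel actually requires.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CAP_SYS_NICE 23   /* capability number from <linux/capability.h> */

/* Decode the "CapEff:" hex mask from the text of /proc/<pid>/status.
 * Returns 0 on success, -1 if the line is missing or malformed. */
int parse_capeff(const char *status_text, uint64_t *mask_out)
{
    const char *line = strstr(status_text, "CapEff:");
    while (line != NULL && line != status_text && line[-1] != '\n')
        line = strstr(line + 1, "CapEff:");   /* only accept a line start */
    if (line == NULL)
        return -1;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(line + 7, &end, 16);
    if (errno != 0 || end == line + 7)
        return -1;
    *mask_out = (uint64_t)v;
    return 0;
}

/* 1 if capability number `cap` is set in `mask`, else 0. */
int cap_in_mask(uint64_t mask, int cap) { return (int)((mask >> cap) & 1ULL); }

/* Decode the bare decimal value timerslack_ns reports ("50000\n"); -1 if not a single number. */
int parse_timerslack(const char *text, unsigned long long *ns_out)
{
    char *end;
    errno = 0;
    unsigned long long v = strtoull(text, &end, 10);
    if (errno != 0 || end == text)
        return -1;
    while (*end == '\n' || *end == ' ')
        end++;
    if (*end != '\0')
        return -1;
    *ns_out = v;
    return 0;
}

/* Open /proc/<pid>/timerslack_ns and read it; with writeback, write the value
 * straight back (a behavioural no-op). Returns 1 = allowed, 0 = refused by the
 * permission check (EPERM/EACCES), -1 = other error (errno set). The file is
 * world read/writable, so the check this patch changes fires on read()/write(),
 * not on open(). */
int probe_timerslack(pid_t pid, int writeback, unsigned long long *ns_out)
{
    char path[64], buf[64];
    snprintf(path, sizeof path, "/proc/%d/timerslack_ns", (int)pid);
    int fd = open(path, writeback ? O_RDWR : O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    if (n >= 0) {
        buf[n] = '\0';
        if (parse_timerslack(buf, ns_out) != 0) { close(fd); errno = EINVAL; return -1; }
        if (writeback) {
            int len = snprintf(buf, sizeof buf, "%llu\n", *ns_out);
            n = write(fd, buf, (size_t)len);
        }
    }
    int saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return (saved == EPERM || saved == EACCES) ? 0 : -1;
    }
    return 1;
}

/* Usage: ./probe [pid] [-w]   (-w also writes the value just read back) */
int main(int argc, char **argv)
{
    pid_t target = getpid();
    int writeback = 0;
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], "-w") == 0) writeback = 1; else target = (pid_t)atoi(argv[i]);

    char status[4096];
    uint64_t eff = 0;
    int fd = open("/proc/self/status", O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, status, sizeof status - 1);
    if (fd >= 0) close(fd);
    if (n > 0) status[n] = '\0';
    if (n > 0 && parse_capeff(status, &eff) == 0)
        printf("CAP_SYS_NICE in effective set: %s\n", cap_in_mask(eff, CAP_SYS_NICE) ? "yes" : "no");

    unsigned long long ns = 0;   /* stays 0 unless the read was allowed */
    int r = probe_timerslack(target, writeback, &ns);
    printf("%s pid %d: %s", writeback ? "read+write" : "read", (int)target,
           r == 1 ? "allowed" : r == 0 ? "refused" : strerror(errno));
    if (ns != 0) printf(" (timerslack %llu ns)", ns);
    printf("\n");
    return r < 0;
}
```

Reading the caller's own pid should always be allowed, since ptrace_may_access() passes for the caller's own thread group; the interesting cases are another user's pid with and without CAP_SYS_NICE, which is exactly the difference this patch introduces.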