Commit 94c4b4f

adelva1984 authored and axboe committed
block: Check ADMIN before NICE for IOPRIO_CLASS_RT
Booting to Android userspace on 5.14 or newer triggers the following
SELinux denial:

avc: denied { sys_nice } for comm="init" capability=23
scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=0

Init is PID 0 running as root, so it already has CAP_SYS_ADMIN. For
better compatibility with older SEPolicy, check ADMIN before NICE.

Fixes: 9d3a39a ("block: grant IOPRIO_CLASS_RT to CAP_SYS_NICE")
Signed-off-by: Alistair Delva <[email protected]>
Cc: Khazhismel Kumykov <[email protected]>
Cc: Bart Van Assche <[email protected]>
Cc: Serge Hallyn <[email protected]>
Cc: Jens Axboe <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Cc: Paul Moore <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected] # v5.14+
Reviewed-by: Bart Van Assche <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jens Axboe <[email protected]>
1 parent fa55b7d commit 94c4b4f

1 file changed: 8 additions, 1 deletion


block/ioprio.c

Lines changed: 8 additions & 1 deletion
@@ -69,7 +69,14 @@ int ioprio_check_cap(int ioprio)
6969

7070
switch (class) {
7171
case IOPRIO_CLASS_RT:
72-
if (!capable(CAP_SYS_NICE) && !capable(CAP_SYS_ADMIN))
72+
/*
73+
* Originally this only checked for CAP_SYS_ADMIN,
74+
* which was implicitly allowed for pid 0 by security
75+
* modules such as SELinux. Make sure we check
76+
* CAP_SYS_ADMIN first to avoid a denial/avc for
77+
* possibly missing CAP_SYS_NICE permission.
78+
*/
79+
if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_NICE))
7380
return -EPERM;
7481
fallthrough;
7582
/* rt has prio field too */
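Review bot: The replacement condition at the end of the hunk, `if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_NICE))`, is logically identical to the removed `if (!capable(CAP_SYS_NICE) && !capable(CAP_SYS_ADMIN))`; only the evaluation order changes, and the new comment should say so plainly rather than leaving a reader to wonder whether the access decision moved. The mechanism the comment relies on is that a failed capable() call is what produces the avc denial, so a caller that already holds CAP_SYS_ADMIN now short-circuits before CAP_SYS_NICE is ever checked. The comment should also cover the symmetric case: a caller that holds only CAP_SYS_NICE now evaluates CAP_SYS_ADMIN first and fails it, so a policy that grants sys_nice but not sys_admin will log a sys_admin denial before the request is permitted, which is the trade-off this ordering accepts. Minor: "pid 0" in the comment should read PID 1; the commit message's denial is for comm="init", and init is PID 1 (PID 0 is the kernel's idle task).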
