Commit 0d5ee337 authored by Ondrej Mosnacek's avatar Ondrej Mosnacek Committed by Jan Kara
Browse files

fanotify: avoid/silence premature LSM capability checks 



Make sure calling capable()/ns_capable() actually leads to access denied
when false is returned, because these functions emit an audit record
when a Linux Security Module denies the capability, which makes it
difficult to avoid allowing/silencing unnecessary permissions in
security policies (namely with SELinux).

Where the return value just used to set a flag, use the non-auditing
ns_capable_noaudit() instead.

Fixes: 7cea2a3c ("fanotify: support limited functionality for unprivileged users")
Signed-off-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
Reviewed-by: default avatarPaul Moore <paul@paul-moore.com>
Reviewed-by: default avatarAmir Goldstein <amir73il@gmail.com>
Link: https://patch.msgid.link/20260216150625.793013-2-omosnace@redhat.com


Signed-off-by: default avatarJan Kara <jack@suse.cz>
parent 6a320935

fs/notify/fanotify/fanotify_user.c

+13 −12
Original line number Diff line number Diff line
@@ -1615,17 +1615,18 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags) 
	pr_debug("%s: flags=%x event_f_flags=%x\n",

		 __func__, flags, event_f_flags);



	if (!capable(CAP_SYS_ADMIN)) {

	/*

		 * An unprivileged user can setup an fanotify group with

		 * limited functionality - an unprivileged group is limited to

		 * notification events with file handles or mount ids and it

		 * cannot use unlimited queue/marks.

	 * An unprivileged user can setup an fanotify group with limited

	 * functionality - an unprivileged group is limited to notification

	 * events with file handles or mount ids and it cannot use unlimited

	 * queue/marks.

	 */

		if ((flags & FANOTIFY_ADMIN_INIT_FLAGS) ||

		    !(flags & (FANOTIFY_FID_BITS | FAN_REPORT_MNT)))

	if (((flags & FANOTIFY_ADMIN_INIT_FLAGS) ||

	     !(flags & (FANOTIFY_FID_BITS | FAN_REPORT_MNT))) &&

	    !capable(CAP_SYS_ADMIN))

		return -EPERM;



	if (!ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {

		/*

		 * Setting the internal flag FANOTIFY_UNPRIV on the group

		 * prevents setting mount/filesystem marks on this group and
@@ -1990,8 +1991,8 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask, 
	 * A user is allowed to setup sb/mount/mntns marks only if it is

	 * capable in the user ns where the group was created.

	 */

	if (!ns_capable(group->user_ns, CAP_SYS_ADMIN) &&

	    mark_type != FAN_MARK_INODE)

	if (mark_type != FAN_MARK_INODE &&

	    !ns_capable(group->user_ns, CAP_SYS_ADMIN))

		return -EPERM;



	/*