Re: [PATCH] Sanitize set_task_ioprio() permission checks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 9/4/25 12:13 PM, Chen Yufeng wrote:
> A patch similar to commit 197e7e521384("Sanitize 'move_pages()' permission 
> checks").
> 
> The set_task_ioprio function is responsible for setting the IO priority of a 
> specified process. The current implementation only checks if the target 
> process's uid matches the calling process's euid/uid, or if the caller has the 
> CAP_SYS_NICE capability. This permission check is too permissive and allows a 
> user to modify the IO priority of other processes with the same uid, including 
> privileged or system processes.
> 
> Local users can affect the IO scheduling of other processes with the same 
> uid, including suid binaries and system services, potentially causing denial 
> of service (DoS) or performance degradation.
> 
> So change the access checks to the more common 'ptrace_may_access()'
> model instead.
> 
> Signed-off-by: Chen Yufeng <chenyufeng@xxxxxxxxx>
> ---
>  block/blk-ioc.c | 5 +----
>  1 file changed, 1 insertion(+), 4 deletions(-)
> 
> diff --git a/block/blk-ioc.c b/block/blk-ioc.c
> index 9fda3906e5f5..bd3e556809c5 100644
> --- a/block/blk-ioc.c
> +++ b/block/blk-ioc.c
> @@ -244,12 +244,9 @@ static struct io_context *alloc_io_context(gfp_t gfp_flags, int node)
>  int set_task_ioprio(struct task_struct *task, int ioprio)
>  {
>  	int err;
> -	const struct cred *cred = current_cred(), *tcred;
>  
>  	rcu_read_lock();
> -	tcred = __task_cred(task);
> -	if (!uid_eq(tcred->uid, cred->euid) &&
> -	    !uid_eq(tcred->uid, cred->uid) && !capable(CAP_SYS_NICE)) {
> +	if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) {

The description of commit 197e7e521384 explicitely mentions that changing the
CAP_SYS_NICE check for that system call into CAP_SYS_PTRACE should be OK
because hardly anyone use that system call.

I do not think that the same can be said of the nice() and ioprio_set() system
calls. So dropping the capable(CAP_SYS_NICE) check seems wrong, unless you can
actually justify that it is safe ?

Lots of production systems out there use IO priority. We do not want these to
suddenly stop working because of a permission denied.

>  		rcu_read_unlock();
>  		return -EPERM;
>  	}


-- 
Damien Le Moal
Western Digital Research
[Index of Archives]     [Linux RAID]     [Linux SCSI]     [Linux ATA RAID]     [IDE]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Device Mapper]

  Powered by Linux