Re: [RFC PATCH] sched: only issue an audit on privileged operation

From: Ondrej Mosnacek
Date: Tue Sep 08 2020 - 07:35:11 EST

On Tue, Sep 8, 2020 at 12:26 PM <peterz@xxxxxxxxxxxxx> wrote:
> On Fri, Sep 04, 2020 at 06:00:31PM +0200, Christian Göttsche wrote:
> > sched_setattr(2) does via kernel/sched/core.c:__sched_setscheduler()
> > issue a CAP_SYS_NICE audit event unconditionally, even when the requested
> > operation does not require that capability / is un-privileged.
> >
> > Perform privilged/unprivileged catigorization first and perform a
> > capable test only if needed.
> >
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > ---
> > kernel/sched/core.c | 65 ++++++++++++++++++++++++++++++++-------------
> > 1 file changed, 47 insertions(+), 18 deletions(-)
> So who sodding cares about audit, and why is that a reason to make a
> trainwreck of code?

The commit message should be more specific. I believe Christian is
talking about the case where SELinux or other LSM denies the
capability, in which case the denial is usually logged to the audit
log. Obviously, we don't want to get a denial logged when the
capability wasn't actually required for the operation to be allowed.

Unfortunately, the capability interface doesn't provide a way to first
get the decision value and only trigger the auditing when it was
actually used in the decision, so in complex scenarios like this the
caller needs to jump through some hoops to avoid such false-positive
denial records.

Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.